QoS and IPSEC

Hi,

I have a pix to router VPN.

One Pix and 4 routers. Routers are connected with a VPN IPsec to the pix over Internet.

Lan-----pix----router0------(internet)------router1
                                  |_________router2
                                  |_________etc ...

I want router1, 2, 3 & 4 to have the same bandwidth, so I would like QoS.

There is nat translation to the pix on router0 for the VPN.

I make access-list on router0 with the public IP address of the router1 to router4.

access-list 110 permit ip host 193.x.x.1 any
access-list 111 permit ip host 193.x.x.2 any
...

I make my classes:

class-map match-all router1
 match access-group 110
class-map match-all router2
 match access-group 111

I make the policy-map:

policy-map test
 class router1
  bandwidth percent 15
 class router2
  bandwidth percent 15
 ...

On the int ATM0:

service-policy output test

It does not work ...

I have a dialer0 interface but I can't apply the service-policy (error with the virtual-template).

What solution can I have ?

Thanks a lot,

Fwed

Reply to
Fwed

As far as I see, the IP addresses in your access-lists should be destination and not source? So try with:

access-list 110 permit ip any host 193.x.x.1
access-list 111 permit ip any host 193.x.x.2
...

Reply to
Horst Wagner

Perhaps you should swap the address and 'any'.

You need to enable 'ppp multilink' on the dialer, then you can apply service policy there. Since you probably don't have IP configured on ATM0, the policy won't catch any traffic based on IP attributes.

Regards, iLya

Reply to
Charlie Root

Horst Wagner wrote:

I tested with :

access-list 110 permit esp host 193.x.x.1 any
access-list 111 permit esp host 193.x.x.2 any

but it's the same ...

Reply to
Fwed

Ok, I do not have ppp multilink ...

Because when I do a "sh ip nat translations" I see all of my routers, so I thought that I could do this with the int ATM ...

There is no IP on ATM0, only on dialer0.

I will look for ppp multilink :)

Thanks

Reply to
Fwed

I find that :

Does it mean that I configure it under the interface ATM0 and the dialer0? And does it mean that I do it on all of the other routers (router1, 2, 3 & 4)?

I have an IPsec connection; if I add "ppp multilink" on router0, I lose the VPN. If I reload router1 (or 2, 3, 4) after adding ppp multilink, will my VPN restart normally?

Thanks

Reply to
Fwed

ppp multilink is required (even for a single physical link) on every router where you want to apply 'service-policy' (you'll get an error if you attempt to apply a policy without having multilink ppp). So if your r[1-4] all should have 'service-policy' attached, then you need ppp multilink there, otherwise you configure it only on router0 and _only_ on the dialer0 interface but not on ATM.

This is true. You most likely will actually see link automatically going down as soon as you configure ppp multilink.

For 'ppp multilink' to work, it's necessary that your ADSL provider permits it. Does your ADSL come up with multilink enabled on Dialer0? If it doesn't work now, a reload won't help. If this is the case, check with your ADSL provider if they could allow you to run multilink PPP (even over a single connection).

P.S.: In your other reply regarding access-list - changes are necessary, but not enough - you must attach policy to the dialer, not to the ATM interface.

Regards, iLya

Reply to
Charlie Root

Charlie Root wrote:

Thanks a lot, I will check that quickly :)

Reply to
Fwed

o.k. but there you still mixed up destination and source address!

Reply to
Horst Wagner

FYI, I've also DSL with dialer and ATM and no service-policy on the dialer interface, only on the ATM interface, and it works great!

I still think that your access-lists are wrong because packets leaving your central router will have the addresses of the other routers as destination addresses and not source! So your statements have to be ... any host ... rather than ...host...any!

cheers Horst

Reply to
Horst Wagner

Horst Wagner wrote:

interface, only on atm-interface and it works great!

your central router will have the addresses of the other routers as destination addresses and not source!

I did not have any time to test. When I can, I will tell you the result :)

Thanks for your help :)

Reply to
Fwed

Horst Wagner wrote:

interface, only on atm-interface and it works great!

your central router will have the addresses of the other routers as destination addresses and not source!

I did what you said and that works! :)

Thank you a lot :)

Reply to
Fwed
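For reference, here is the hub-side configuration in the form the thread ended up with, as an added example written for this page and not any poster's own config: router0 (the router that NATs the PIX to the Internet) with the access-list direction corrected. The ACL numbers 112/113 for router3 and router4, the class-default entry and the ATM0 attach point are assumptions; 193.x.x.1-4 are the thread's masked spoke addresses.

```cisco
! Added example, not a poster's config. Router0 = hub, NATs the PIX.
! Outbound from router0, every tunnel packet has router0's public address
! as SOURCE and the spoke's public address as DESTINATION, so the ACLs
! must match "any host <spoke>". "host <spoke> any" only matches inbound
! packets, which an output service-policy never sees, hence zero matches.
access-list 110 permit ip any host 193.x.x.1
access-list 111 permit ip any host 193.x.x.2
access-list 112 permit ip any host 193.x.x.3
access-list 113 permit ip any host 193.x.x.4
!
! One class per spoke, keyed on the destination ACL above
class-map match-all router1
 match access-group 110
class-map match-all router2
 match access-group 111
class-map match-all router3
 match access-group 112
class-map match-all router4
 match access-group 113
!
! Each spoke is guaranteed 15% of the link under congestion (60% total);
! everything else shares class-default.
policy-map test
 class router1
  bandwidth percent 15
 class router2
  bandwidth percent 15
 class router3
  bandwidth percent 15
 class router4
  bandwidth percent 15
 class class-default
  fair-queue
!
! Horst and Fwed attached the policy to the ATM interface. iLya's
! alternative is Dialer0, which needs "ppp multilink" on that dialer.
interface ATM0
 service-policy output test
!
! Check that each class actually counts packets after a few minutes of
! tunnel traffic; all-zero counters mean the ACL direction is still wrong:
!   show policy-map interface ATM0
```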

Summary:

It seems to me that QoS and specifically LLQ does not work with ADSL unless the provider supports Multilink PPP.

If anyone can contradict this please do so.

If anyone can offer an example config please do.

If anyone has any way of persuading Cisco to eliminate this tiresome and apparently arbitrary and apparently undocumented _feature_ please do so.

It is of course documented in the sense that no examples of QoS on dialers without MPPP are in the configuration guides and there are several references to QoS with MPPP; however, this has not helped me to avoid wasting a lot of time and having dissatisfied users.

Finally is it possible to do ADSL without the dialer and thereby get access to QoS?

Reply to
anybody43

Theoretically - yes, but practically no. The only way I know to avoid a dialer or virtual template is to use AAL5SNAP encapsulation, which not many providers support. Even if you manage to get the CPE side without a dialer, the provider most likely still uses a Virtual-Template, therefore the line has to run MLPPP if you want bi-directional QoS (that is, from access server to CPE and from CPE to the access server).

Kind regards, iLya

Reply to
Charlie Root

Thanks.

"if you want bi-directional QoS " That would clearly be ideal however eliminating the output drops and queuing delays on my ATM interface was the goal.

This is a bit of a rant now, read on at your own risk.

In one particular case we have a temporary ADSL line while we are waiting on something better going in. It is 512k up and about 3M down. I see queuing delays on the inside outbound but the outside inbound looks OK. (Well I can't see it directly but I can see that there are no delays.)

I have looked at every possible Cisco solution to this problem and I have found two.

  1. Do queuing on a Cat 3560, which after MUCH pain I got working in a manner that prioritises voice absolutely and restricts other traffic to line-rate less desired-voice-bandwidth. This is less than ideal and there are almost no stats available on the behaviour.

  2. Put two routers back to back in the path with two wires between them, one of them a serial link. Use policy routing to direct the traffic in different directions via either of the interfaces to get either 512k raw data rate or more than 3M. Then put LLQ on the 512k interface to get traffic shaping to 512k.

I am quite new to QoS and I was somewhat surprised that there seems no way to do

LLQ with
  Voice on Priority Q            \
                                  |__> Shaped to 512k
  Other traffic on other queues  /

On a Cisco router.

To do shaping you seem to need a physical interface that has a Q to do the shaping to the raw data rate and you apply the LLQ there.

Hierarchical Queuing looked promising; however, it works the other way round. (More wasted time since the limitations are not explained in the documentation.)

You apply shaping per Class then offer it to the LLQ.

I want to apply LLQ with the output from the queues limited to some arbitrary bandwidth of my choice.

Rant off. Don't _even_start_ me on software upgrades breaking configs.

Reply to
anybody43
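As an added example config for the shape-then-LLQ layout sketched in the post above (written for this page, not taken from any poster), this is the nested policy-map form of Cisco MQC: the parent class shapes all traffic to the 512 kbit/s upstream rate, and the LLQ policy is nested as its child so the priority queue and the other queues all live inside the shaper's 512k. The class and policy names, the DSCP EF match, the 128 kbit/s voice figure and the Dialer0 attach point are assumptions.

```cisco
! Added example, not a poster's config.
! Child policy = the LLQ itself: voice gets strict priority (capped at
! 128 kbit/s so it cannot starve the rest), everything else shares
! fair-queue.
class-map match-all VOICE
 match ip dscp ef
!
policy-map LLQ-CHILD
 class VOICE
  priority 128
 class class-default
  fair-queue
!
! Parent policy: a single class that shapes the whole interface to the
! 512 kbit/s line rate, with the LLQ nested under the shaper. The shaper
! creates the queue that the physical ADSL interface lacks; the child
! policy then orders what goes into it.
policy-map SHAPE-512K
 class class-default
  shape average 512000
  service-policy LLQ-CHILD
!
! Attach on output, towards the provider. Per iLya earlier in the thread,
! a service-policy on the dialer needs "ppp multilink" on that dialer.
interface Dialer0
 ppp multilink
 service-policy output SHAPE-512K
!
! Verify: the parent section shows shaped/delayed packets, the nested
! child section shows the VOICE priority counters and any drops.
!   show policy-map interface Dialer0
```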
