12-04-2006 06:46 AM - edited 03-03-2019 02:54 PM
Hello folks,
I have a site utilizing an Internet T1 for both Internet traffic and an inter-site VPN between this location and the home office. I am ordering an additional T1 to address this bandwidth concern, but until then I have a little problem. I could muster through the command reference to figure this out, but I'd rather tickle your genius because this is a production environment and time is against me. (Okay, I'm lazy, LOL.)
My interfaces on my 2691 router are fa0/1 (inside LAN), serial1/0 (Internet) and a GRE tunnel such as Tunnel20.
What I would like to do is give any traffic destined for my GRE Tunnel 20 (which is encapsulated in IPsec) high priority over any other traffic.
Please kindly tell me what you do in this case.
Regards,
Jeff
12-04-2006 06:52 AM
It would be better if you supplied a config of your router, but from what you have told me, something like the following should suffice. It is configured to give 60% of the bandwidth to IPsec, which you may want to adjust. The policy map should be applied to the outbound serial interface using the "service-policy output" command.
! NBAR classifies the encrypted traffic (ESP/AH); class-map names are
! case-sensitive, so the policy-map must reference the same spelling
class-map match-all IPSec
 match protocol ipsec
!
policy-map TEST
 class IPSec
  priority percent 60
 class class-default
  fair-queue
!
interface Serial1/0
 service-policy output TEST
12-04-2006 10:23 AM
This is what I have now, but I don't think this is working.
crypto map SERIAL10 51 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP_3DES-ESP_SHA_HMAC
 set pfs group2
 match address 111
!
interface Loopback0
 ip address 172.16.31.254 255.255.255.255
!
interface Loopback10
 ip address 111.222.333.444 255.255.255.252 secondary
 ip address 63.63.63.63 255.255.255.192
!
interface Tunnel1234
 description GRE tunnel to CANCUN Loopback 0
 ip address 172.31.0.110 255.255.255.252
 ip mtu 1540
 bandwidth 1536
 tunnel source Loopback0
 tunnel destination 172.16.31.254
 crypto map SERIAL10
!
interface FastEthernet0/1
 description Connection to LAN
 ip address 200.200.120.1 255.255.255.0
 ip nat inside
 duplex full
 speed 100
!
interface Serial1/0
 description Connected Internet
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface Serial1/0.10 point-to-point
 bandwidth 1536
 ip unnumbered Loopback10
 ip access-group 120 in
 ip nat outside
 ip inspect FW out
 frame-relay interface-dlci XXX IETF
 crypto map SERIAL10
 priority-group 1
!
! legacy priority queuing: priority-list is global config, priority-group binds it to the interface
priority-list 1 interface tunnel1234 high
12-05-2006 03:37 AM
Hi, I think my example above will work. Have you tried it yet? The example below is another example using access lists to match ESP traffic, but the NBAR IPsec match should match ESP and AH. Let me know if it works.
12-08-2006 10:02 AM
Mark,
Your example did work. However, I tried this from another angle, which was the following. Thanks for your help!
! Match the encrypted tunnel traffic (GRE and ESP) leaving the router
access-list 122 permit gre any any
access-list 122 permit esp any any
!
! The class-map must exist before the policy-map references it
class-map match-any encr-traffic
 match access-group 122
!
! Guarantee 1024 kbps of the 1536 kbps T1 to the tunnel traffic
policy-map output
 class encr-traffic
  bandwidth 1024
!
interface Serial1/0
 service-policy output output
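For readers who land on this thread later, the following is an added, consolidated example that combines the two approaches discussed above; it is not the configuration of either poster. It assumes the interface names used in the thread (Serial1/0 as the 1536 kbps Internet T1, Tunnel1234 as the GRE tunnel) and the names TUNNEL-ENCAP, ENCRYPTED-TUNNEL and T1-OUT, which are placeholders. The point worth keeping in mind is that the service policy sits on the physical Internet interface, so the packets it sees are already encrypted: the class therefore matches the outer GRE/ESP headers (and AH, via the NBAR "ipsec" protocol), not anything inside the tunnel. "priority" gives the class a strict-priority (LLQ) queue that is policed to its rate only under congestion, whereas the "bandwidth" statement in the post above only guarantees a minimum share.

```cisco
! Added example (not the original posters' config). Assumed names:
! Serial1/0 = 1536 kbps Internet T1, Tunnel1234 = GRE tunnel over IPsec.
!
! Outer-header match: GRE and ESP leaving the router toward the peer.
! AH is covered as well by the NBAR "ipsec" protocol in the class-map.
ip access-list extended TUNNEL-ENCAP
 permit gre any any
 permit esp any any
!
! match-any: either the ACL or NBAR classification puts a packet in the class
class-map match-any ENCRYPTED-TUNNEL
 match access-group name TUNNEL-ENCAP
 match protocol ipsec
!
! Strict-priority (LLQ) queue for the tunnel, policed to 60% of the T1
! (about 920 kbps) only when the link is congested; all other traffic is
! fair-queued in class-default.
policy-map T1-OUT
 class ENCRYPTED-TUNNEL
  priority percent 60
 class class-default
  fair-queue
!
! The "bandwidth" statement is what "priority percent" is computed from.
interface Serial1/0
 bandwidth 1536
 service-policy output T1-OUT
!
! Verification (run from enable mode after applying the policy):
! the packet counters under "Class-map: ENCRYPTED-TUNNEL" must increase
! while tunnel traffic flows, and that class should show no drops unless
! the priority rate is exceeded during congestion.
! Router# show policy-map interface Serial1/0
! Router# show class-map ENCRYPTED-TUNNEL
```

If the ENCRYPTED-TUNNEL counters stay at zero while the tunnel is busy, the packets are being classified somewhere else (for example a policy applied to the subinterface instead of the physical interface), which is the first thing to check. Note that this policy treats everything inside the tunnel as one class; classifying by the pre-encryption headers (say, voice inside the tunnel ahead of file transfers) would require "qos pre-classify" on the tunnel and crypto map, which is beyond what this thread covers.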