Help me with priority queueing please

jkrawczyk
Level 1

Hello folks,

I have a site utilizing an Internet T1 for both internet traffic and inter-site VPN between this location and home office. I am ordering an additional T1 to address this bandwidth concern but until then I have a little problem. I could muster through the command reference to figure this out but I'd rather tickle your genius because this is a production environment and time is against me. (okay, I'm lazy - LOL)

My interfaces on my 2691 router are fa0/1 (inside LAN), serial1/0 (Internet) and a GRE such as Tunnel20.

What I would like to do is give any traffic destined for my GRE Tunnel 20 (which is encapsulated in IPSEC) high priority over any other traffic.

Please tell me what you are doing in this case, kindly

Regards

Jeff

4 Replies

mark.edwards
Level 1

It would be better if you supplied a config of your router, but from what you have told me something like the following should suffice. It is configured to give 60% of BW to IPSec, which you may want to adjust. The policy map should be applied to the outbound serial interface using the "service-policy output" command.

class-map match-all IPSec
 match protocol ipsec
!
policy-map TEST
 ! class name must match the class-map name exactly (case-sensitive)
 class IPSec
  priority percent 60
 class class-default
  fair-queue

This is what I have now but I don't think this is working.

crypto map SERIAL10 51 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP_3DES-ESP_SHA_HMAC
 set pfs group2
 match address 111
!
interface Loopback0
 ip address 172.16.31.254 255.255.255.255
!
interface Loopback10
 ip address 111.222.333.444 255.255.255.252 secondary
 ip address 63.63.63.63 255.255.255.192
!
interface Tunnel1234
 description GRE tunnel to CANCUN Loopback 0
 ip address 172.31.0.110 255.255.255.252
 ip mtu 1540
 bandwidth 1536
 tunnel source Loopback0
 tunnel destination 172.16.31.254
 crypto map SERIAL10
!
interface FastEthernet0/1
 description Connection to LAN
 ip address 200.200.120.1 255.255.255.0
 ip nat inside
 duplex full
 speed 100
!
interface Serial1/0
 description Connected Internet
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface Serial1/0.10 point-to-point
 bandwidth 1536
 ip unnumbered Loopback10
 ip access-group 120 in
 ip nat outside
 ip inspect FW out
 frame-relay interface-dlci XXX IETF
 crypto map SERIAL10
 priority-group 1
!
priority-list 1 interface tunnel1234 high

Hi, I think my example above will work. Have you tried it yet? The below example provides another example using access-lists to match ESP traffic but the NBAR IPsec should match ESP and AH. Let me know if it works.

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns109/networking_solutions_white_paper09186a00801890f7.shtml

Mark,

Your example did work. However, I have tried this from another angle which was the following, thanks for your help!

access-list 122 permit gre any any
access-list 122 permit esp any any
!
class-map match-any encr-traffic
 match access-group 122
!
policy-map output
 class encr-traffic
  ! reserve 1024 kbps for this class during congestion
  bandwidth 1024
!
interface Serial1/0
 service-policy output output
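
Added example, not part of the original thread and not Cisco tooling: a small Python check to run against a saved config before it goes onto a production router, confirming that every class, policy-map and ACL name the QoS configuration references is actually defined. IOS matches these names exactly, including case; the sample config and the function name lint_mqc are constructed for illustration.

```python
# Constructed sample config (not from the thread); names are made up.
SAMPLE = """\
class-map match-any encr-traffic
 match access-group 122
policy-map WAN-OUT
 class Encr-Traffic
  bandwidth 1024
 class class-default
  fair-queue
interface Serial1/0
 service-policy output WAN-OUT
interface Serial1/0.10 point-to-point
 service-policy output WAN-EDGE
access-list 122 permit gre any any
access-list 122 permit esp any any
"""

TOP_LEVEL = ("class-map", "policy-map", "interface")

def lint_mqc(config):
    """Return dangling MQC references (exact, case-sensitive name match)."""
    defined = {"class-map": set(), "policy-map": set(), "access-list": set()}
    uses, ctx = [], None  # uses: (kind, name, enclosing stanza)
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] in TOP_LEVEL:
            ctx = " ".join(w)
        if w[0] in ("class-map", "policy-map"):
            defined[w[0]].add(w[-1])
        elif w[0] == "access-list" and len(w) > 1:
            defined["access-list"].add(w[1])          # numbered ACL
        elif w[:2] == ["ip", "access-list"]:
            defined["access-list"].add(w[-1])         # named ACL
        elif w[0] == "class" and w[-1] != "class-default":
            uses.append(("class-map", w[-1], ctx))
        elif w[:2] == ["match", "access-group"]:
            uses.append(("access-list", w[-1], ctx))
        elif w[0] == "service-policy":
            uses.append(("policy-map", w[-1], ctx))
    return [f"{ctx}: {kind} '{name}' is not defined"
            for kind, name, ctx in uses if name not in defined[kind]]

if __name__ == "__main__":
    for finding in lint_mqc(SAMPLE):
        print(finding)
```

An empty result means every reference resolves; it says nothing about whether the policy actually classifies the tunnel traffic, which still needs checking on the router with "show policy-map interface".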
