
QOS with ME & Site-to-Site VPNs

Hello,

I have a 50MB ME circuit at HQ site running a 3925 router and 20MB ME circuits at 2 branch sites running 2951 routers.

I need to reserve 90% of the bandwidth at each site for site-to-site IPSec VPNs and leave the remaining 10% for browsing.  I also need to shape the traffic on the outside interfaces to match the bandwidth of the particular site.  I also want to drop any traffic that is determined to be file sharing.

The routers work fine, the VPNs work fine, traffic shaping seems to be working, but when I generate traffic across the VPN and do "sh policy-map interface Gi0/1 output" all traffic is falling into the default class, nothing is getting classified as IPSec.

My class maps, policy maps, and outside interface config are attached.  Can someone tell me why my IPSec VPN traffic is not being recognized as such?

Thanks,

Mitchell Smith

1 Reply

Hello All,

I solved this myself.

In case anyone else has this problem, the key was to add "qos pre-classify" to the crypto map that was applied to the outside interface.  I also set my VPN class map to not only check for IPSec protocol but also the ACLs that define my tunnel traffic; it seems NBAR Discovery does not work well.  Once I did this it works fine.

Thanks to all those that looked at the problem.

Mitchell
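
The fix described in the reply above, sketched as an added example for the HQ router; it is not the poster's attached configuration, which does not appear on this page. `qos pre-classify` makes the outbound policy classify each packet on its pre-encryption header, so an ACL on the inner addresses can match. Every name, subnet and peer address below is a constructed placeholder, and `match-any` and the 50 Mbit/s shape rate are assumptions.

```cisco
! Added example: all names, subnets and peer addresses are placeholders.
! ACL describing the traffic that enters the tunnel (inner addresses).
ip access-list extended VPN-TUNNEL-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Match either the tunnel ACL (seen thanks to pre-classify) or IPSec itself.
! match-any is an assumption; the reply only says both checks are present.
class-map match-any VPN-TRAFFIC
 match access-group name VPN-TUNNEL-TRAFFIC
 match protocol ipsec
!
! Child policy: 90% guaranteed to VPN traffic, the rest to class-default.
policy-map WAN-QUEUE
 class VPN-TRAFFIC
  bandwidth percent 90
 class class-default
  fair-queue
!
! Parent policy: shape to the circuit rate (HQ circuit taken as 50 Mbit/s).
policy-map WAN-SHAPE
 class class-default
  shape average 50000000
  service-policy WAN-QUEUE
!
! The line the reply identifies as the key: qos pre-classify on the
! crypto map that is applied to the outside interface.
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-EXAMPLE
 match address VPN-TUNNEL-TRAFFIC
 qos pre-classify
!
interface GigabitEthernet0/1
 crypto map OUTSIDE-MAP
 service-policy output WAN-SHAPE
```

After generating traffic across the VPN, the command from the question, "sh policy-map interface Gi0/1 output", should show the packet counters for the VPN class increasing rather than only those of class-default.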
