QoS with Loopback interface

e.deangelis
Level 1

Hi,

I have configured a VPN tunnel on my loopback interface, and when I insert the service-policy output command I receive "Class Based Weighted Fair Queueing not supported on interface Loopback0".

How do I apply QoS on a loopback interface?

If I apply the policy on the ATM 0.1 interface, is it the same?

Thanks

8 Replies

pkhatri
Level 11

Hi,

You have to apply a 'parent' shaping policy on the interface in order to apply QoS to it.

Try something like the following:

policy-map Parent
 class class-default
  shape average 256000
  service-policy Child
!
policy-map Child
 class class1
  bandwidth 64
 class class2
  bandwidth 32
!
interface loopback10
 service-policy output Parent

Hope that helps - pls rate the post if it does.

Paresh

Hi, this is my policy:

class-map match-all telnet
 match access-group 130
class-map match-all voice
 match access-group 120
!
!
policy-map VOICE-POLICY
 class voice
  priority percent 70
  set dscp ef
 class telnet
policy-map LOOPBACK
 class class-default
  service-policy VOICE-POLICY
interface loopback 0
 service-policy out LOOPBACK

Is it correct?

If I do a "sh run" command, I do not see anything on the loopback interface.

Actually, what I earlier suggested will not work on loopback interfaces, since you can't shape on them. In fact, it does not make much sense to apply QoS policies to loopback interfaces at all.

There should be an alternative location to apply the policy in your case. Would you be able to post your config?

Paresh

This is my config:

PnP Address provider: 12.x.x.x

Public IP Address: 11.x.x.x

Local LAN: 192.168.8.x

___________________________________________

!
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password xxxx
!
username xxxx privilege 15 password xxx
aaa new-model
!
!
aaa authentication login console enable
aaa authentication login telnet local
aaa authentication ppp default none
aaa authorization exec console none
aaa authorization exec telnet local
aaa session-id common
ip subnet-zero
!
!
ip multicast-routing
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key 6 psk address VPN-ADDRESS
!
!
crypto ipsec transform-set ROM esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set ROM
 match address 120
!
!
!
interface Loopback0
 ip address 11.11.x.x.x.255.248
 ip nat outside
 crypto map nolan
!
interface Ethernet0
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 12.12.x.x.x.x.252
 ip nat outside
 pvc 8/35
  encapsulation aal5snap
 !
!
ip classless
ip route 0.0.0.0 0.0.0.0 12.12.12.225
ip route 192.168.17.0 255.255.255.0 Loopback0
ip route 192.168.149.0 255.255.255.0 Loopback0
ip route 192.168.150.0 255.255.255.0 Loopback0
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Loopback0 overload
!
!
access-list 101 deny ip any 192.168.149.0 0.0.0.255
access-list 101 deny ip any 192.168.150.0 0.0.0.255
access-list 101 deny ip any 192.168.17.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 120 permit ip 192.168.8.0 0.0.0.255 192.168.149.0 0.0.0.255
access-list 120 permit ip 192.168.8.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 120 permit ip 192.168.8.0 0.0.0.255 192.168.17.0 0.0.0.255
!
control-plane
!
!
line con 0
 authorization exec console
 login authentication console
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 30 0
 password xxxxx
 authorization exec telnet
 login authentication telnet
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

______________________________________________

Thanks for your HELP

Hi,

You could try the following additional config:

policy-map MyPolicy
 class class1
  bandwidth 64
 class class2
  bandwidth 32
!
crypto map nolan 11 ipsec-isakmp
 qos pre-classify
!
interface ATM0.1
 pvc 8/35
  service-policy output MyPolicy
!

Hope that helps - pls rate the post if it does.

Paresh

A much easier solution would be to upgrade to the latest 12.4M (mainline) release and simply use an encrypted tunnel interface. You would be applying the QoS policy to the tunnel interface which would have a source of 'interface tunnel0'. Some advantages:

1) This way you are only shaping traffic that uses the tunnel and not all ATM traffic.

2) You would use your routing table to direct traffic to the tunnel rather than the crypto map BS.

3) You won't be creating an IPSec SPI for each and every subnet to subnet/host traffic direction, the protected tunnel negotiates a 0.0.0.0/0 single SPI in each direction for the life of the IPSec tunnel.

4) You can run multicast (and, therefore, an OSPF or EIGRP routing protocol), if desired, without having to mess with a GRE tunnel AND the aforementioned crypto map BS.

5) The virtual tunnel interface uses dead peer detection, so you will know if the remote site goes down no differently than how a p-p T1 keepalive works. As more and more WANs are built using VPN technologies, this is important to maintain status on the remote sites. This is especially true as many service providers are offering layer 3 MPLS services which locally terminate traffic at both ends. If the remote DSL or circuit goes down, there would be no notification to the central site, for example.

See the following URLs for more information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041faef.html

http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8029d629.shtml

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns656/c649/cdccont_0900aecd80402f0a.pdf

Please ask more questions if this is something you want to explore further, and rate this post if it helped you...
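The tunnel-interface approach described in the post above, as an added configuration sketch that is not part of the original thread or of Cisco's documentation. The names VTI-TS, VTI-PROFILE and PSK-PLACEHOLDER, the tunnel address 10.255.0.1/30, the 256000 bps shape rate and the AES/SHA algorithm choice are assumptions; VPN-ADDRESS is the thread's own placeholder for the peer, and the peer is assumed to run a matching tunnel configuration.

```cisco
! Added example: IPsec virtual tunnel interface with QoS applied to the tunnel.
! All names, addresses and rates below are placeholders or assumptions.
crypto isakmp policy 11
 encryption aes
 hash sha
 authentication pre-share
 group 5
crypto isakmp key PSK-PLACEHOLDER address VPN-ADDRESS
! Dead peer detection: probe every 10 s, retry every 3 s when no reply
crypto isakmp keepalive 10 3
!
! The thread's transform set uses DES and MD5; this sketch assumes an
! image that supports AES and SHA instead.
crypto ipsec transform-set VTI-TS esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-TS
!
class-map match-all VOICE
 match ip dscp ef
!
policy-map qos_for_voip
 class VOICE
  priority 64
!
! Parent shaper: creates the congestion point that the child policy
! queues against (rate is an assumption, set it to the real uplink rate).
policy-map QoSVPN
 class class-default
  shape average 256000
  service-policy qos_for_voip
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source ATM0.1
 tunnel destination VPN-ADDRESS
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
 ! Policy on the tunnel sees packets before they are encrypted
 service-policy output QoSVPN
!
! Routing, not a crypto map ACL, selects what enters the tunnel
ip route 192.168.17.0 255.255.255.0 Tunnel0
ip route 192.168.149.0 255.255.255.0 Tunnel0
ip route 192.168.150.0 255.255.255.0 Tunnel0
```

After applying a configuration like this, `show policy-map interface Tunnel0` should list the shaper and the VOICE class counters, which is the check that came back empty on Loopback0 in this thread.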

Hi thanks for your help.

I have used this method:

ip access-list extended VOIP
 permit udp 192.168.13.0 0.0.0.255 192.168.149.0 0.0.0.255 dscp ef
class-map match-all VOICE
 match access-group name VOIP
policy-map qos_for_voip
 class VOICE
  priority 64
  set ip dscp ef
policy-map QoSVPN
 class class-default
  service-policy qos_for_voip
interface Loopback0
 service-policy output QoSVPN

But if I show the running config, I do not see the service-policy command on the loopback interface.

The show running-config command does not display the policy map on the loopback interface.

If I write "show policy-map interface loopback 0", there is nothing.

I have a Cisco 837... why?

Thanks

Regards

I don't believe a service-policy can be configured on a loopback interface. Are you sure the router didn't complain when you attempted to apply this config? i.e. did you 'term mon' via your remote ssh session to the router to see the barf message(s)?