Lan-to-Lan Dynamic VPN with IPSec and QOS on Physical Interface

kamal1352
Level 1

Hi all,

I have a network with two Cisco 3800 routers as central routers and many Cisco 2811 routers as branches. I set up two tunnels on each router, connecting the FastEthernet interface of each 2811 to a FastEthernet subinterface on the 3800. I set OSPF as the routing protocol and configured QoS on the tunnel connections, so I have a safe connection with a backup connection between the 3800 routers and each 2811 router. Now I want to set up a VPN with IPsec and certificate authentication with a CA server to secure all connections. I set up IPsec, ISAKMP and certificates on each router, with a dynamic VPN on the Cisco 3800 routers and a static VPN on each Cisco 2811 router. When I configure the tunnel with the crypto map, it works correctly and all packets are encrypted. But if I try to set the crypto map on the physical interface (because I want to set QoS on the tunnel and then protect the packets on the physical interface), all packets are routed but the crypto and encryption do not work. How can I implement this idea: set QoS on the tunnels and crypto on the FastEthernet interface?

4 Replies

brettborschel
Level 1

If this is going over the internet your QoS will be pretty much worthless.

Hi brett...

"worthless" is a little bit strong.

Most ISPs do their best to keep packet loss on the backbone as low as possible, although they will not guarantee end-to-end QoS. The TOS, respectively DSCP, will be honoured on most links. According to several internet monitoring sites, the actual packet loss on the internet is acceptable for most purposes, even for VoIP. I know some backbone engineers working for ISPs, and from what I hear from them, congested backbones or peerings with other ISPs are very rare.

QoS is mostly valuable for getting the last mile under control, which has the highest likelihood of congestion. E.g. a VoIP call can easily suffer from simultaneous heavy downloads on the last mile. It's hardly the backbone which drops packets; mostly the internet connection or "the last mile" is the source of packet loss.

See for example http://www.internettrafficreport.com/europe.htm

A current screenshot which I took today shows clearly that most destinations experience 0% packet loss; the average of 12% or so is because of a couple of unreachable destinations with 100% packet loss.

If you have different experiences, try to switch your ISP.

Rgds,

MiKa

m.kafka
Level 4

Hi Kamal,

Please look at the following feature: VTI (Virtual Tunnel Interface) for VPNs.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

VTI supports QoS, that might solve your challenge.

But be aware that QoS on VTI only has an effect on your local link. Congestion on the Internet can't be solved with this configuration. But at least you have control over which type of traffic will be, e.g., prioritized or policed on your local link to the internet.

Best regards,

MiKa

[Edit] Addendum: What exactly do you mean by dynamic VPN? "Easy VPN Remote/Server" or "Dynamic Multipoint VPN" (DMVPN)? Do you have tunnel interfaces with tunnel mode GRE or tunnel mode IPsec? Tunnel interfaces support QoS directly; you wouldn't apply QoS to the physical interface in that case.
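
A branch-side static VTI of the kind suggested in the reply above, with the QoS policy attached to the tunnel interface instead of the physical one. This is an added example, not a configuration posted in the thread; all names, addresses (documentation ranges) and rates are constructed, and CA enrollment (the trustpoint) is assumed to be already in place.

```cisco
! Constructed example for one 2811 branch; values are placeholders.
! IKE phase 1 with certificate (RSA signature) authentication.
crypto isakmp policy 10
 encryption aes
 authentication rsa-sig
 group 5
!
crypto ipsec transform-set VTI-TS esp-aes esp-sha-hmac
!
! An IPsec profile replaces the crypto map and its ACL on a VTI:
! everything routed into the tunnel interface is encrypted.
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-TS
!
! Child policy: classification happens on the clear-text packet,
! before encryption hides the inner headers.
class-map match-any VOICE
 match ip dscp ef
!
policy-map BRANCH-QUEUE
 class VOICE
  priority percent 30
 class class-default
  fair-queue
!
! Parent shaper: a tunnel interface has no line rate of its own, so
! queueing needs a shaper to create backpressure (2 Mbit/s assumed).
policy-map BRANCH-SHAPE
 class class-default
  shape average 2000000
  service-policy BRANCH-QUEUE
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
 service-policy output BRANCH-SHAPE
!
! The physical interface carries no crypto map and no service-policy.
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.252
```

To confirm that traffic is actually protected, check that the encaps/decaps counters in `show crypto ipsec sa` rise while traffic crosses Tunnel0; `show policy-map interface Tunnel0` shows the per-class QoS counters.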

Hi guys,

Thank you for your attention. I read all your comments, but I think I could not explain my problem well. First of all, I found a solution for encryption with QoS, which is set in the following attached configuration file. QoS is then running OK. Encryption is running OK if I set it on the tunnel, but when I set it on FastEthernet, the traffic continues to flow but the packets are not encrypted!!! What can I do?