VPN traffic Prioritizing over Http, Ftp.

[Nobleman]

We're running a Cisco 1711 Security Access Router at a corporate satellite office. We make Nortel and Cisco VPN connections from PCs on our internal network out through the router. These VPN connections are starved when a high bandwidth non-VPN (http, ftp, etc.) download is initiated.Can anyone provide any configuration examples (PQ, LLQ, CBWFQ, single-hop QoS, anything that works!) for identifying and prioritizing VPN traffic over all other traffic? The bottleneck is at the router and I should be able to throttle back all other traffic to allow the VPN traffic through. This is a simple problem with a simple solution but I'm finding with Cisco stuff there's no such thing as a simple solution. Please don't send links to Cisco documentation unless it provides an explicit example applying to VPN traffic (no VoIP, etc.) And don't reply saying that QoS won't do any good because it's not implemented on the open internet because all I need is a single hop solution. I had an OpenBSD machine up and running within a few hours as a bandwidth manager (using the built in packet filter) providing the VPN prioritization we needed. We'd still be using it if it were a little more stable with multiple VPN connections.

[Marco-D]

Wow, I think I am going to have to publish a website with some basic qos configurations. There's seems to be a need for it! Ok, there is a simple way to do this. As per most cisco qos, it's 3 steps:

1) create class-maps which define your traffic classes

class-map match-any VPN
match protocol ipsec

That is assuming your vpn is ipsec, you can also specifiy an access-list:

class-map match-any VPN
match ip access-group BLAH

Below is the default class. Everything not VPN will automatically go in here. You don't need to explicitly define it, it's automatically there.

class-map class-default

2) Create the policy

policy-map PRIORITISE-VPN
class VPN
bandwidth percent 50
class class-default
bandwidth percent 25

(This CBWFQ example requires the bandwidth statement be configured under
the interface)

The 'bandwidth percent' numbers represent a MINIMUM guarantee. So if VPN
needs 50% of the interface bw, it will get it. Conversely if it doesn't need it, it will shared amongst the other classes. If VPN needs more than 50% it might also get it, provided the default class doesn't need a huge amount more than it's 25% - but it's not guaranteed.

We have only allocated 75% because that's the default amount of bw you are allowed to reserve in a policy. You can change this if you want finer control.

3) Apply the policy to an interface.

If you manage the routers at both ends apply the same poilicy outbound
on both ends of the point-to-point link. Otherwise you can just double
up and apply the same policy inbound and outbound on your 1711

interface ser0
service-policy output PRIORITISE-VPN
service-policy input PRIORITISE-VPN

Hope this helps,

[Nobleman]

Thank you very much for the reply Marco. Your simple, straight-forward instructions validated that I was already on the right track. The only thing that didn't work, and it may be a restriction of the 1711, is the policy-map can't be applied to the input of an interface, but all I have to do is apply it to the output of both my external and internal interfaces to acheive the same thing. I think my problem is I'm not classifying the VPN traffic properly. We're using Nortel and Cisco VPN clients which should fall under the 'ipsec' protocol classification butit doesn't seem to be working. The other item I've had difficulty locating is the debug command to monitor the performance of a policy. Maybe I should try classifying all the high bandwidth (http, ftp, etc.) traffic and then let the VPN and whatever is left fall into the 'class-default'. If you have the time, a page with simple instructions and tutorialswould probably help a lot of people with these all-in-one routers. The main target audience for these routers, I would guess, is the SOHO crowd who just want to plunk it down as a broadband gateway, spend a couple of hours running through some configuration wizards and be done. We don't want to spend a week or two in classes or wade through a mountain of whitepaper and documentation with very few applicable examples or spend hundreds of dollars to have a Cisco certified engineer to come out and set it up. It seems to me that Cisco doesn't want to cater to this audience because it would circumvent their training/certification, service and paid support mechanism.Sorry for the rant. I'm a software engineer who just wants the thing up and running so I can get back to programming.