[c-nsp] QoS and split tunneling

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Apr 6 09:28:08 EDT 2006


Peter Hicks <> wrote on Wednesday, April 05, 2006 5:51 PM:

> Hello
> 
> One of my remote sites has a 2651XM, and a 2Mb WAN connection with 1Mb
> through the service provider for Internet access.  We connect to them
> via a GRE tunnel with IPSec.
> 
> They have reported that Citrix sessions are sluggish, and I can put
> this down to high CPU on our VPN hub router.  This will be fixed with
> a VPN accelerator AIM.
> 
> I also want to look at giving Citrix traffic priority over other
> traffic (mostly SMB/NetBIOS), as the service provider we use has an
> uncontended network and we have control of both endpoints.
> 
> Given that the traffic to be prioritised is encapsulated in GRE and
> IPSec, what is the best way to implement QoS/queuing/policing etc. to
> improve Citrix response?

Take a look at http://www.cisco.com/warp/public/105/crypto_qos.html
which describes this in detail. You need to enable "qos pre-classify" on
the GRE tunnel and the crypto map, and then use a QoS policy (CBWFQ,
LLQ) on the outgoing physical interface to properly queue the packets
based on tos/dscp/precedence.

In your application, you will likely need to classify the Citrix packets
with a higher tos/dscp/precedence when they enter the router
(unencrypted), configure a class-map matching on this
tos/dscp/prec value, and then provide a min-bw guarantee for this class.
This protects Citrix from the other traffic (tunnel or internet). To
protect the Internet traffic from the IPSec/GRE, you can also shape the
IPSec traffic to 1MB using hierarchical policies, i.e. something like
this:

class-map ipsec
! use a named ACL to match your IPSec traffic, or use "match protocol ipsec"
 match access-group name foo
class-map tunnel-citrix
! or whichever precedence value you used when marking Citrix
 match ip precedence 4
!
policy-map tunnel
 class tunnel-citrix
! reserves 500k for Citrix inside the shaped tunnel class
  bandwidth 500
!
policy-map output
 class ipsec
  shape average 1000000
  service-policy tunnel
 class class-default
  fair-queue

	oli
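The complete layout the reply describes, as an added example rather than Oliver's own config: Citrix is marked with precedence 4 on the LAN side, qos pre-classify is enabled on the tunnel and the crypto map, and a hierarchical policy on the WAN interface shapes all tunnel traffic to 1 Mbit/s while guaranteeing 500 kbit/s to Citrix inside that shape. Interface names, the crypto map name, ACL names, the remote LAN 192.168.10.0/24 and the use of TCP 1494 for Citrix ICA are assumptions, not values from the thread.

```cisco
! Added example, not from the thread: interface names, crypto map name,
! ACL names and the remote LAN 192.168.10.0/24 are assumptions.
! 1. Mark Citrix on the LAN side (ICA on TCP 1494 is an assumption)
ip access-list extended CITRIX
 permit tcp any any eq 1494
 permit tcp any eq 1494 any
!
class-map match-all citrix-ingress
 match access-group name CITRIX
!
policy-map mark-citrix
 class citrix-ingress
  set ip precedence 4
!
interface FastEthernet0/0
 service-policy input mark-citrix
!
! 2. Keep the original header available for classification after GRE
!    encapsulation and after encryption
interface Tunnel0
 qos pre-classify
!
crypto map VPNMAP 10 ipsec-isakmp
 qos pre-classify
!
! 3. WAN output: parent class matches tunnel traffic by inner destination
!    (possible only because of qos pre-classify), shapes it to 1 Mbit/s;
!    child policy guarantees 500 kbit/s to Citrix inside that shape
ip access-list extended TO-REMOTE-LAN
 permit ip any 192.168.10.0 0.0.0.255
!
class-map match-all vpn
 match access-group name TO-REMOTE-LAN
class-map match-all tunnel-citrix
 match ip precedence 4
!
policy-map tunnel
 class tunnel-citrix
  bandwidth 500
!
policy-map output
 class vpn
  shape average 1000000
  service-policy tunnel
 class class-default
  fair-queue
!
interface Serial0/0
 service-policy output output
```

Check the result with `show policy-map interface Serial0/0`: the vpn class counters should increase while Citrix sessions run, and the tunnel-citrix child class should show matches rather than class-default.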
