[c-nsp] QoS and split tunneling
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Thu Apr 6 09:28:08 EDT 2006
Peter Hicks <> wrote on Wednesday, April 05, 2006 5:51 PM:
> Hello
>
> One of my remote sites has a 2651XM, and a 2Mb WAN connection with 1Mb
> through the service provider for Internet access. We connect to them
> via a GRE tunnel with IPSec.
>
> They have reported that Citrix sessions are sluggish, and I can put
> this down to high CPU on our VPN hub router. This will be fixed with
> a VPN accelerator AIM.
>
> I also want to look at giving Citrix traffic priority over other
> traffic (mostly SMB/NetBIOS), as the service provider we use has an
> uncontended network and we have control of both endpoints.
>
> Given that the traffic to be prioritised is encapsulated in GRE and
> IPSec, what is the best way to implement QoS/queuing/policing etc. to
> improve Citrix response?
Take a look at http://www.cisco.com/warp/public/105/crypto_qos.html
which describes this in detail. You need to enable "qos pre-classify" on
the GRE tunnel and the crypto map, and then use a QoS policy (CBWFQ,
LLQ) on the outgoing physical interface to properly queue the packets
based on ToS/DSCP/precedence.

In your application, you will likely need to classify the Citrix packets
with a higher ToS/DSCP/precedence when they enter the router
(unencrypted), configure a class-map matching on this
ToS/DSCP/precedence value, and then provide a min-bw guarantee for this class.
This protects Citrix from the other traffic (tunnel or Internet). To
protect the Internet traffic from the IPsec/GRE, you can also shape the
IPsec traffic to 1Mb using hierarchical policies, i.e. something like
this:
class-map match-all ipsec
 ! use an ACL to match your IPsec traffic, or use "match protocol ipsec"
 match access-group name foo
class-map match-all tunnel-citrix
 ! or whichever precedence value you used on ingress
 match ip precedence 4
!
policy-map tunnel
 class tunnel-citrix
  ! reserves 500k for Citrix
  bandwidth 500
!
policy-map output
 class ipsec
  shape average 1000000
  service-policy tunnel
 class class-default
  fair-queue
oli
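The full configuration for one end of the tunnel, written out as an added example (this is not part of Oliver's post or Cisco's documentation). It goes beyond the fragment above by adding the ingress marking of Citrix traffic, "qos pre-classify" on the tunnel and crypto map, and the attachment of the parent policy to the WAN interface. Interface names (FastEthernet0/0, Tunnel0, Serial0/0), ACL names, the crypto-map name "vpn" (assumed to already carry its peer, transform set and match address), the peer addresses 192.0.2.1 and 198.51.100.1, and the use of TCP 1494 (ICA) and TCP 2598 (CGP session reliability) to identify Citrix are all assumptions:

```ios
! Added example, not from the original post. Interface names, ACL names,
! peer addresses and the crypto-map name "vpn" are assumptions.
!
! 1. Mark Citrix on the LAN side, before GRE/IPsec encapsulation.
!    ICA is TCP 1494; session reliability (CGP) is TCP 2598.
ip access-list extended CITRIX
 permit tcp any any eq 1494
 permit tcp any eq 1494 any
 permit tcp any any eq 2598
 permit tcp any eq 2598 any
!
class-map match-all lan-citrix
 match access-group name CITRIX
!
policy-map mark-in
 class lan-citrix
  set ip precedence 4
!
interface FastEthernet0/0
 description LAN towards the Citrix clients/servers
 service-policy input mark-in
!
! 2. Let the output policy classify on the original (pre-encryption)
!    headers. GRE and IPsec copy the ToS byte to the outer header anyway,
!    so the precedence match below works even without this; it is needed
!    as soon as you match on ports, addresses or NBAR protocols.
interface Tunnel0
 qos pre-classify
!
crypto map vpn 10 ipsec-isakmp
 qos pre-classify
!
! 3. Identify the encrypted tunnel (ESP between the two crypto peers)
!    and the Citrix packets marked in step 1.
ip access-list extended IPSEC-TRAFFIC
 permit esp host 192.0.2.1 host 198.51.100.1
!
class-map match-all ipsec
 match access-group name IPSEC-TRAFFIC
!
class-map match-all tunnel-citrix
 match ip precedence 4
!
! 4. Child policy: guarantee 500 kbit/s to Citrix inside the shaped tunnel,
!    everything else in the tunnel (SMB/NetBIOS) shares the rest fairly.
policy-map tunnel
 class tunnel-citrix
  bandwidth 500
 class class-default
  fair-queue
!
! 5. Parent policy on the 2 Mbit/s WAN link: shape the tunnel to 1 Mbit/s
!    so the other 1 Mbit/s stays available for Internet traffic.
policy-map output
 class ipsec
  shape average 1000000
  service-policy tunnel
 class class-default
  fair-queue
!
interface Serial0/0
 description 2 Mbit/s WAN, 1 Mbit/s of it for Internet
 bandwidth 2000
 service-policy output output
 crypto map vpn
```

Apply the same marking and policy on the hub side, since queuing only helps in the direction the router transmits; Citrix screen updates flow hub-to-branch, so the hub's WAN policy is the one that matters most for the reported sluggishness. Check the result with "show policy-map interface Serial0/0": the tunnel-citrix class should show matches once marked packets are flowing, and drops in class-default (not in tunnel-citrix) under load.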
More information about the cisco-nsp mailing list