[c-nsp] QoS not working - VPN acl conflicting???

David Prall dcp at dcptech.com
Thu Apr 4 13:11:56 EDT 2013


Need to turn on Pre-Classify in the ipsec crypto map. Otherwise all you are
seeing is the ipsec traffic.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of false
> Sent: Thursday, April 04, 2013 12:49 PM
> To: cisco mailing list
> Subject: [c-nsp] QoS not working - VPN acl conflicting???
> 
> 
> Hello,
> I have a QoS  policy in place that is set to reserve/prioritize traffic
for my
> outgoing VoIP traffic. We outsource our voip solution.
> 
> I am trying to test my QoS policy by performing multiple file transfers
> outbound to our remote site over vpn which uses the same interface. You
> can see by the txload stats below that it should have been high enough to
> make the voip policy kick in bit it didn't. There were about six phones
> connected but not being used. They are just doing keepalives for
> regisration, etc to the main server, which is indicated in the access list
> below. Any ideas? Thank you,
> 
> Serial0/1/0 is up, line protocol is up
> Hardware is GT96K with integrated T1 CSU/DSU
> Internet address is x.x.x.x/30
> MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
> reliability 255/255, txload 218/255, rxload 19/255
> 
> router#sh policy-map interface serial 0/1/0
> Serial0/1/0
> 
> Service-policy output: VOIPpm
> queue stats for all priority classes:
> queue limit 64 packets
> (queue depth/total drops/no-buffer drops) 0/0/0
> (pkts output/bytes output) 0/0
> 
> Class-map: VOIPcm (match-all)
> 0 packets, 0 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: access-group 156
> Priority: 33% (509 kbps), burst bytes 12700, b/w exceed drops: 0
> 
> 
> Class-map: class-default (match-any)
> 898811 packets, 199817314 bytes
> 5 minute offered rate 23000 bps, drop rate 3000 bps
> Match: any
> Queueing
> queue limit 64 packets
> (queue depth/total drops/no-buffer drops/flowdrops) 0/81175/0/81175
> (pkts output/bytes output) 824273/184794616
> Fair-queue: per-flow queue limit 16
> router#
> 
> 
> CONFIG:
> access-list 156 permit ip any host 66.x.x.x.x
> 
> class-map match-all VOIPcm
> match access-group 156
> 
> policy-map VOIPpm
> class VOIPcm
> priority percent 33
> class class-default
> fair-queue
> 
> interface Serial0/1/0
> ip address 150.150.150.150 255.255.255.252
> ip access-group 101 in
> ip flow ingress
> ip flow egress
> ip nat outside
> ip inspect ISP2-cbac out
> ip virtual-reassembly
> encapsulation ppp
> crypto map vpnmap
> service-policy output VOIPpm
> end
> 
> crypto map vpnmap 21 ipsec-isakmp
>  set peer x.x.x.x
>  set transform-set vpn_set
>  match address 121
> crypto map vpnmap 32 ipsec-isakmp
>  set peer x.x.x.x
>  set transform-set vpn_set
>  match address 132
> 
> access-list 121 permit gre host 150.150.150.150 host 67.x.x.x.
> access-list 132 permit gre host 150.150.150.150 host 57.x.x.x.x
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



More information about the cisco-nsp mailing list