I would like to create a traffic policy for prioritizing management traffic (telnet/ssh, snmp) and core data (actual interest traffic) during congestion. My requirement is that when there is congestion on the backhaul, management traffic has to be prioritized over data traffic so that we will have access to the remote end device via the backhaul. I want to achieve this scenario on a destination-based IP, as my interest traffic points to one IP and management access to servers, routers, switches is on another IP.
You could start with something like this:
R1(config)#ip access-list extended H1_H2
R1(config-ext-nacl)#permit ip host 192.168.1.1 host 192.168.2.2
R1(config-ext-nacl)#permit ip host 192.168.2.2 host 192.168.1.1
R1(config-ext-nacl)#exit
R1(config)#class-map MGMT_TRAFFIC
R1(config-cmap)#match access-group name H1_H2
R1(config-cmap)#exit
R1(config)#policy-map PRIORITY
R1(config-pmap)#class MGMT_TRAFFIC
R1(config-pmap-c)#priority 1000
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#interface GigabitEthernet 0/1
R1(config-if)#service-policy output PRIORITY
This gives traffic between 192.168.1.1 and 192.168.2.2 priority for up to 1000 kbps when there is congestion:
R1#show policy-map interface GigabitEthernet 0/1
 GigabitEthernet0/1

  Service-policy output: PRIORITY

    queue stats for all priority classes:
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

    Class-map: MGMT_TRAFFIC (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name H1_H2
      Priority: 1000 kbps, burst bytes 25000, b/w exceed drops: 0

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
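As an added illustration (not from the thread and not Rene's configuration), the following Python model shows what "Priority: 1000 kbps, burst bytes 25000" in the show output means while the link is congested: the priority class is policed by a token bucket, so management packets within the rate are sent from the priority queue ahead of class-default, and packets arriving after the bucket is empty are counted as "b/w exceed drops". The rate and burst values are the ones from the show output; the packet trace is constructed, and the model is deliberately simplified (no queue-limit or class-default scheduling is modelled).

```python
# Added example, not from the thread: a simplified token-bucket model of how
# IOS polices an LLQ priority class during congestion. Rate and burst are
# the values in the show output ("Priority: 1000 kbps, burst bytes 25000");
# the packet trace is constructed.

RATE_BPS = 1000 * 1000        # priority 1000 -> 1000 kbps
BURST_BYTES = 25000           # burst bytes 25000


def police_priority(packets, congested=True,
                    rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """packets: list of (arrival_time_s, size_bytes) in arrival order.

    Returns a list of (time, size, verdict) where verdict is "conform"
    (sent from the priority queue) or "exceed" (a b/w exceed drop).
    Without congestion IOS does not police the priority class, so every
    packet conforms.
    """
    if not congested:
        return [(t, s, "conform") for t, s in packets]
    bytes_per_sec = rate_bps / 8.0
    tokens = float(burst_bytes)            # bucket starts full
    last = packets[0][0] if packets else 0.0
    out = []
    for t, size in packets:
        # Refill at the configured rate, never beyond the burst size.
        tokens = min(float(burst_bytes), tokens + (t - last) * bytes_per_sec)
        last = t
        if size <= tokens:
            tokens -= size
            out.append((t, size, "conform"))
        else:                              # bucket empty: exceed drop
            out.append((t, size, "exceed"))
    return out


def count(decisions, verdict):
    """How many packets received the given verdict."""
    return sum(1 for _, _, v in decisions if v == verdict)


# Constructed trace: a 30-packet burst of 1500-byte management packets at
# t=0, then 10 more 100 ms later. 16 fit the 25000-byte burst at t=0
# (16 * 1500 = 24000); 100 ms refills 12500 bytes, enough for 9 more.
TRACE = [(0.0, 1500)] * 30 + [(0.1, 1500)] * 10


def demo(congested=True):
    """Return (conforming, exceeding) packet counts for the trace."""
    d = police_priority(TRACE, congested=congested)
    return count(d, "conform"), count(d, "exceed")


if __name__ == "__main__":
    print("congested:     conform/exceed =", demo(True))    # (25, 15)
    print("not congested: conform/exceed =", demo(False))   # (40, 0)
```

The practical lesson for the original question is that `priority 1000` is a guarantee and a ceiling at the same time: management traffic above 1000 kbps (plus the burst) is dropped during congestion rather than queued, so the rate should be sized above the real SSH/SNMP load, while bulk data belongs in a `bandwidth` class or class-default.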
Rene, thanks. Could you please let me know whether I should apply this configuration on both peer routers? Also, I am using pure IPsec (tunnel mode), hence I configured QoS pre-classify under the crypto map on both peer routers and the service policy under the WAN interface (where IPsec is getting formed), but I can see traffic only on the one router where the traffic is initiated from the LAN; on the other end router I can't see the traffic under my class map for FTP, but I can see packet increments in the default class. Is there any idea how I can get rid of this situation?
Dear Rene, please find my configuration from both backhaul routers.
SB-RTR00:
class-map match-all FTP
 match access-group name MGMT-TRAFFIC
policy-map FTP-PRIORITY
 class FTP
  bandwidth percent 25
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
 lifetime 86399
crypto isakmp key XXXXXXX address x.x.x.x
!
!
crypto ipsec transform-set YYYYYYY esp-aes esp-sha512-hmac
 mode tunnel
!
!
!
crypto map PPPPP local-address GigabitEthernet0/0/0
crypto map PPPPP 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set YYYYYYY
 match address IPSEC-ACL
 qos pre-classify
ip access-list extended MGMT-TRAFFIC
 permit tcp host 10.1.1.10 host 11.1.1.10 eq ftp ftp-data
ip access-list extended IPSEC-ACL
 permit ip any 11.1.1.0 0.0.0.255
interface GigabitEthernet0/0/0
 description ### Connected to Backhaul ###
 bandwidth 3000
 ip address x.x.x.x 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 duplex auto
 speed auto
 no lldp transmit
 no lldp receive
 no mop enabled
 crypto map PPPPP
 service-policy output FTP-PRIORITY
SB-RTR01:
class-map match-all FTP
 match access-group name MGMT-TRAFFIC
!
policy-map FTP-PRIORITY
 class FTP
  bandwidth percent 25
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
 lifetime 86399
crypto isakmp key xxxxxx address x.x.x.x
!
!
crypto ipsec transform-set yyyyyy esp-aes esp-sha512-hmac
 mode tunnel
!
!
!
crypto map QQQQQ local-address GigabitEthernet0/0/0
crypto map QQQQQ 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set yyyyyy
 match address IPSEC-ACL
 qos pre-classify
interface GigabitEthernet0/0/0
 description ### Connected to backhaul ###
 bandwidth 3000
 ip address x.x.x.x 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 duplex auto
 speed auto
 no lldp transmit
 no lldp receive
 no mop enabled
 crypto map QQQQQ
 service-policy output FTP-PRIORITY
ip access-list extended MGMT-TRAFFIC
 permit tcp host 11.1.1.10 host 10.1.1.10 eq ftp ftp-data
ip access-list extended IPSEC-ACL
 permit ip 11.1.1.0 0.0.0.255 any
You might want to check your access-lists:
ip access-list extended MGMT-TRAFFIC
 permit tcp host 10.1.1.10 host 11.1.1.10 eq ftp ftp-data
and
ip access-list extended MGMT-TRAFFIC
 permit tcp host 11.1.1.10 host 10.1.1.10 eq ftp ftp-data
Is 11.1.1.10 your FTP server and 10.1.1.10 your client? If so, the first access-list is correct but the second one isn’t.
If you use passive FTP, you also need to add some extra port numbers.
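To make the access-list point concrete, here is an added Python check (not part of the thread; the "fixed" entry is this editor's suggestion, not something Rene posted) that applies a minimal model of Cisco extended-ACL matching to constructed FTP packets in each direction. It assumes, as Rene asks, that 11.1.1.10 is the FTP server and 10.1.1.10 the client, and that each router's service policy is applied outbound on the WAN interface, so SB-RTR00 classifies client-to-server packets and SB-RTR01 classifies server-to-client packets. In an active-mode session the server's replies carry ports 21 and 20 as the source port, which is why an entry that names them as destination ports on SB-RTR01 never matches and the traffic lands in class-default. A passive-mode data connection uses a server-chosen ephemeral port and matches none of these entries in either direction, which is the extra-ports issue mentioned above.

```python
# Added example, not part of the thread: a minimal model of Cisco extended
# ACL matching (host entries with optional source/destination port sets),
# used to test the two MGMT-TRAFFIC access-lists against constructed FTP
# packets. The "fixed" SB-RTR01 entry is this editor's suggestion.

FTP, FTP_DATA = 21, 20                      # IOS keywords "ftp" / "ftp-data"
CLIENT, SERVER = "10.1.1.10", "11.1.1.10"   # assumption: client / FTP server


def entry(proto, src, dst, sport=None, dport=None):
    """One 'permit' line. sport/dport are sets of ports, or None for any."""
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


def pkt(proto, src, dst, sport, dport):
    """A packet header as the class-map sees it (pre-encryption, thanks to
    qos pre-classify)."""
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


def entry_matches(e, p):
    """Host-only match: protocol, both addresses and any port constraints."""
    if e["proto"] != p["proto"] or e["src"] != p["src"] or e["dst"] != p["dst"]:
        return False
    if e["sport"] is not None and p["sport"] not in e["sport"]:
        return False
    if e["dport"] is not None and p["dport"] not in e["dport"]:
        return False
    return True


def acl_permits(acl, p):
    """First matching permit wins; no match means the implicit deny."""
    return any(entry_matches(e, p) for e in acl)


def classified(acl, packets):
    """Number of packets the class-map would put into the FTP class."""
    return sum(1 for p in packets if acl_permits(acl, p))


# The two access-lists exactly as posted ("eq ftp ftp-data" after the
# destination host means destination port 21 or 20).
ACL_SB_RTR00 = [entry("tcp", CLIENT, SERVER, dport={FTP, FTP_DATA})]
ACL_SB_RTR01 = [entry("tcp", SERVER, CLIENT, dport={FTP, FTP_DATA})]
# Suggested correction for the server-side router: the well-known ports are
# the *source* ports of server-to-client traffic, i.e. in IOS syntax
# "permit tcp host 11.1.1.10 eq ftp ftp-data host 10.1.1.10".
ACL_SB_RTR01_FIXED = [entry("tcp", SERVER, CLIENT, sport={FTP, FTP_DATA})]

# Constructed active-mode FTP session. Control: client 40001 -> server 21.
# Data (active): the server connects from port 20 to the client's port 40002.
OUTBOUND_SB_RTR00 = [                  # client -> server, seen by SB-RTR00
    pkt("tcp", CLIENT, SERVER, 40001, FTP),
    pkt("tcp", CLIENT, SERVER, 40002, FTP_DATA),
]
OUTBOUND_SB_RTR01 = [                  # server -> client, seen by SB-RTR01
    pkt("tcp", SERVER, CLIENT, FTP, 40001),
    pkt("tcp", SERVER, CLIENT, FTP_DATA, 40002),
]
# Passive-mode data connection: the server listens on an ephemeral port
# (50000 here, constructed) that none of the entries above covers.
PASSIVE_DATA = [
    pkt("tcp", CLIENT, SERVER, 40003, 50000),   # seen by SB-RTR00
    pkt("tcp", SERVER, CLIENT, 50000, 40003),   # seen by SB-RTR01
]


def report():
    """Packets classified as FTP per router and access-list."""
    return {
        "rtr00_as_posted": classified(ACL_SB_RTR00, OUTBOUND_SB_RTR00),
        "rtr01_as_posted": classified(ACL_SB_RTR01, OUTBOUND_SB_RTR01),
        "rtr01_fixed": classified(ACL_SB_RTR01_FIXED, OUTBOUND_SB_RTR01),
        "passive_rtr00": classified(ACL_SB_RTR00, PASSIVE_DATA[:1]),
        "passive_rtr01_fixed": classified(ACL_SB_RTR01_FIXED, PASSIVE_DATA[1:]),
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name}: {hits} packet(s) classified as FTP")
```

Running it shows 2 hits on SB-RTR00 as posted, 0 on SB-RTR01 as posted, 2 on SB-RTR01 with the source-port form, and 0 for the passive data connection with any of the entries; that last result is why a passive-mode server needs its data-port range added to the access-list (or the class restricted to the control channel) before the QoS counters will reflect it.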