Application description:
An IPSec VPN is established between the branch (AR1830) and the headquarters (R3640). In actual environments, the AR18xx accesses the Internet by PPPoE client dialing, and its Dialer port dynamically obtains its IP address from the PPPoE server.
This means that the IPSec VPN between the PPPoE client (the branch) and the headquarters (which has a fixed public IP address) can only be set up through IKE auto-negotiation. At the same time, to use network resources effectively and reasonably, QoS is enabled on the upstream port to guarantee bandwidth for important data carried over the IPSec VPN.
Purpose: Enable QoS on the IPSec VPN of the AR1830. The data stream sent from PC1 is defined as Gold (priority 5), and at least 50% of the ADSL bandwidth must be guaranteed for it. The data stream sent from PC2 is defined as Multimedia (priority 3), and at least 20% of the ADSL bandwidth must be guaranteed for it. Network management traffic (priority 7) must be guaranteed 10% of the bandwidth. When the network is not busy, each data stream can exceed the bandwidth defined for it.
Implementation: The first step is to identify the Gold and Multimedia streams on the Ethernet ingress port and set their IP precedence. For network management traffic, configure a classifier to match packets whose source address is the Lo0 port address, configure CAR on the upstream port (the ADSL port) to set the IP precedence, and configure an EF queue to ensure priority forwarding. For the Multimedia and Gold streams whose IP precedence was marked at the Ethernet ingress, configure AF queues on the uplink port to guarantee bandwidth. Note that on the outbound interface the bandwidth can be configured either entirely as percentages or entirely as absolute values; you cannot mix the two, for example 25%/25%/16 K as required by the customer. Therefore, you need to know the uplink bandwidth in advance, calculate the values yourself, and check whether the bandwidth is configured as percentages or as absolute values.
In addition, the QoS bandwidth of the ADSL interface is 640bps according to international standards.
Networking diagram:
Notes
1. QoS CBQ can only be applied to the PVC of the ATM interface and cannot be used directly on the ATM interface or the Dialer port.
Detailed Configuration
Note: During the test, the Headquarters router R3640 is directly connected to AR4640 through the Ethernet port E2/0.
AR1830 (Branch) Configuration:
dis cur
#
sysname Router
#
ike local-name fenbu
#
dialer-rule 1 ip permit
#
ike peer zongbu
 exchange-mode aggressive
 pre-shared-key fenbu
 id-type name
 remote-name zongbu
 remote-address 162.105.66.36
 nat traversal
#
ipsec proposal fenbu
#
ipsec policy map1 1 isakmp
 security acl 3000
 ike-peer zongbu
 proposal fenbu
#
interface Dialer1
 link-protocol ppp
 mtu 1450
 ip address ppp-negotiate
 dialer user test
 dialer-group 1
 dialer bundle 1
 ipsec policy map1
#
interface Ethernet1/0
 ip address 202.150.1.31 255.255.255.0
#
interface Atm2/0
#
interface Atm2/0.1 p2p
 pvc 4/33
 map bridge Virtual-Ethernet1
#
interface Virtual-Ethernet1
 pppoe-client dial-bundle-number 1
#
interface NULL0
#
acl number 3000
 rule 0 permit ip source 202.150.0.0 0.0.255.255 destination 202.150.0.0 0.0.255.255
 rule 1 deny ip
acl number 3001
 rule 0 deny ip destination 202.150.0.0 0.0.255.255
 rule 1 permit ip
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1 preference 60
#
user-interface con 0
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return

R3640 (Headquarters) Configuration:
dis cur
#
sysname Router
#
ike local-name zongbu
#
ike peer fenbu
 exchange-mode aggressive
 pre-shared-key fenbu
 id-type name
 remote-name fenbu
 remote-address 1.0.0.0 255.255.255.254
 nat traversal
#
ipsec proposal zongbu
#
ipsec policy map1 1 isakmp
 security acl 3000
 ike-peer fenbu
 proposal zongbu
#
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0
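A review check a defender might run over the branch configuration above before reusing it, written as an added Python example that is not part of the original page or any vendor tooling. It flags the aggressive-mode pre-shared key, a key that equals an IKE identity name, an `ipsec proposal` with no explicit algorithms, and VTY lines without authentication; the finding labels and the trimmed `BRANCH_CFG` sample are assumptions of this example.

```python
# Added example. BRANCH_CFG repeats lines from the AR1830 configuration above;
# the finding labels are names chosen for this example, not device output.
BRANCH_CFG = """\
#
ike local-name fenbu
#
ike peer zongbu
 exchange-mode aggressive
 pre-shared-key fenbu
 remote-name zongbu
#
ipsec proposal fenbu
#
user-interface con 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
"""

def parse_sections(text):
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            current = None  # '#' closes the open section
        elif current is None or not line.startswith(" "):
            current = line.strip()  # a new header line
            sections[current] = []
        else:
            sections[current].append(line.strip())
    return sections

def audit(text):
    secs, findings = parse_sections(text), []
    ids = {h.split()[-1] for h in secs if h.startswith("ike local-name")}
    for head, body in secs.items():
        if head.startswith("ike peer"):
            kv = dict(b.rsplit(" ", 1) for b in body if " " in b)
            psk = kv.get("pre-shared-key")
            # Aggressive mode sends the identities and a PSK-derived hash
            # unencrypted, so the key must withstand offline guessing.
            if kv.get("exchange-mode") == "aggressive" and psk:
                findings.append((head, "aggressive-mode-psk"))
            if psk and psk in ids | {head.split()[-1], kv.get("remote-name")}:
                findings.append((head, "psk-equals-identity"))
        elif head.startswith("ipsec proposal") and not body:
            findings.append((head, "proposal-relies-on-defaults"))
        elif head.startswith("user-interface vty") and "authentication-mode none" in body:
            findings.append((head, "vty-no-authentication"))
    return findings
```

An empty `ipsec proposal` section means the transforms are whatever the device defaults to, so confirm them against the device documentation before relying on the tunnel.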