# Phase 1 Parameter
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

# Phase 2 Parameter
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 28800

# PreSharedKey for all dynamic VPN partners
crypto isakmp key MYSECRETPASSWORD address 0.0.0.0 no-xauth
crypto dynamic-map DynamicNetworks 10
 description VPN from dynamic IPs
 set transform-set ESP-AES-SHA
 set pfs group2
 match address homeoffice1

ip access-list extended homeoffice1
 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255

crypto map CompanyMap 210 ipsec-isakmp dynamic DynamicNetworks

interface GigabitEthernet0/1
 description WAN Interface
 crypto map CompanyMap

the Cisco router is now able to react on dynamic VPN peers. Keep in mind to “no-nat” VPN traffic, otherwhise you can’t reach the remote network.

After this I logged on into the ubiquiti interface and saw a very simple GUI :) so I connected to the shell via SSH and found some commands for configuring hidden VPN parameters. After some tries, here’s my final config:

configure

set vpn ipsec auto-firewall-nat-exclude enable

# Phase 1 Parameters
set vpn ipsec ike-group MyCompany lifetime 86400
set vpn ipsec ike-group MyCompany proposal 1 dh-group 2
set vpn ipsec ike-group MyCompany proposal 1 encryption aes128
set vpn ipsec ike-group MyCompany proposal 1 hash sha1

# Phase 2 Parameters
set vpn ipsec esp-group MyCompany lifetime 28800
set vpn ipsec esp-group MyCompany pfs dh-group2
set vpn ipsec esp-group MyCompany proposal 1 encryption aes128
set vpn ipsec esp-group MyCompany proposal 1 hash sha1

# PreSharedKey (11.22.33.44 is an example for the fixed VPN gateway IP address)
set vpn ipsec site-to-site peer 11.22.33.44 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 11.22.33.44 authentication pre-shared-secret MYSECRETPASSWORD
set vpn ipsec site-to-site peer 11.22.33.44 description MyCompany

set vpn ipsec site-to-site peer 11.22.33.44 local-address any
set vpn ipsec site-to-site peer 11.22.33.44 ike-group MyCompany

# Tunnel Definitions
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 esp-group MyCompany
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 remote prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 esp-group MyCompany
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 remote prefix 192.168.20.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 remote prefix 192.168.40.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 esp-group MyCompany

commit

You can also connect an ubiquiti router to a Sophos UTM or other VPN gateway. Maybe this tutorial is usefull for someone :) have fun!

The post Site2Site VPN with ubiquiti and Cisco router appeared first on Network Guy.

http://www.citrix.com/go/lp/dne.html

If you have install problems. Follow the installation guide for the registry changes. Add a DWORD32 into HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network with the name “MaxNumFilters” and value 14 and restart your machine. When you have problems with error reason 422, follow this instruction.

/edit

I got adapter error messages while connecting. I installed and started ftp://files.citrix.com/winfix.exe (it tolded me that Cisco VPN client is using the DNE function. I cleaned it up anyway, did a restart, installed DNE again (ftp://files.citrix.com/dneupdate.msi 32-Bit / ftp://files.citrix.com/dneupdate64.msi 64-Bit). After a new restart I could connect via Cisco VPN)

The post Cisco VPN Error 27850 on Windows 10 appeared first on Network Guy.

interface Vlan2
description Main Provider Line
ip address 105.1.2.2 255.255.255.252
no ip unreachables
ip nat outside
crypto map CompanyMap

interface Vlan3
description Backup Provider Line
ip address 222.1.2.2 255.255.255.252
no ip unreachables
ip nat outside
crypto map CompanyMap

We will configure a fixed route to the Google DNS Server 8.8.8.8 (you can choose another public server for reachability if you want) to ping this server always over the main line:

ip route 8.8.8.8 255.255.255.255 105.1.2.1

now it’s time to configure the tracking of the Google server:

ip sla 10
icmp-echo 8.8.8.8 source-ip 105.1.2.2
timeout 1000
threshold 2
frequency 3

ip sla schedule 10 life forver start-time now

now the Cisco router is pinging the device. I always ping a server in the internet, because the provider router can be reachable but the internet line not. It’s also better for use with Dialer-Interfaces. In this case you will use “source-interface DialerX” instead of “source-ip”. To see if the script is working, you can view the statistics for this:

Router#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
Latest RTT: 56 milliseconds
Latest operation start time: *10:16:15.581 UTC Tue Mar 17 2015
Latest operation return code: Over threshold
Number of successes: 67
Number of failures: 0
Operation time to live: Forever

We will track the reachability of this ping script. On new Cisco router models (Cisco 886 for example) you will use:

track 10 ip sla 10 reachability

older devices like Cisco 876:

track 10 rtr 10 reachability

To use both lines active-standby you will need to configure two default-routes to the internet. One with the tracking of the main line and one fixed route with a higher administrative distance:

ip route 0.0.0.0 0.0.0.0 105.1.2.1 track 10
ip route 0.0.0.0 0.0.0.0 222.1.2.1 200

So if the tracking is not working (ping to 8.8.8.8 over main line) the second default-route will be used. To configure a redundant NAT, we will use route-maps for this:

ip access-list extended NAT-ACL
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.99.0 0.0.0.255 any

route-map WAN-LINE-1 permit 10
match ip address NAT-ACL
match interface Vlan2

route-map WAN-LINE-2 permit 20
match ip address NAT-ACL
match interface Vlan3

ip nat inside source route-map WAN-LINE-1 interface Vlan2 overload
ip nat inside source route-map WAN-LINE-2 interface Vlan3 overload

to make a real fallback test I would recommend to pull out the main line and try to access the internet or your VPN location. In case you are using IPsec VPN, keep in mind to configure both peers and presharedkey for the second WAN line in your headquarter. VPN is only loosing one ping packet, internet access (surfing websites) is direct available, in some cases the NAT needs to change to the second line but this only tooks about 5-10 seconds in my case. If you have any further questions feel free to ask in the comments.

I wish you a nice sunny day :)

The post Redundant Internet access with Cisco routers appeared first on Network Guy.

choose “Create Domain Certificate”

create the new certificate with the suitable name.

choose your RootCA and a friendly name for your certificate

Now we will export the certificate to a pfx file containing the public certificate from your RootCA and the public and private certificate for your website / SSL VPN Gateway. We need to open the local computer certificate management console. Go to Start -> Run, type “mmc” and press Enter. Click on File -> Add/Remove Snap-In and choose “Certificates”. Choose “Computer account”, click Next, Finish and OK. Go to Personal -> Certificates and export your new certificate:

export the private key

choose “include all certificates…” because we need the public certificate from your RootCA

choose a password for export. In my case I used MyPasswordABC123. Save the file as sslvpncert.pfx on your desktop.

Copy the .pfx file to your Cisco router via TFTP. I always use TFTPD32 for this.

copy tftp flash

crypto pki import vpn.1337company.com pkcs12 sslvpncert.pfx password MyPasswordABC123

Reading file from usbflash0:sslvpncert.pfx
% You already have RSA keys named vpn.1337company.com.
% If you replace them, all router certs issued using these keys
% will be removed.
% Do you really want to replace them? [yes/no]: yes
CRYPTO_PKI: Imported PKCS12 file successfully.

now change to the new certificate:

webvpn gateway CompanySSLgateway
ip address 8.7.6.5 port 443
ssl trustpoint vpn.1337company.com

go to https://yourserveraddress to see if the certificate is bounded to the webserver. If you have any problems or suggestions, please write it in the comments below.

The post Import Domain certificate from RootCA to your Cisco router appeared first on Network Guy.

*Aug 15 09:13:06.899: ISAKMP:(6035):Total payload length: 12
*Aug 15 09:13:06.899: ISAKMP:(6035): sending packet to 80.70.60.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 15 09:13:06.899: ISAKMP:(6035):Sending an IKE IPv4 Packet.
*Aug 15 09:13:06.899: ISAKMP:(6035):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 15 09:13:06.899: ISAKMP:(6035):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Aug 15 09:13:06.903: ISAKMP:(6035):Need config/address
*Aug 15 09:13:06.903: ISAKMP: set new node 1642552031 to CONF_ADDR
*Aug 15 09:13:06.903: ISAKMP:(6035):No IP address pool defined for ISAKMP!
*Aug 15 09:13:06.903: ISAKMP:(6035):peer does not do paranoid keepalives.
*Aug 15 09:13:06.903: ISAKMP:(6035):deleting SA reason “Fail to allocate ip address” state (R) CONF_ADDR     (peer 80.70.60.50)

*Aug 15 09:13:06.903: ISAKMP:(6035):deleting node 1642552031 error FALSE reason “No Error”
*Aug 15 09:13:06.903: ISAKMP:(6035):peer does not do paranoid keepalives.

*Aug 15 09:13:06.903: ISAKMP (6035): FSM action returned error: 2
*Aug 15 09:13:06.903: ISAKMP:(6035):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Aug 15 09:13:06.903: ISAKMP:(6035):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_SET_SENT

Fail to allocate ip address? Within a site2site VPN? The problem was the command “crypto map XXXXX client configuration address initiate“. There was already a configured EasyVPN for clients. Normally I configure “crypto map XXXXX client configuration address respond” for giving the vpn-pool and other parameters to the connected clients. After I deleted the initiate command, the phase 2 was working great and the tunnel was established!

The post Cisco Site2Site VPN problem with “Fail to allocate ip address” appeared first on Network Guy.

Line: ADSL2+ over POTS
Type: Annex A
Speed: 20.000/1.024
VPI: 0
VCI: 35
Login via: PPPoA
Operating-Mode: vmux
PPPoE-Login and -Password: anything

We have chosen the model 887VA Router:

Router#show inventory
NAME: “887VA”, DESCR: “887VA chassis, Hw Serial#: xxx, Hw Revision: 1.0”
PID: CISCO887VA-SEC-K9 , VID: V02, SN: xxx

first I configured a normal dialer interface for login

interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname blabla
ppp chap password blabla
ppp pap sent-username blabla password blabla

after this we need the correct atm-config for this. Based on the information given by the provider, I tried this:

interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
no shutdown

the customer connected the delivered device directly to the adsl line and it worked from start :) didn’t thought that this would work like a charm!

The post Configuring internal DSL for Annex A line (like in Netherland) appeared first on Network Guy.

“Router on the edge” is different to “Router on a stick”. The cable-connects are the same but here we will route internal networks with a fast layer 3 switch.

In my example I will configure a Cisco router and a Dell switch as our core-routing-switch. I will also add code for a HP ProCurve switch. First we will plan our current network with three vlans:

VLAN 5 (Door to the Internet)
VLAN 10 (Servers)
VLAN 20 (Clients)
VLAN 30 (Guests)

I don’t use default VLAN 1 because in case of a forgotten non-tagged port, the device connected to it, will be in this VLAN. Now we will configure the Dell switch with several VLANs. I choose three /24 Class C networks and a /30 network between the core switch and the Cisco router (192.168.5.1):

vlan database
vlan 5,10,20,30

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.5.1

interface vlan 5
name “Door-to-Internet”
routing
ip address 192.168.5.2 255.255.255.252
no ip proxy-arp

interface vlan 10
name “Server”
routing
ip address 192.168.10.1 255.255.255.0
no ip proxy-arp

interface vlan 20
name “Clients”
routing
ip address 192.168.20.1 255.255.255.0
no ip proxy-arp

interface vlan 30
name “Guests”
routing
ip address 192.168.30.1 255.255.255.0
no ip proxy-arp

interface ethernet 1/g1
description “Here is the Cisco router connected”

interface range ethernet 1/g2-1/g10
description “Here are servers connected”
switchport access vlan 10

interface range ethernet 1/g2-11/g20
description “Here are clients connected”
switchport access vlan 20

interface range ethernet 1/g21-1/g24
description “This is for guests”
switchport access vlan 30

Routing is now enabled between your networks. You can also configure access-lists for your vlan interfaces. The following allows the dhcp relay option (ip-helper address pointed to your central DHCP server), blocks connection into other private networks connected to the core switch but let all internet traffic through the interface. We will use this for our guests vlan:

access-list guests_in permit udp any any eq 67
access-list guests_in permit udp any any eq 68
access-list guests_in permit icmp 192.168.30.0 0.0.0.255 192.168.30.1 0.0.0.0
access-list guests_in deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list guests_in deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list guests_in deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list guests_in permit ip 192.168.30.0 0.0.0.255 any

interface vlan 30
ip access-group guests_in in 1

To bring the devices online, we will configure our router like this:

interface GigabitEthernet0/0
description Connect to core switch
ip address 192.168.5.1 255.255.255.252
ip nat inside
ip inspect lan in
ip virtual-reassembly
ip tcp adjust-mss 1452

interface GigabitEthernet0/1
description Connect to service provider
ip address 80.60.50.40 255.255.255.0
ip nat outside

ip access-list extended NAT-ACL
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip 192.168.0.0 0.0.255.255 any

ip nat inside source list NAT-ACL interface GigabitEthernet0/1 overload

ip route 192.168.10.0 255.255.255.0 192.168.5.2
ip route 192.168.20.0 255.255.255.0 192.168.5.2
ip route 192.168.30.0 255.255.255.0 192.168.5.2
ip route 0.0.0.0 0.0.0.0 80.60.50.1

This also works with a Dialer interface as the default gateway. Keep in mind that you need to configure backward routes to the internal networks via the directly connected core switch and always configure access-lists nearest to the source (so every access-list will be configured and bound in the core switch). The nat overload rule is natting all packets beginning with “192.168.”.

For users with HP ProCurve Switches you can take this config:

ip routing

vlan 5
name “Door-to-Internet”
untagged 1
ip address 192.168.5.2 255.255.255.252

vlan 10
name “Server”
untagged 2-10
ip address 192.168.10.1 255.255.255.0

interface vlan 20
name “Clients”
untagged 11-20
ip address 192.168.20.1 255.255.255.0

interface vlan 30
name “Guests”
untagged 21-24
ip address 192.168.30.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip default-gateway 192.168.5.1

in case that you are use the routing feature on a HP ProCurve switch, the “ip default-gateway” needs to be extended with “ip route 0.0….” because this is the gateway for all packets routed by the vlan interfaces.

Feel free to ask and comment this article. I think I will also explain “router on the edge” with a Sophos UTM appliance for beeing the way to the internet :) happy weekend!

The post Router on the edge appeared first on Network Guy.

I want to describe several VPN configurations on a Cisco router, ASA firewall and Sophos UTM. I will start with Cisco IOS on a Cisco router. In this example you will learn to configure a site2site VPN tunnel with a coincident client VPN access.

First we will configure the basic IPsec VPN settings. Start with Phase 1:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

There are other commands you can use for this like hash or lifetime. Not seeing this in your config means, that the default value is configured. For example: lifetime is by default 86400 seconds (1 day). After this we will configure the site2site parameters like remote IP address, pre shared key and Phase 2 values. In our example we (subnet 192.168.10.0 /24) want to connect to 44.55.66.77 to our Brasilia branch office (subnet 172.16.8.0 /24).

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto isakmp key MyLittlePr3Sh@r3dK3y address 44.55.66.77 no-xauth

crypto map MyCompanyMap 10 ipsec-isakmp
set peer 44.55.66.77
set security-association lifetime seconds 28800
set transform-set ESP-AES-SHA
match address vpn-brasilia

ip access-list extended vpn-brasilia
permit ip 192.168.10.0 0.0.0.255  172.16.8.0 0.0.0.255

interface Dialer1
description My WAN Link (can also be a Ethernet-Interface)
ip access-group wan_in in
crypto map MyCompanyMap

ip access-list extended wan_in
remark Protocols for VPN
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp

ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended tonat
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list tonat interface Dialer1 overload

be sure to allow the protocols from outside to inside. I always choose AES and SHA because its more secure and much more faster than 3DES (three times DES). I also got problems with MD5 between Cisco and Juniper. On Brasilia Router you need to configure the same only with the opposite values such remote peer address and the access-list for vpn-interested traffic like our “vpn-brasilia”. Keep in mind to not (!) nat into this networks!

To add Cisco Client VPN (EasyVPN) to this config you need to add this:

We will use local authentication but you can also use a RADIUS server for this.

aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local

username drdoom password !nh3LL

!define the IP address pool for the connected VPN clients:
ip local pool vpn-pool 192.168.255.1 192.168.255.254

!define the network where your vpn clients can connect to; this will also be the route(s) for your client
ip access-list extended vpn-clients
permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255

!configure a new VPN group; you can configure more than one
crypto isakmp client configuration group myVPNclients
key The3ndIsN3@r
dns 192.168.10.6
domain mycompany.local
pool vpn-pool
acl vpn-clients
netmask 255.255.255.0
!this will enable saving the clients password to the cisco vpn client; its very insecure because the password is stored (encrypted) locally at C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles
save-password

crypto dynamic-map DynamicPeers 10
set transform-set ESP-AES-SHA

crypto map MyCompanyMap client authentication list userauth
crypto map MyCompanyMap isakmp authorization list groupauth
crypto map MyCompanyMap client configuration address respond
crypto map MyCompanyMap 200 ipsec-isakmp dynamic DynamicPeers
! the dynamic crypto map needs to have the highest order number at the crypto map MyCompanyMap because your VPN clients are always coming from a dynamic WAN address and in other case the fix site2site VPN tunnels are not working.

 

Now you can download the Cisco VPN client at www.cisco.com with a CCO account and can configure a new entry:

Feel free to comment and ask to this post, I can explaine in more detail and can extend this tutorial.

The post Site2Site VPN Tunnel with ClientVPN @ Cisco IOS appeared first on Network Guy.

We will configure a task which pings every three seconds to a self-defined target (for example the central-office router):

ip sla 10
icmp-echo 99.22.11.44
timeout 1000
threshold 2
frequency 3

ip sla schedule 10 life forever start-time now

Now we will define that the target needs to be reachable

track 10 rtr 1 reachability

/edi: On Version 15.x use this:

track 10 ip sla 10 reachability

the primary WAN uplink / default-route will only be used when the target is reachable and will only use our secondary WAN link (in this example a dialer-interface) in case the icmp echo is not working. So we also add a default-route out to the dialer-interface with a higher distance metric administrative distance:

ip route 0.0.0.0 0.0.0.0 88.77.66.55 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 200

to be on the safe side we will also NAT overload for both interfaces:

ip access-list extended tonat_wan1
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 192.168.23.0 0.0.0.255 any

ip access-list extended tonat_wan2
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 192.168.23.0 0.0.0.255 any

ip nat inside source list tonat_primary_wan interface FastEthernet0 overload

ip nat inside source list tonat_secondary_wan interface Dialer1 overload

you can also bind your VPN crypto map to both WAN uplinks so you will also have a VPN fallback. Keep in mind to configure “ip tcp adjust-mss 1452” at your internal LAN interface, otherwise you can’t surf on webservers in the internet.

The post Configuring a fallback for default-route on a Cisco router appeared first on Network Guy.

class-map match-any MyCompleteTraffic
match any

this will be our access-list and class-map which defines our “interesting” priority-packets:

ip access-list extended QoS_Packets
permit tcp any any eq 5904
permit tcp any eq 5904 any

class-map match-any MyPriorityPackets
match access-group name QoS_Packets

A very important thing is to configure the bandwidth in the WAN interface which is going to the world wide web. Even if you have a FastEthernet interface connected to the ISP router with a speed (for example) a 5 MBit sync line because the default bandwidth on a FastEthernet interface is 100MBit! Our WAN interface is a Dialer for a standard ADSL line:

interface Dialer1
description ADSL line with 6/0,7 MBit Up/Down
bandwidth 6000
bandwidth receive 700

Now we will configure policy-maps where we bind the pre-defined class-maps:

policy-map SIP_Priority
class MyPriorityPackets
priority percent 20 // here we will define the granted bandwidth for our SIP traffic in Kbits or in percent
class class-default
fair-queue
random-detect

policy-map OutgoingTraffic
class MyCompleteTraffic
shape average percent 95 // take the nearly complete upload bandwidth which is available in bits or also configure a percentage number
service-policy SIP_Priority

We need to configure QoS pre-classify on the specific crypto-map and bind the service-policy for all outgoing traffic to the ip nat outside interface:

Router(config-crypto-map)#qos ?
pre-classify  Enable QOS classification before packets are tunnel encapsulated

crypto map CompanyMap 10 ipsec-isakmp
description Tunnel to central office
set peer x.x.x.x
set transform-set ESP-AES-SHA
match address vpn_traffic
qos pre-classify

interface Dialer1
crypto map CompanyMap
service-policy output OutgoingTraffic

To define the reservated upload for your VoIP traffic can be calculated. I found a cool website calculator @ http://www.asteriskguru.com/tools/bandwidth_calculator.php. In my case I had only one IP phone at the branch office so 32 kbit would be the recommondation for the SIP traffic.

To check the QoS configuration you can look to the priorized packets with “show policy-map interface Dialer1”:

 Dialer1

Service-policy output: OutgoingTraffic

Class-map: MyCompleteTraffic (match-any)
17999 packets, 1960216 bytes
5 minute offered rate 3000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 5700000, bc 57000, be 57000
target shape rate 5700000

Service-policy : SIP_Priority

queue stats for all priority classes:

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: MyPriorityPackets (match-any)
6713 packets, 490018 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QoS_Packets
6713 packets, 490018 bytes
5 minute rate 0 bps
Priority: 20% (600 kbps), burst bytes 15000, b/w exceed drops: 0

Class-map: class-default (match-any)
11286 packets, 1470198 bytes
5 minute offered rate 3000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 0/0
Fair-queue: per-flow queue limit 16
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class     Transmitted       Random drop      Tail/Flow drop Minimum Maximum Mark
pkts/bytes    pkts/bytes       pkts/bytes    thresh  thresh  prob

0               0/0               0/0              0/0                 20            40  1/10
1               0/0               0/0              0/0                 22            40  1/10
2               0/0               0/0              0/0                 24            40  1/10
3               0/0               0/0              0/0                 26            40  1/10
4               0/0               0/0              0/0                 28            40  1/10
5               0/0               0/0              0/0                 30            40  1/10
6               0/0               0/0              0/0                 32            40  1/10
7               0/0               0/0              0/0                 34            40  1/10

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

If you have any other wishes for QoS instructions, please just let me know! Have a nice weekend!

The post Quality of Service within a VPN tunnel over Dialer-Interface appeared first on Network Guy.