QoS on VPN

XSR(config)#policy-map Ser

XSR(config-pmap-Ser>)#class RTP1

XSR(config-pmap-c<RTP1>)#priority high 100

XSR(config-pmap-c<RTP1>)#exit

XSR(config-pmap-Ser>)#class FTP1

XSR(config-pmap-c<FTP1>)#bandwidth percent 20

XSR(config-pmap-c<FTP1>)#exit

XSR(config-pmap-Ser>)#class class-default

XSR(config-pmap-c<class-default>)#set ip dscp 8

Configure ACLs:

XSR(config)#access-list 100 permit ip 101.0.0.0 0.0.0.255 102.0.0.0 0.0.0.255

XSR(config)#access-list 110 permit udp any 102.0.0.0 0.0.0.255 eq 3020

XSR(config)#access-list 115 permit tcp any 102.0.0.0 0.0.0.255 range 20 21

Configure the IKE policy foo for pre-share keys:

XSR(config)#crypto isakmp proposal foo

XSR(config-isakmp)#authentication pre-share

XSR(config-isakmp)#hash md5

XSR(config-isakmp)#exit

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0

XSR(config-isakmp-peer)#proposal foo

Configure the IPSec SA:

XSR(config)#crypto ipsec transform-set test esp-3des esp-md5-hmac

XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes

XSR(cfg-crypto-tran)#no set security-association lifetime seconds

XSR(cfg-crypto-tran)#exit

XSR(config)#crypto map test 10

XSR(config-crypto-m)#set transform-set test

XSR(config-crypto-m)#match address 100

XSR(config-crypto-m)#set peer 10.10.10.2

Configure GigabitEthernet interface 2 and Serial sub-interface 1/0:0:

XSR(config)#interface GigabitEthernet 2

XSR(config-if<G1>)#ip address 101.0.0.101 255.255.255.0

XSR(config-if<G1>)#no shutdown

XSR(config-if<G1>)#exit

XSR(config)#interface serial 1/0

XSR(config<S1/1>)#exit

XSR(config)#interface serial 1/0:0

XSR(config-if<S1/0:0>)#crypto map test

XSR(config-if<S1/0:0>)#encapsulation ppp

XSR(config-if<S1/0:0>)#ip address 10.10.10.1 255.255.255.0

XSR(config-if<S1/0:0>)#service-policy output Ser

XSR(config-if<S1/0:0>)#no shutdown
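
An added example, not part of the XSR guide: a Python check that strips the prompts from a listing like the one above and flags the IKE and IPSec settings that depend on MD5 or 3DES, plus a wildcard peer entry combined with pre-shared keys. The function names, finding IDs and sample text are assumptions made for this example.

```python
import re

# Matches an XSR-style prompt such as "XSR(config-isakmp)#"; splitting on it
# also separates commands that were run together on one line.
PROMPT = re.compile(r"[\w-]+\([^)\s]*\)#")

# Transform names used on this page that rely on deprecated primitives.
WEAK_TRANSFORMS = {"esp-3des": "3DES encryption (64-bit block cipher)",
                   "esp-md5-hmac": "HMAC-MD5 integrity"}

# Constructed sample: the IKE and IPSec commands from the listing above.
SAMPLE = """\
XSR(config)#crypto isakmp proposal foo
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#exit
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal foo
XSR(config)#crypto ipsec transform-set test esp-3des esp-md5-hmac XSR(cfg-crypto-tran)#exit
"""

def commands(text):
    """Return the bare commands with prompts stripped, in order."""
    return [c.strip() for c in PROMPT.split(text) if c.strip()]

def audit(text):
    """Return (finding_id, detail) pairs for weak IKE/IPSec settings."""
    findings, psk, wildcard = [], False, False
    for cmd in commands(text):
        w = cmd.split()
        if w[:2] == ["hash", "md5"]:
            findings.append(("ike-md5", "IKE proposal hashes with MD5"))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            # w[3] is the transform-set name; the rest are transforms.
            findings += [(t, WEAK_TRANSFORMS[t]) for t in w[4:]
                         if t in WEAK_TRANSFORMS]
        elif w[:2] == ["authentication", "pre-share"]:
            psk = True
        elif w[:5] == ["crypto", "isakmp", "peer", "0.0.0.0", "0.0.0.0"]:
            wildcard = True
    if psk and wildcard:
        findings.append(("psk-wildcard-peer",
                         "peer entry matches any address with pre-shared keys"))
    return findings

if __name__ == "__main__":
    for fid, detail in audit(SAMPLE):
        print(f"{fid}: {detail}")
```
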

Configure output VPN interface 1 for ToS byte copying, GRE, and other values:

XSR User’s Guide 12-21
