Enterasys Networks Security Router X-Pedition™ User Manual

QoS on VPN

XSR User’s Guide 12-21

XSR(config)#policy-map Ser
XSR(config-pmap<Ser>)#class RTP1
XSR(config-pmap-c<RTP1>)#priority high 100
XSR(config-pmap-c<RTP1>)#exit
XSR(config-pmap<Ser>)#class FTP1
XSR(config-pmap-c<FTP1>)#bandwidth percent 20
XSR(config-pmap-c<FTP1>)#exit
XSR(config-pmap<Ser>)#class class-default
XSR(config-pmap-c<class-default>)#set ip dscp 8

Configure ACLs:

XSR(config)#access-list 100 permit ip 101.0.0.0 0.0.0.255 102.0.0.0 0.0.0.255
XSR(config)#access-list 110 permit udp any 102.0.0.0 0.0.0.255 eq 3020
XSR(config)#access-list 115 permit tcp any 102.0.0.0 0.0.0.255 range 20 21

Configure the IKE policy foo for pre-shared keys:

XSR(config)#crypto isakmp proposal foo
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#exit

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal foo

Configure the IPSec SA:

XSR(config)#crypto ipsec transform-set test esp-3des esp-md5-hmac
XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes
XSR(cfg-crypto-tran)#no set security-association lifetime seconds
XSR(cfg-crypto-tran)#exit

XSR(config)#crypto map test 10
XSR(config-crypto-m)#set transform-set test
XSR(config-crypto-m)#match address 100
XSR(config-crypto-m)#set peer 10.10.10.2

Configure GigabitEthernet interface 2 and Serial sub-interface 1/0:0:

XSR(config)#interface GigabitEthernet 2
XSR(config-if<G2>)#ip address 101.0.0.101 255.255.255.0
XSR(config-if<G2>)#no shutdown
XSR(config-if<G2>)#exit

XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#exit
XSR(config)#interface serial 1/0:0
XSR(config-if<S1/0:0>)#crypto map test
XSR(config-if<S1/0:0>)#encapsulation ppp
XSR(config-if<S1/0:0>)#ip address 10.10.10.1 255.255.255.0
XSR(config-if<S1/0:0>)#service-policy output Ser
XSR(config-if<S1/0:0>)#no shutdown
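
The IKE and IPSec settings above (MD5 hash, 3DES with an MD5 HMAC, a pre-shared-key proposal bound to the wildcard peer 0.0.0.0 0.0.0.0, and negated SA lifetimes) are the ones a configuration review would flag. The following is an added example, not part of the XSR User's Guide: a small Python audit that walks XSR-style CLI lines and reports those settings. The rule names and the audit() function are hypothetical labels chosen for this example.

```python
import re

PROMPT = re.compile(r"^XSR\([^)]*\)#")  # CLI prompt as printed in this guide

# Sample input: IKE/IPSec lines taken from the configuration on this page.
SAMPLE = """\
XSR(config)#crypto isakmp proposal foo
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#exit
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#proposal foo
XSR(config)#crypto ipsec transform-set test esp-3des esp-md5-hmac
XSR(cfg-crypto-tran)#no set security-association lifetime kilobytes
XSR(cfg-crypto-tran)#exit
"""

def audit(text):
    """Return sorted (rule_id, detail) findings; rule ids are labels made up for this example."""
    proposals, peers, findings, ctx = {}, [], set(), None
    for raw in text.splitlines():
        w = PROMPT.sub("", raw.strip()).split()
        if not w:
            continue
        if w[:3] == ["crypto", "isakmp", "proposal"] and len(w) == 4:
            ctx = ("proposal", w[3])
            proposals[w[3]] = {}
        elif w[:3] == ["crypto", "isakmp", "peer"] and len(w) == 5:
            ctx = ("peer", w[3], w[4])
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            ctx = ("tset", w[3])
            findings.update(("WEAK-ESP", f"transform-set {w[3]}: {t}")
                            for t in w[4:] if t in ("esp-3des", "esp-md5-hmac"))
        elif w[0] in ("exit", "crypto", "interface", "access-list", "policy-map"):
            ctx = None  # left the sub-mode we were tracking
        elif ctx and ctx[0] == "proposal" and w[0] in ("authentication", "hash") and len(w) == 2:
            proposals[ctx[1]][w[0]] = w[1]
        elif ctx and ctx[0] == "peer" and w[0] == "proposal" and len(w) == 2:
            peers.append((ctx[1], ctx[2], w[1]))
        elif ctx and ctx[0] == "tset" and w[:4] == ["no", "set", "security-association", "lifetime"]:
            # What the "no" form leaves in effect must be checked in the command reference.
            findings.add(("SA-LIFETIME", f"transform-set {ctx[1]}: {' '.join(w[4:])} lifetime negated"))
    for name, p in proposals.items():
        if p.get("hash") == "md5":
            findings.add(("IKE-MD5", f"proposal {name}: hash md5"))
    for addr, mask, prop in peers:
        if (addr, mask) == ("0.0.0.0", "0.0.0.0") and proposals.get(prop, {}).get("authentication") == "pre-share":
            findings.add(("PSK-WILDCARD-PEER", f"peer {addr} {mask} accepts proposal {prop} (pre-share)"))
    return sorted(findings)
```

Calling audit(SAMPLE) returns five findings, one per flagged setting; the wildcard-peer rule fires only when the referenced proposal authenticates with pre-share.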

Configure output VPN interface 1 for ToS byte copying, GRE, and other values:
