qos preclassify command question

Unanswered Question
Jun 15th, 2007

If doing QOS on a tunnel which is using IPSec, do you put the pre-classify command on the tunnel interface or in the policy map?

Here's the config I've been given, and I notice that they've put it in 2 places.


Lisa G

crypto map CRX0 10 ipsec-isakmp
 description To ATL-CRX-7206A router
 set peer
 set transform-set TSI
 match address CUSTNAME-ATLCRX
 qos pre-classify

interface Tunnel1
 description GRE Tunnel to Atlanta
 ip address TUNNEL1_IPADDR_toATL
 ip mtu 1440
 qos pre-classify

Manoj Wadhwa Fri, 06/15/2007 - 14:21

The config is pretty correct. Generally, when using IPSec, qos pre-classify needs to be enabled under the crypto map. When using a GRE tunnel, it needs to be enabled on the tunnel interface. Since you are using both IPSec and GRE, it's enabled under both the crypto map and the tunnel interface. Thanks!

- Manoj

lgontarsk Mon, 06/18/2007 - 04:58

Thanks... Does this mean that the traffic gets pre-classified twice?

d.kratz Tue, 06/19/2007 - 02:41


The fragment of config that you posted doesn't have the crypto map applied to an interface... Does the traffic go out via this tunnel interface?


d.kratz Tue, 06/19/2007 - 15:10


You need to look at your routing table to see which pre-classify is in use.

If you use IPSec tunnel mode, the pre-classify in the crypto map is in use. If your tunnel is routed via serial, the first classification is in the virtual tunnel interface.



royalblues Wed, 06/20/2007 - 12:02

I used IPSec and a GRE caymen tunnel, and to do QoS I enabled the qos pre-classify command only under the crypto map.

I was able to see the packets getting matched to the policy I defined.
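
For reference, a complete layout of the GRE-over-IPSec setup discussed in this thread, as an added example that is not part of any post above. The service policy sits on the outgoing physical interface, and qos pre-classify on the tunnel and the crypto map keeps a copy of the original IP header so that policy can match on inner addresses and ports. Assumptions: Serial0/0, the addresses (documentation ranges), VOICE-PORTS, VOICE and WAN-OUT are constructed names and values; TSI and CUSTNAME-ATLCRX are taken from the posted fragment and assumed to be defined elsewhere.

```cisco
! Added example with constructed values; not the poster's production config.
! Classification here depends on UDP ports of the ORIGINAL packet. After
! GRE and ESP encapsulation those ports are hidden, so this class only
! matches if the original header is preserved by qos pre-classify.
ip access-list extended VOICE-PORTS
 permit udp any any range 16384 32767
!
class-map match-all VOICE
 match access-group name VOICE-PORTS
!
policy-map WAN-OUT
 class VOICE
  priority percent 30
 class class-default
  fair-queue
!
! IPSec side: keep the pre-encryption header available for classification.
crypto map CRX0 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TSI
 match address CUSTNAME-ATLCRX
 qos pre-classify
!
! GRE side: keep the pre-encapsulation header available for classification.
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1440
 qos pre-classify
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
!
! The crypto map and the service policy are both applied on the physical
! interface the tunnel is routed over. Without this step the crypto map
! (and its qos pre-classify line) is never used.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map CRX0
 service-policy output WAN-OUT
```

Running show policy-map interface Serial0/0 displays the per-class packet counters, which is the check for whether traffic is being matched to the policy.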


