Qos on Tunnel

Unanswered Question
Jun 30th, 2008


I am using an encrypted tunnel for connecting the branches. Now my concern is to apply QoS for certain traffic, but the tunnel is not supporting it. How can I define QoS in a tunnel? Or is it possible to define it on the physical interface?

n.nandrekar Mon, 06/30/2008 - 22:45


Refer to the following doc to apply a QoS policy on a tunnel interface:


You will have to use the "qos-preclassify" command to classify the traffic based on the original IP headers rather than the tunnel headers.

Where Do I Apply the Service Policy?

You can apply a service policy to either the tunnel interface or to the underlying physical interface. The decision of where to apply the policy depends on the QoS objectives. It also depends on which header you need to use for classification.


Apply the policy to the tunnel interface without qos-preclassify when you want to classify packets based on the pre-tunnel header.


Apply the policy to the physical interface without qos-preclassify when you want to classify packets based on the post-tunnel header. In addition, apply the policy to the physical interface when you want to shape or police all traffic belonging to a tunnel, and the physical interface supports several tunnels.


Apply the policy to a physical interface and enable qos-preclassify when you want to classify packets based on the pre-tunnel header.



(pls rate if the post helps)

drnteam Mon, 06/30/2008 - 23:46


But a major thing is that I am using the encrypted tunnel. Does the config remain the same for encryption also?

n.nandrekar Mon, 06/30/2008 - 23:59


You can use the following reference for IPsec / encryption on a tunnel:


The qos-preclassify would still work, but you will have to give qos-preclassify under the crypto map:

Complete these steps to configure QoS preclassification with IPSec and GRE.


Configure a crypto map and specify the qos pre-classify command in map configuration mode.

    crypto map cryptomap_gre1 10 ipsec-isakmp
     set peer
     set transform-set transf_GRE1_transport
     match address 130
     qos pre-classify


Use the show crypto map command to confirm your configuration.

    2621vpn1#show crypto map
    Crypto Map: "cryptomap_gre1" idb: Loopback0 local address:
    Crypto Map "cryptomap_gre1" 10 ipsec-isakmp
            Description: Crypto map on GRE1 tunnel mode transport ->3/30
            Peer =
            Extended IP access list 130
                access-list 130 permit gre host host
            Current peer:
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={ transf_GRE1_transport, }
            QOS pre-classification


Define a GRE tunnel interface and apply the crypto map and qos pre-classify commands.

    interface Tunnel0
     ip address
     qos pre-classify
     tunnel source Loopback0
     tunnel destination
     crypto map cryptomap_gre1


Use the show interface tunnel 0 command to confirm that QoS preclassification is enabled.

    2621vpn1#show interface tunnel 0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Description: VPN resilience test - 1st GRE tunnel Interface mode transport ->3/3
      Internet address is
      Tunnel source (Loopback0), destination
      Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
      Checksumming of packets disabled, fast tunneling enabled
      Last input 00:00:04, output 00:00:04, output hang never
      Last clearing of "show interface" counters 00:00:51
      Queueing strategy: fifo (QOS pre-classification)
      Output queue 0/0, 0 drops; input queue 0/75, 0 drops

The above output illustrates that the tunnel interface continues to use first in, first out (FIFO) as the queuing strategy even with QoS preclassification and fancy queuing enabled. This is illustrated in the show command output with the line Queueing strategy: fifo (QOS pre-classification). Both GRE and IPSec tunnels require FIFO queuing since a destination device drops IPSec packets that arrive out of order.



(pls rate if helpful)
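
An added example, not part of the thread or of the Cisco document it quotes: the third option described above (policy on the physical interface, classification on the pre-tunnel header), placed there because the tunnel interface itself stays FIFO. The names VOICE-RTP and BRANCH-WAN, ACL 150, the UDP port range, the 30 percent figure and Serial0/0 are assumptions; only cryptomap_gre1 and Tunnel0 come from the quoted configuration.

```cisco
! Added example. Assumed (not from the thread): VOICE-RTP, BRANCH-WAN,
! ACL 150, the RTP port range, 30 percent, Serial0/0.
!
! ACL written against the ORIGINAL packet: inner UDP ports of voice media.
! After GRE + IPsec the outer header is ESP between the tunnel endpoints,
! so without pre-classification this ACL never matches on the physical
! interface and all tunnel traffic falls into class-default.
access-list 150 permit udp any any range 16384 32767
!
class-map match-any VOICE-RTP
 match access-group 150
!
policy-map BRANCH-WAN
 class VOICE-RTP
  priority percent 30
 class class-default
  fair-queue
!
! Keep a copy of the pre-tunnel header for the classifier, in both places
! the quoted steps show it: under the crypto map and under the tunnel.
crypto map cryptomap_gre1 10 ipsec-isakmp
 qos pre-classify
!
interface Tunnel0
 qos pre-classify
!
! Queuing policy on the physical egress interface, after encapsulation.
interface Serial0/0
 service-policy output BRANCH-WAN
```

To check it, run `show policy-map interface Serial0/0` while voice traffic crosses the tunnel and confirm that the VOICE-RTP match counters increase rather than everything landing in class-default.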

