
Qos on Tunnel

drnteam
Level 1

Hi,

I am using an encrypted tunnel for connecting the branches. Now my concern is to apply QoS for certain traffic, but the tunnel is not supporting it. How can I define QoS on a tunnel? Or is it possible to define it on the physical interface?

3 Replies

n.nandrekar
Level 4

hi!

Refer to the following doc to apply a QoS policy on a tunnel interface:

http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008017405e.shtml

You will have to use the "qos-preclassify" command to classify the traffic based on the original IP headers rather than the tunnel headers.

Where Do I Apply the Service Policy?

You can apply a service policy to either the tunnel interface or to the underlying physical interface. The decision of where to apply the policy depends on the QoS objectives. It also depends on which header you need to use for classification.

* Apply the policy to the tunnel interface without qos-preclassify when you want to classify packets based on the pre-tunnel header.

* Apply the policy to the physical interface without qos-preclassify when you want to classify packets based on the post-tunnel header. In addition, apply the policy to the physical interface when you want to shape or police all traffic belonging to a tunnel, and the physical interface supports several tunnels.

* Apply the policy to a physical interface and enable qos-preclassify when you want to classify packets based on the pre-tunnel header.

Regards,

Niranjan

(pls rate if the post helps)

Hi,

But a major thing is that I am using the encrypted. Does the config remain the same for the encryption also?

hi!!!

You can use the following reference for IPsec / encryption on a tunnel:

http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

The qos-preclassify would still work, but you will have to give qos-preclassify under the crypto map:

Complete these steps to configure QoS preclassification with IPSec and GRE.

1. Configure a crypto map and specify the qos pre-classify command in map configuration mode.

    crypto map cryptomap_gre1 10 ipsec-isakmp
     set peer 172.32.241.9
     set transform-set transf_GRE1_transport
     match address 130
     qos pre-classify

2. Use the show crypto map command to confirm your configuration.

    2621vpn1#show crypto map
    Crypto Map: "cryptomap_gre1" idb: Loopback0 local address: 172.31.247.1
    Crypto Map "cryptomap_gre1" 10 ipsec-isakmp
     Description: Crypto map on GRE1 tunnel mode transport - 10.240.252.0->3/30
     Peer = 172.32.241.9
     Extended IP access list 130
     access-list 130 permit gre host 172.31.247.1 host 172.32.241.9
     Current peer: 172.32.241.9
     Security association lifetime: 4608000 kilobytes/3600 seconds
     PFS (Y/N): N
     Transform sets={ transf_GRE1_transport, }
     QOS pre-classification

3. Define a GRE tunnel interface and apply the crypto map and qos pre-classify commands.

    interface Tunnel0
     ip address 10.240.252.1 255.255.255.252
     qos pre-classify
     tunnel source Loopback0
     tunnel destination 172.32.241.9
     crypto map cryptomap_gre1

4. Use the show interface tunnel 0 command to confirm that QoS preclassification is enabled.

    2621vpn1#show interface tunnel 0
    Tunnel0 is up, line protocol is up
     Hardware is Tunnel
     Description: VPN resilience test - 1st GRE tunnel Interface mode transport - 10.240.252.0->3/3
     Internet address is 10.240.252.1/30
     Tunnel source 172.31.247.1 (Loopback0), destination 172.32.241.9
     Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
     Checksumming of packets disabled, fast tunneling enabled
     Last input 00:00:04, output 00:00:04, output hang never
     Last clearing of "show interface" counters 00:00:51
     Queueing strategy: fifo (QOS pre-classification)
     Output queue 0/0, 0 drops; input queue 0/75, 0 drops

The above output illustrates that the tunnel interface continues to use first in, first out (FIFO) as the queuing strategy even with QoS preclassification and fancy queuing enabled. This is illustrated in the show command output with the line Queueing strategy: fifo (QOS pre-classification). Both GRE and IPSec tunnels require FIFO queuing since a destination device drops IPSec packets that arrive out of order.

Regards,

Niranjan

(pls rate if helpful)
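
The third placement option quoted above (policy on the physical interface, classification on the pre-tunnel header) combined with the crypto map steps, as an added example that is not part of the original thread or the referenced Cisco documents. Assumptions: the egress interface Serial0/0, the branch subnets 10.1.0.0/16 and 10.2.0.0/16, ACL 140, the 256 kbps priority value and the names BRANCH-VOICE and WAN-EDGE-OUT are all constructed for illustration; the crypto map and Tunnel0 names come from the thread.

```cisco
! ACL 140 (constructed) matches the ORIGINAL inner header: branch-to-branch
! RTP. After GRE + IPsec the outer header only shows ESP between
! 172.31.247.1 and 172.32.241.9, so this match needs qos pre-classify.
access-list 140 permit udp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 range 16384 32767
!
class-map match-all BRANCH-VOICE
 match access-group 140
!
policy-map WAN-EDGE-OUT
 class BRANCH-VOICE
  ! Low-latency queue, 256 kbps (assumed value)
  priority 256
 class class-default
  fair-queue
!
! Pre-classification under the crypto map entry and on the tunnel,
! exactly as in steps 1 and 3 of the reply above.
crypto map cryptomap_gre1 10 ipsec-isakmp
 qos pre-classify
!
interface Tunnel0
 qos pre-classify
!
! The policy itself goes on the physical egress interface (assumed name),
! where queuing happens after encapsulation and encryption.
interface Serial0/0
 service-policy output WAN-EDGE-OUT
```

After applying it, `show policy-map interface Serial0/0` should show the BRANCH-VOICE match counters incrementing; if only class-default counts packets, classification is still seeing the post-tunnel header.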
