06-30-2008 10:23 PM - edited 03-03-2019 10:33 PM
Hi,
I am using an encrypted tunnel for connecting the branches. Now my concern is to apply QoS for certain traffic, but the tunnel is not supporting it. How can I define QoS in a tunnel? Or is it possible to define it on the physical interface?
06-30-2008 10:45 PM
hi!
Refer to the following doc to apply a QoS policy on a tunnel interface:
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008017405e.shtml
You will have to use the "qos-preclassify" command to classify the traffic based on the original IP headers rather than the tunnel headers.
Where Do I Apply the Service Policy?
You can apply a service policy to either the tunnel interface or to the underlying physical interface. The decision of where to apply the policy depends on the QoS objectives. It also depends on which header you need to use for classification.
* Apply the policy to the tunnel interface without qos-preclassify when you want to classify packets based on the pre-tunnel header.
* Apply the policy to the physical interface without qos-preclassify when you want to classify packets based on the post-tunnel header. In addition, apply the policy to the physical interface when you want to shape or police all traffic belonging to a tunnel, and the physical interface supports several tunnels.
* Apply the policy to a physical interface and enable qos-preclassify when you want to classify packets based on the pre-tunnel header.
Regards,
Niranjan
(pls rate if the post helps)
06-30-2008 11:46 PM
Hi,
But a major thing is that I am using an encrypted tunnel. Does the config remain the same for encryption also?
06-30-2008 11:59 PM
hi!!!
You can use the following reference for IPsec / encryption on a tunnel:
http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml
The qos-preclassify would still work, but you will have to give qos-preclassify under the crypto map:
Complete these steps to configure QoS preclassification with IPSec and GRE.
1. Configure a crypto map and specify the qos pre-classify command in map configuration mode.

    crypto map cryptomap_gre1 10 ipsec-isakmp
     set peer 172.32.241.9
     set transform-set transf_GRE1_transport
     match address 130
     qos pre-classify

2. Use the show crypto map command to confirm your configuration.

    2621vpn1#show crypto map
    Crypto Map: "cryptomap_gre1" idb: Loopback0 local address: 172.31.247.1
    Crypto Map "cryptomap_gre1" 10 ipsec-isakmp
        Description: Crypto map on GRE1 tunnel mode transport - 10.240.252.0->3/30
        Peer = 172.32.241.9
        Extended IP access list 130
            access-list 130 permit gre host 172.31.247.1 host 172.32.241.9
        Current peer: 172.32.241.9
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ transf_GRE1_transport, }
        QOS pre-classification

3. Define a GRE tunnel interface and apply the crypto map and qos pre-classify commands.

    interface Tunnel0
     ip address 10.240.252.1 255.255.255.252
     qos pre-classify
     tunnel source Loopback0
     tunnel destination 172.32.241.9
     crypto map cryptomap_gre1

4. Use the show interface tunnel 0 command to confirm that QoS preclassification is enabled.

    2621vpn1#show interface tunnel 0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Description: VPN resilience test - 1st GRE tunnel Interface mode transport - 10.240.252.0->3/3
      Internet address is 10.240.252.1/30
      Tunnel source 172.31.247.1 (Loopback0), destination 172.32.241.9
      Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
      Checksumming of packets disabled, fast tunneling enabled
      Last input 00:00:04, output 00:00:04, output hang never
      Last clearing of "show interface" counters 00:00:51
      Queueing strategy: fifo (QOS pre-classification)
      Output queue 0/0, 0 drops; input queue 0/75, 0 drops

The above output illustrates that the tunnel interface continues to use first in, first out (FIFO) as the queuing strategy even with QoS preclassification and fancy queuing enabled. This is illustrated in the show command output with the line Queueing strategy: fifo (QOS pre-classification). Both GRE and IPSec tunnels require FIFO queuing since a destination device drops IPSec packets that arrive out of order.
Regards,
Niranjan
(pls rate if helpful)
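
An added example, not part of the original posts or the linked Cisco notes: the third placement option from the first reply (policy on the physical interface with qos pre-classify enabled), built on the Tunnel0 / cryptomap_gre1 configuration from the steps above. The ACL number 150, the names VOICE-RTP and WAN-EDGE, the interface Serial0/0, the RTP port range and the 30 percent figure are assumptions chosen for illustration.

```cisco
! Added example. ACL 150, VOICE-RTP, WAN-EDGE, Serial0/0 and all values
! below are assumptions, not taken from the thread.
!
! Classify on the ORIGINAL (pre-tunnel) header: voice RTP by UDP port range.
! After GRE + IPsec the packet on the wire is ESP/GRE between 172.31.247.1
! and 172.32.241.9, so without pre-classification this ACL would never match
! on the physical interface.
access-list 150 permit udp any any range 16384 32767
!
class-map match-all VOICE-RTP
 match access-group 150
!
policy-map WAN-EDGE
 class VOICE-RTP
  priority percent 30
 class class-default
  fair-queue
!
! Pre-classification stays enabled in both places the steps above put it,
! so the router keeps a copy of the inner header for the classifier.
crypto map cryptomap_gre1 10 ipsec-isakmp
 qos pre-classify
!
interface Tunnel0
 qos pre-classify
!
! Queue on the physical egress interface, where congestion actually occurs.
! The tunnel interface itself remains FIFO, as the show output above reports.
interface Serial0/0
 service-policy output WAN-EDGE
```

Check the result with show policy-map interface Serial0/0: the VOICE-RTP class counters should increase while voice crosses the tunnel. If only class-default counts packets, the classifier is seeing the post-tunnel header and pre-classification is not in effect.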