QOS Policy: GRE / IPSEC / Priority Queuing

Oct 31st, 2008

If I have a gigabit ethernet router connection to a WAN service that's rate limited to 200 Mbps in the cloud, and I'm running a GRE tunnel that's encrypted with IPSEC, how can I configure my router to

1) shape all outbound traffic to 200 Mbps on the Gig interface that connects to the WAN provider

2) within the shaped traffic prioritize a particular class and give it up to 50 Mbps bandwidth

3) allow all the other traffic to fall into the default class with best effort delivery

I'm thinking that I first need to create a parent policy for the shaping, and a child policy under that for the priority, but am not really sure.

Also, does the policy get applied to the physical gigabit ethernet interface or to the Tunnel interface?

Any thoughts or suggestions would be very greatly appreciated.

Overall Rating: 5 (1 ratings)
Istvan_Rabai Fri, 10/31/2008 - 11:03

Hi Richard,

I would do this task in a way similar to this:

class-map C-PRIORITY
 ! this will classify your priority traffic
 match .....

policy-map SHAPINGPOLICY
 class class-default
  shape average 200000000
  service-policy PRIORITIZE

policy-map PRIORITIZE
 class C-PRIORITY
  priority 50000
  set dscp ef
 class class-default
  set dscp default

interface Gig1/1
 service-policy output SHAPINGPOLICY

interface Tunnel0
 qos pre-classify


qos pre-classify


The "qos pre-classify" command is needed only when you classify your traffic with the C-PRIORITY class-map based on fields other than the TOS byte in the original IP header.

If you classify your traffic based on the TOS-byte of the incoming traffic, then you can omit this command at both places. The TOS byte is by default copied from the original IP header to the tunnel IP header.

If you apply the service-policy to the physical interface then the QoS policies will take effect on all Tunnel interfaces sending traffic through Gig1/1.

If you apply the service-policy to the Tunnel interface then the QoS policies will be applied to the given Tunnel interface only.

In this case, too, you need to omit the qos pre-classify commands.
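
Added example, not part of the original thread and not Cisco code: a small Python model of why an ACL-based class-map on the physical interface needs "qos pre-classify" while a TOS/DSCP-based one does not. The ESP outer protocol, the addresses and the UDP port range are constructed assumptions; the thread does not show the contents of the ACL.

```python
import ipaddress
import struct

UDP, GRE, ESP = 17, 47, 50  # IP protocol numbers

def ipv4(src, dst, proto, tos, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tunnel_encap(inner, tun_src, tun_dst):
    """GRE, then an ESP stand-in: TOS is copied outward, everything else is hidden."""
    tos = inner[1]
    gre = ipv4(tun_src, tun_dst, GRE, tos, b"\x00\x00\x08\x00" + inner)
    opaque = bytes(len(gre))  # placeholder for ciphertext (assumption: ESP)
    return ipv4(tun_src, tun_dst, ESP, tos, opaque)

def acl_udp_dport(pkt, lo, hi):
    """Models an extended ACL entry such as 'permit udp any any range lo hi'."""
    if pkt[9] != UDP:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return lo <= dport <= hi

def dscp(pkt):
    return pkt[1] >> 2

def classify(inner, outer, pre_classify, by_dscp=False):
    """Class picked by the output policy on the physical interface."""
    if by_dscp:  # TOS byte survives encapsulation, no pre-classify needed
        return "C-PRIORITY" if dscp(outer) == 46 else "class-default"
    # With pre-classify the router classifies on a copy of the original header.
    seen = inner if pre_classify else outer
    hit = acl_udp_dport(seen, 16384, 32767)  # hypothetical ACL port range
    return "C-PRIORITY" if hit else "class-default"

# Constructed sample: an EF-marked UDP packet sent through the tunnel.
INNER = ipv4("10.1.1.10", "10.2.2.20", UDP, 46 << 2, udp(20000, 16500, b"rtp"))
OUTER = tunnel_encap(INNER, "192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    for pre in (False, True):
        print("ACL match, pre-classify =", pre, "->", classify(INNER, OUTER, pre))
    print("DSCP match ->", classify(INNER, OUTER, False, by_dscp=True))
```

Without pre-classify the ACL only ever sees the tunnel endpoints and protocol 50, so the traffic meant for the priority class falls into class-default.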



rbauer Fri, 10/31/2008 - 11:23


This works perfectly.

Note: I'm using an extended ACL for class-map C-priority.

class-map match-any c-priority
 match access-group 120

Thank you.


Istvan_Rabai Fri, 10/31/2008 - 12:30

Hi Rich,

I'm glad I could help you.

Please rate my post if you think my post was valuable for you.



