QOS and GRE over IPsec

dominic.caron
Level 5

Hi,

I've got my main campus and a remote site connected with a GRE over IPsec tunnel in tunnel mode. The GRE/IPsec works just fine. My problem is with my outbound policy-map. This one is used to police the traffic to the bandwidth of the remote site. It has a child policy to do LLQ for the voice traffic, matching on precedence 5 since I'm doing qos pre-classify.

Problem :

In the parent policy-map, I'm trying to match only some traffic because this is a router-on-a-stick configuration. It's trying to match on ESP from host A to host B, where those hosts are the two VPN gateways. I've got no match in my ACL counter. That's bizarre!

Now, I added to my ACL the entry permit ip any 10.4.0.0 0.0.255.255. This is my remote site IP range. I've got hits!!! That IP should be buried in GRE. GRE should be encapsulated in ESP. How can an outbound QoS policy (it should be applied last on the traffic, after encryption) be able to match on an encrypted IP field inside the packet? That's really really bizarre!!!

Can anyone tell me what I'm missing here?

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Dominic,

What you see could be the effect of the qos pre-classify command, which moves back the point of view for the QoS application.

see

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_q1.html#wp1046954

Otherwise the ACL should match in the first formulation on the GRE hosts, as you noted.

Hope to help

Giuseppe

QoS pre-classify only copies the inside TOS to the outside header. That would explain why the inner policy-map is doing its job. I can match on IP precedence there but not on UDP port.

My question is more about the outbound parent policy. Since the packets are IPsec, I should match on ESP packets. Problem is, I'm matching on the encrypted IPs.

Still, my link is working fine. The way I see this, it could be a cosmetic bug or something related to the configuration of my GRE tunnel. The traffic is entering the router and leaving by the same physical interface. That interface is the source interface of the GRE tunnel, and encryption is applied on that interface. It's a bit messy.

The next step might be to move the source of the GRE tunnel to a loopback interface. What do you think? I can't add a new physical interface because all the other slots are populated by links from my other remote sites.

Hello Dominic,

>> The traffic is entering the router and leaving by the same physical interface.

Probably you are in a very specific case.

However, I think that QoS pre-classify does more than copying the TOS to the outside header, for the simple reason that even without qos pre-classify this happens in most scenarios; for example, we used it on a Cisco 877 with an IPsec/GRE tunnel.

About making changes: if you don't have the additional interface, I don't see any reason to do it.

(golden rule: works? don't touch it)

Hope to help

Giuseppe
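The configuration below is an added illustration of the behaviour discussed in this thread; it is not a configuration posted by either participant. It shows the two ACL formulations from the original post side by side and where qos pre-classify is applied. Cisco documents qos pre-classify as letting the QoS classification see the original packet headers before GRE and IPsec encapsulation, which is why the ACL on the inner 10.4.0.0/16 range gets hits while the ACL on ESP between the gateways does not. The gateway addresses (192.0.2.1, 198.51.100.1), the 2 Mbit/s rate, and the crypto map, transform set, and interface names are constructed for the example; the ISAKMP policy, tunnel addressing and peer-side configuration are omitted.

```cisco
! Added example (not from this thread): outbound parent/child QoS policy on the
! physical interface that carries a GRE over IPsec tunnel, with qos pre-classify.
! Addresses are constructed RFC 5737 documentation addresses; 10.4.0.0/16 is the
! remote-site range named in the thread.
!
! Classification view WITHOUT qos pre-classify: the outbound policy on the
! physical interface sees the post-encryption packet, so the only thing it can
! match is ESP between the two VPN gateways.
ip access-list extended ESP-TO-REMOTE
 permit esp host 192.0.2.1 host 198.51.100.1
!
! Classification view WITH qos pre-classify: the router keeps a copy of the
! original (pre-GRE, pre-IPsec) headers for classification, so the same
! outbound policy must match the inner addresses and ports instead.
ip access-list extended INNER-TO-REMOTE
 permit ip any 10.4.0.0 0.0.255.255
!
class-map match-all VOICE
 match ip precedence 5
class-map match-any TO-REMOTE
 match access-group name INNER-TO-REMOTE
!
! Child policy: LLQ for voice inside the bandwidth reserved for the remote site.
policy-map CHILD-LLQ
 class VOICE
  priority percent 30
 class class-default
  fair-queue
!
! Parent policy: shape the remote-site traffic to its link rate (constructed
! value) and hand the shaped queue to the child policy for LLQ.
policy-map PARENT-TO-REMOTE
 class TO-REMOTE
  shape average 2000000
  service-policy CHILD-LLQ
!
! qos pre-classify is needed on the tunnel interface (GRE step) and on the
! crypto map (IPsec step) so both encapsulations preserve the original headers
! for classification.
interface Tunnel0
 qos pre-classify
!
crypto ipsec transform-set REMOTE-TS esp-aes esp-sha-hmac
!
crypto map REMOTE-SITE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set REMOTE-TS
 match address GRE-TO-REMOTE
 qos pre-classify
!
ip access-list extended GRE-TO-REMOTE
 permit gre host 192.0.2.1 host 198.51.100.1
!
! The policy is applied outbound on the physical interface that is both the
! tunnel source and the crypto interface, as in the thread.
interface GigabitEthernet0/0
 crypto map REMOTE-SITE
 service-policy output PARENT-TO-REMOTE
```

With qos pre-classify in place, the parent class has to be written against the inner addresses (INNER-TO-REMOTE), not against ESP; the ESP-TO-REMOTE ACL is shown only to make the contrast explicit and would see zero matches in this configuration. Whether the outbound classification happens before or after encryption also depends on the platform and IOS version, so checking the interface's service-policy counters (show policy-map interface) after a change is the reliable way to confirm which header the policy is matching on.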
