I have two VPN routers in my datacenter, which is connected to the MPLS cloud, and around 1000 branches connected to the MPLS cloud using BGP. I want to configure QoS for the IPsec traffic and make sure that this IPsec traffic gets higher priority than the other traffic. Kindly find the attached file for my network topology.
I need some clarification about a few points below.
1. If it is IPsec traffic, the MPLS service provider is unable to view the QoS marking (DSCP or IP precedence) because it is encrypted data, so is it possible to mark the IPsec traffic in such a way that the MPLS service provider can receive it and map it to MPLS EXP bit 5?
2. If I just add the qos pre-classify command under the crypto map and mark the traffic with DSCP or IP precedence or any value, will the service provider be able to identify the traffic and map it to the EXP bit?
Kindly let us know the solution for this.
1) By default, IOS IPsec will preserve the DSCP/precedence marking of the data packet in the encapsulating header, so a transit router would still have visibility into that marking even though the payload itself is completely encrypted.
2) Again, if the data packet has the DSCP/precedence bits marked (either from the end host or through re-marking via an inbound service policy), the marking will be carried over to the outer encapsulating header by default; you shouldn't need to configure qos pre-classify for that. What qos pre-classify will do for you is give you visibility into the data packet's other L3/L4 information at the time of classification.
Hope this helps,
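The following IOS configuration is an added example illustrating the two points in the answer above; it is not part of the original thread. The hostnames, ACL names, interface numbers, peer address, transform set and the 30% priority figure are assumed for illustration, and the ISAKMP/IKE policy and pre-shared key configuration are omitted. Inbound traffic is marked on the LAN interface before encryption, the default ToS copy carries that DSCP into the outer ESP header, and the WAN policy queues on the outer marking. qos pre-classify is present only so the WAN policy could also match on inner addresses or ports; for a DSCP-only match it is not required.

```ios
! Added example, not from the original post. Names, addresses and
! interface numbers below are assumptions for illustration only.
!
! 1. Classify and mark the cleartext data packets on the LAN side.
!    IOS copies the inner packet's ToS byte (DSCP/precedence) into the
!    outer ESP header by default, so the mark survives encryption.
ip access-list extended VOICE-ACL
 permit udp 10.10.0.0 0.0.255.255 range 16384 32767 any
!
class-map match-any VOICE-DATA
 match access-group name VOICE-ACL
!
policy-map MARK-IN
 class VOICE-DATA
  set ip dscp ef
!
interface GigabitEthernet0/0
 description LAN towards datacenter hosts
 service-policy input MARK-IN
!
! 2. IPsec. qos pre-classify is only needed when the outbound WAN policy
!    has to match on inner L3/L4 fields (addresses, ports); matching on
!    DSCP alone works without it because of the ToS copy.
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
ip access-list extended VPN-ACL
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address VPN-ACL
 qos pre-classify
!
! 3. Queue on the outer-header marking towards the MPLS provider.
!    The PE sees DSCP EF on the ESP packet; how it maps that to an EXP
!    value depends on the provider's QoS contract.
class-map match-any OUTER-EF
 match ip dscp ef
!
policy-map WAN-OUT
 class OUTER-EF
  priority percent 30
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 description WAN towards MPLS PE
 crypto map VPN-MAP
 service-policy output WAN-OUT
```

To confirm the marking is actually visible after encryption, generate traffic that matches VOICE-ACL and check `show policy-map interface GigabitEthernet0/1`: the OUTER-EF class counters should increment, since that class matches only on the outer ESP header's DSCP. If they stay at zero while MARK-IN on the LAN interface is counting, the mark is not being carried into the outer header and the provider will not see it either.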