02-13-2011 10:32 AM - edited 02-21-2020 05:10 PM
Hello,
We are configuring an IPsec-encrypted GRE tunnel. It is working OK, but we have a QoS configuration issue.
We have 4 different traffic classes and want to configure policy maps which will cover those 4 class-maps. Our sample configuration is as below. We thought of applying "qos pre-classify" to the tunnel interfaces and applying the policy map to the physical interface. This is one choice.
One other thought is to configure the same class-maps and configure a separate policy map for each of the 4 class-maps without the "qos pre-classify" command, then apply the policy map to the tunnel interface. Would this create the same effect on the physical interface as the first case, or will the physical interface not notice the packets since they're encrypted with IPsec while going out?
The third choice is to configure "qos pre-classify" on the tunnel interface and apply the policy map to the tunnel interface. We did not come across such a configuration in the documentation. The hardware platform is the ASR1000 Series.
What's the difference between these 3 scenarios from a scalability and performance perspective?
Scenario 1:
crypto ipsec transform-set S2S_GRE_IPSEC esp-aes 256 esp-sha-hmac
!
crypto dynamic-map Dyn_S2S_GRE 10
 set transform-set S2S_GRE_IPSEC
!
crypto map S2S_GRE_IPSEC 10 ipsec-isakmp dynamic Dyn_S2S_GRE
!
! One class-map per traffic class; access-lists 111-114 are not shown in this post
class-map CM_1
 match access-group 111
class-map CM_2
 match access-group 112
class-map CM_3
 match access-group 113
class-map CM_4
 match access-group 114
!
! Bandwidth guarantee per class, in kbps
policy-map PM_TEST
 class CM_1
  bandwidth 128
 class CM_2
  bandwidth 256
 class CM_3
  bandwidth 512
 class CM_4
  bandwidth 1024
!
interface tunnel0
 description to_Tunnel_111
 ip address 10.10.10.1 255.255.255.0
 ip rip advertise 5
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source 172.16.10.1
 tunnel destination 172.16.10.2
 ! Keep a copy of the inner header for classification on the physical interface
 qos pre-classify
!
interface tunnel1
 description to_Tunnel_112
 ip address 10.10.11.1 255.255.255.0
 ip rip advertise 5
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source 172.16.11.1
 tunnel destination 172.16.11.2
 qos pre-classify
!
! Policy is applied outbound on the physical interface that carries the crypto map
interface G0/0/1
 service-policy output PM_TEST
 crypto map S2S_GRE_IPSEC
02-14-2011 03:10 AM
Hello,
The qos pre-classify command is used to keep the original header in memory to classify it when QoS comes.
If you apply it to the tunnel interface, you don't need it, as the encapsulation & encryption come after the QoS on the interface.
Now, if you apply the QoS on the tunnel interface, it will apply the QoS inside the tunnel, but when the IPsec packet leaves the physical interface, there won't be QoS applied to it, so it might be treated as best effort.
It might be simpler to handle QoS through a policy map on the tunnel interface, but in this case it may be a good option to allow bandwidth for the whole tunnel on the physical interface.
Hope this helps.
Thanks,
Bastien
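The classification order discussed in this thread, as an added example that is not part of the original posts or of any Cisco code: a small Python model of which header a class-map can match on at the tunnel interface and at the physical interface, with and without qos pre-classify. The ACL prefixes and all function names are assumptions made for the illustration, since the thread does not show access-lists 111-114.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    proto: str  # "tcp", "esp", ...

@dataclass(frozen=True)
class Packet:
    header: Header                        # header visible on the wire
    inner_clone: Optional[Header] = None  # copy kept by qos pre-classify

# Assumption: constructed stand-ins for ACLs 111-114 (destination prefixes).
CLASS_MAPS = {
    "CM_1": ip_network("192.168.1.0/24"),
    "CM_2": ip_network("192.168.2.0/24"),
    "CM_3": ip_network("192.168.3.0/24"),
    "CM_4": ip_network("192.168.4.0/24"),
}

def classify(header: Header) -> str:
    """Return the first class-map whose ACL matches, else class-default."""
    for name, net in CLASS_MAPS.items():
        if ip_address(header.dst) in net:
            return name
    return "class-default"

def encapsulate(inner: Packet, tsrc: str, tdst: str, pre_classify: bool) -> Packet:
    """GRE + ESP: the outer header shows only the tunnel endpoints and ESP."""
    clone = inner.header if pre_classify else None
    return Packet(Header(tsrc, tdst, "esp"), clone)

def policy_on_tunnel(inner: Packet) -> str:
    """A tunnel-interface policy classifies before encapsulation."""
    return classify(inner.header)

def policy_on_physical(outer: Packet) -> str:
    """A physical-interface policy sees the outer header unless a
    pre-classify copy of the inner header was retained."""
    return classify(outer.inner_clone or outer.header)

if __name__ == "__main__":
    pkt = Packet(Header("10.1.1.10", "192.168.3.20", "tcp"))  # constructed sample
    print("policy on tunnel:", policy_on_tunnel(pkt))
    for pre in (True, False):
        outer = encapsulate(pkt, "172.16.10.1", "172.16.10.2", pre)
        print(f"policy on physical, pre-classify={pre}:", policy_on_physical(outer))
```

The model covers classification only; it does not model queuing, bandwidth allocation, or ASR1000 forwarding internals.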