What is the Difference Between Policy Map Applied to Tunnel Interface vs. Physical Interface in IPSEC Encrypted GRE Tunnel?

canero
Level 1

Hello,

We are configuring an IPSEC encrypted GRE tunnel. It is working OK, but we have a QoS configuration issue.

We have 4 different traffic classes and want to configure a Policy Map which will cover those 4 class-maps. Our sample configuration is as below. We thought of applying "qos pre-classify" to the tunnel interfaces, and applying the Policy Map to the physical interface. This is one choice.

One other thought is to configure the same Class-maps and configure a separate Policy Map for the 4 Class-maps without the qos pre-classify command, then apply the Policy-Map to the tunnel interface. Would this create the same effect on the physical interface as the first case, or won't the physical interface notice the packets since they're encrypted with IPSEC while going out?

The third choice is to configure "qos pre-classify" on the tunnel interface and apply the policy map to the tunnel interface. We did not find such a configuration in the documentation. The hardware platform is ASR1000 Series.

What is the difference between these 3 scenarios from a scalability and performance perspective?

Scenario 1:

crypto ipsec transform-set S2S_GRE_IPSEC esp-aes 256 esp-sha-hmac
!
crypto dynamic-map Dyn_S2S_GRE 10
 set transform-set S2S_GRE_IPSEC
!
crypto map S2S_GRE_IPSEC 10 ipsec-isakmp dynamic Dyn_S2S_GRE
!
! Access lists 111-114 select the traffic for each class (their contents are not shown here).
! A class-map matches an ACL with "match access-group", not "match ip address".
class-map match-all CM_1
 match access-group 111
class-map match-all CM_2
 match access-group 112
class-map match-all CM_3
 match access-group 113
class-map match-all CM_4
 match access-group 114
!
! Inside a policy-map the keyword is "class", which references the class-map by name.
policy-map PM_TEST
 class CM_1
  bandwidth 128
 class CM_2
  bandwidth 256
 class CM_3
  bandwidth 512
 class CM_4
  bandwidth 1024
!
interface Tunnel0
 description to_Tunnel_111
 ip address 10.10.10.1 255.255.255.0
 ip rip advertise 5
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source 172.16.10.1
 tunnel destination 172.16.10.2
 ! keep a copy of the pre-encapsulation headers so the physical-interface policy can classify on them
 qos pre-classify
!
interface Tunnel1
 description to_Tunnel_112
 ip address 10.10.11.1 255.255.255.0
 ip rip advertise 5
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source 172.16.11.1
 tunnel destination 172.16.11.2
 qos pre-classify
!
interface GigabitEthernet0/0/1
 ! the direction keyword precedes the policy name: "service-policy output <name>"
 service-policy output PM_TEST
 crypto map S2S_GRE_IPSEC

1 Reply

Bastien Migette
Cisco Employee

Hello,

The qos pre-classify command is used to keep the original header in memory so it can be classified when QoS comes.

If you apply it to the tunnel interface, you don't need it, as the encapsulation & encryption come after the QoS on the interface.

Now, if you apply the QoS on the tunnel interface, it will apply the QoS inside the tunnel, but when the IPSEC packet leaves the physical interface, there won't be QoS applied to it, so it might be best-efforted.

It might be simpler to handle QoS through a policy map on the tunnel interface, but in this case it may be a good option to allow bandwidth for the whole tunnel on the physical interface.

Hope this helps.


Thanks,
Bastien
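The following is an added example (not part of the original thread, and not a configuration from either poster) showing the second scenario the way the reply suggests: the per-class policy is applied to each tunnel interface without qos pre-classify, and the physical interface gets a policy that guarantees bandwidth for each tunnel as a whole by matching the encrypted ESP traffic to that tunnel's peer. The class-maps CM_1..CM_4, ACLs 111-114, the tunnel and peer addresses and the crypto map are taken from Scenario 1; the shape rate of 2048 kbps (a little above the 1920 kbps sum of the four class guarantees), the ACL name ACL_ESP_TUNNEL0 and the policy names PM_TUNNEL_SHAPE and PM_PHYSICAL are assumptions chosen for the example. Only Tunnel0 is shown; Tunnel1 would be handled the same way with its own peer ACL and class.

```ios
! Per-class guarantees, queued inside the tunnel before GRE encapsulation and
! IPsec encryption, so the inner headers are still visible and qos pre-classify
! is not needed here. (Added example; class-maps CM_1..CM_4 come from Scenario 1.)
policy-map PM_TEST
 class CM_1
  bandwidth 128
 class CM_2
  bandwidth 256
 class CM_3
  bandwidth 512
 class CM_4
  bandwidth 1024
!
! Parent shaper for the whole tunnel; the per-class policy runs as its child so
! the bandwidth statements are shared out of the shaped rate. (Assumed rate.)
policy-map PM_TUNNEL_SHAPE
 class class-default
  shape average 2048000
  service-policy PM_TEST
!
interface Tunnel0
 description to_Tunnel_111
 ip address 10.10.10.1 255.255.255.0
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source 172.16.10.1
 tunnel destination 172.16.10.2
 ! no qos pre-classify: the policy sits on the tunnel, before encryption
 service-policy output PM_TUNNEL_SHAPE
!
! After encryption the physical interface only sees ESP between the tunnel
! endpoints, so reserve bandwidth for the tunnel by matching that.
! (Assumed ACL and class names; if NAT traversal is in use the traffic would be
! UDP/4500 to the peer instead of native ESP.)
ip access-list extended ACL_ESP_TUNNEL0
 permit esp host 172.16.10.1 host 172.16.10.2
!
class-map match-any CM_TUNNEL0_ESP
 match access-group name ACL_ESP_TUNNEL0
!
policy-map PM_PHYSICAL
 class CM_TUNNEL0_ESP
  bandwidth 2048
 class class-default
  fair-queue
!
interface GigabitEthernet0/0/1
 service-policy output PM_PHYSICAL
 crypto map S2S_GRE_IPSEC
```

The physical-interface policy deliberately classifies only on the outer (post-encryption) headers, which is all that is visible there without qos pre-classify. One consequence worth knowing when choosing between the scenarios: GRE and IPsec copy the ToS byte of the inner packet to the outer header by default, so a physical-interface policy can still match on DSCP without qos pre-classify; the command is only required when the physical-interface policy must match inner fields such as source/destination addresses or ports, as the ACL-based classes in Scenario 1 do.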
