QoS on IPSEC Tunnel

cplatt01
Level 1

I am piloting a site with IP Phones over an IPSEC tunnel. Because of the Internet, I know my tagging is lost once it leaves the LAN, but want the QOS to be optimized at the very least.

Should the policy map be applied to the gig interface or the tunnel interface?

5 Replies

Mark Turpin
Level 5

Check out http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns109/networking_solutions_white_paper09186a008018913f.shtml. I think this is what you're looking for (with config examples).

Good luck!

-Mark

--
-Mark Turpin

The issue with the approach explained in the WP is that essentially you are limiting bandwidth to tunnels to whatever you believe the Internet performance to be. Traffic in excess is dropped (TCP senders will benefit, however) and a quasi-LLQ is given to voice traffic. If you have no issue with that, then it works fine. But you will never get full circuit capacity, or at least you will need fine tuning.

aman_chugh
Level 1

We have been running 10 IP phones on an IPsec tunnel with QoS with a centralized CCM deployment for over a year. We do see occasional voice quality issues, primarily when we see an increase in round-trip times. Some of the things which you should consider in this deployment are:

1. Use LLQ in your QoS policy to prioritize voice traffic.

2. Provide guaranteed bandwidth for signalling traffic to avoid unregistrations of IP phones.

3. Use an ISP which can provide an SLA on latency and packet drops.

4. Use hardware encryption and decryption as much as possible.

Hope this helps

Thanks

Aman

kamal-learn
Level 4

Hi Chris,

I think the URL provided by Mark is a good link.

But the topic discussed there will work only for a static address, a criterion that you know in advance. So what if you don't know the address, or you want to classify your traffic based on other characteristics of the packets, such as port numbers, which in this situation will be encrypted, which means you cannot access them!

The solution for such a case is the use of the qos pre-classify command under the tunnel or the crypto map; that command will keep a copy of the packet before it hits the tunnel.

But if you want to classify your traffic by the marking done beforehand by the IP phone or others, here the IOS will automatically copy the TOS field of the original packet to the TOS field of the encapsulating IPSEC packet, so it works without difficulties!

HTH

please do rate if it does clarify

Indeed, the clean approach is as kamal said: if you directly map between DSCP for packets inside and outside, then even if these arrive out of sequence because of queuing in the ISP cloud, IPSEC is smart enough to deal with the cipher stream details and no problem should occur.
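
One way to combine the points raised in the replies above (LLQ for voice, guaranteed signalling bandwidth, qos pre-classify, and shaping to the rate the Internet path is believed to sustain) in a single IOS configuration. This is an added example, not a configuration posted by any participant in the thread; the class and policy names, ACL number, RTP port range, DSCP values, percentages, 2 Mb/s shape rate and interface names are all assumptions to be replaced with site values.

```cisco
! Added example: every name, number and interface below is an assumption.
!
! Port-based match on the inner (cleartext) header. After encryption the
! ports are hidden, so this match only works with qos pre-classify.
access-list 101 permit udp any any range 16384 32767
!
! Voice: match the phone's own DSCP marking (the ToS byte is copied to the
! outer IPsec header) or, failing that, the RTP port range.
class-map match-any VOICE
 match ip dscp ef
 match access-group 101
!
! Call signalling, assumed here to be marked CS3 or AF31.
class-map match-any VOICE-SIGNALING
 match ip dscp cs3
 match ip dscp af31
!
! Child policy: LLQ for voice, guaranteed bandwidth for signalling so the
! phones do not unregister under load.
policy-map VOICE-LLQ
 class VOICE
  priority percent 33
 class VOICE-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
!
! Parent policy: shape to the estimated Internet rate so congestion and
! queuing happen on this router, where the LLQ can act on it.
policy-map SHAPE-TO-ISP
 class class-default
  shape average 2000000
  service-policy VOICE-LLQ
!
! Keep a copy of the original header for classification after encryption.
! With a crypto map instead of a tunnel interface, the same command is
! entered under the crypto map entry.
interface Tunnel0
 qos pre-classify
!
! Queue on the egress physical interface toward the ISP.
interface GigabitEthernet0/0
 service-policy output SHAPE-TO-ISP
```

`show policy-map interface GigabitEthernet0/0` reports per-class match and drop counters, which shows whether voice packets are landing in the priority class once they are encrypted.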