Cisco Support Community
New Member

IPsec over MPLS

I've this situation (different QoS needed):

traffic_1 priority = 1

traffic_2 priority = 2

traffic_3 priority = 3

The traffic is flowing among different sites. Sites are connected by the service provider's MPLS network. I use MPLS to give the QoS needed (different label for different priority)

traffic_1 --> ---------  --> label_1[traffic_1]
traffic_2 --> |MPLS CE| --> label_2[traffic_2]
traffic_3 --> ---------  --> label_3[traffic_3]

I don't trust the provider, I'd like to add IPsec to protect my traffic (I guess in transport mode).

traffic_1 --> -----------     ---------
traffic_2 --> |IPsec box| --> |MPLS CE| --> MPLS NTW
traffic_3 --> -----------     ---------

If I use IPsec before the CE, is it still possible for the CE to discriminate the traffic for the MPLS labeling, or does IPsec hide the fields used to discriminate traffic? I think this is true for IPsec-ESP but not for AH.


New Member

Re: IPsec over MPLS


Unless you are encrypting end to end (i.e. client to host) you will need to use tunnel mode.

With both tunnel and transport mode IPSEC and IKE use their own IP protocol ID, so you won't be able to classify your traffic anymore based on their original protocol ID and port.

New Member

Re: IPsec over MPLS

What about using the TOS field to label the packet? I read that IPsec, even in Tunnel mode, copies the TOS field from the original packet to the new IP header.

Do I have to use Tunnel mode even if the VPN is provided by MPLS itself? The MPLS is used first to create a site-to-site VPN over the provider's public network and secondly to provide different QoS for traffic flowing inside the VPN itself.


New Member

Re: IPsec over MPLS

I've also heard that the TOS is carried through, but I haven't tested this.

IPSEC Tunnel mode is independent of how the MPLS VPN is provided.

If a router is providing the IPSEC for a number of client connections normally the client's packet will come in with ipaddress_a and then be placed in an IPSEC tunnel with source ipaddress_b which is the ip address of the router. Perhaps some routers can provide transport mode, and retain the source ipaddress_a even in ipsec, but I haven't come across this. I would be interested if others have.

New Member

Re: IPsec over MPLS

You can try and use "qos pre-classification" feature of Cisco IOS to do TOS Byte reflection of the actual packet to the IPSec VPN Tunnel header.
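An added example, not from this thread or from Cisco, illustrating the two points made above: once a packet is wrapped in ESP tunnel mode, a classifier that matches on the inner protocol number and port no longer sees those fields, while a classifier that matches on the DSCP/TOS byte copied into the outer header still does. All addresses, ports and the SPI are constructed; the "encryption" is a placeholder XOR, not real ESP.

```python
import struct

ESP_PROTO = 50   # IP protocol number used by ESP
TCP_PROTO = 6

def ipv4_header(src, dst, proto, tos, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero, not needed here)."""
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def tcp_segment(sport, dport, data):
    """Minimal 20-byte TCP header (flags/checksum zeroed) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + data

def esp_tunnel_encapsulate(inner_packet, outer_src, outer_dst, spi=0x1000):
    """Wrap a whole IP packet in ESP tunnel mode. The ESP payload is opaque to
    anyone on the path; the outer header copies the inner TOS byte (as IPsec does)."""
    inner_tos = inner_packet[1]
    opaque = bytes(b ^ 0xA5 for b in inner_packet)          # placeholder, NOT encryption
    esp = struct.pack("!II", spi, 1) + opaque                 # SPI, sequence number, payload
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, inner_tos, len(esp)) + esp

def classify(packet, rule):
    """Return rule['label'] if the packet matches. A rule carries either 'dscp'
    (outer-header match) or 'proto' + 'dport' (needs the transport header)."""
    proto = packet[9]
    dscp = packet[1] >> 2
    if "dscp" in rule:
        return rule["label"] if dscp == rule["dscp"] else None
    if proto != rule["proto"]:                                # ESP shows proto 50, not TCP
        return None
    ihl = (packet[0] & 0x0F) * 4
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return rule["label"] if dport == rule["dport"] else None

def demo():
    # Constructed sample: priority-1 traffic is TCP to port 5060, marked DSCP EF (46).
    inner = ipv4_header("10.1.1.10", "10.2.2.20", TCP_PROTO, 46 << 2, 24) + tcp_segment(40000, 5060, b"ping")
    outer = esp_tunnel_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    port_rule = {"proto": TCP_PROTO, "dport": 5060, "label": "label_1"}
    dscp_rule = {"dscp": 46, "label": "label_1"}
    return {
        "plain_by_port": classify(inner, port_rule),   # matches
        "esp_by_port": classify(outer, port_rule),     # None: port hidden inside ESP
        "plain_by_dscp": classify(inner, dscp_rule),   # matches
        "esp_by_dscp": classify(outer, dscp_rule),     # matches via copied TOS byte
        "outer_proto": outer[9],                       # 50
    }
```

The same reasoning applies to IKE (UDP 500) for the control traffic; the CE sees only the outer header, so the remaining QoS hook is the TOS/DSCP byte, which is what the "qos pre-classify" suggestion above relies on.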

