
QoS for IPsec traffic over MPLS cloud

Hi there,

I have two VPN routers in my datacenter, which is connected to an MPLS cloud, and around 1000 branches connected to the MPLS cloud using BGP. I want to configure QoS for the IPsec traffic and make sure that this IPsec traffic gets higher priority than the other traffic. Kindly find the attached file for my network topology.

I need some clarification on the few points below.

1. If it is IPsec traffic, the MPLS service provider is unable to view the QoS marking (DSCP or IP precedence) because it is encrypted data, so is it possible to mark the IPsec traffic in such a way that the MPLS service provider can receive it and map it to MPLS EXP bit 5?

2. If I just add the qos-preclassify command under the crypto map and mark the traffic with DSCP or IP precedence or any value, will the service provider be able to identify the traffic and map it to the EXP bit?

Kindly let us know the solution for this.


Hariharan k


Re: QoS for IPsec traffic over MPLS cloud

Dear Hariharan

Yes you are right.

Because whenever a tunnel packet is generated, a new IP header is created, where the ToS byte from the original IP header
is copied to this newly created header, and this header is copied in front of the encrypted original packet.

like    [new ip header----encrypted original packet]

So if you have marking before the packet enters the tunnel, this marking will be available to the provider network.

But assume that you have applied QoS on the egress interface; then the original packet header will be lost. But with the help of
qos-preclassify the original unencrypted packet is kept in memory until the QoS actions have been taken.

Like in your case, if you have QoS between your switch and VPN router then preclassify is not required. But if you are putting QoS between the VPN
router and the MPLS cloud then pre-classification is a must.

Hope this is helpful to you
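
The ToS copy described in the reply above, as an added example that is not part of the original thread: a constructed inner packet is wrapped in a tunnel-mode outer header and then classified using only the fields a provider can read. All addresses, the SPI and the payloads are constructed, the ciphertext is a random stand-in, and deriving EXP from the three precedence bits of the DSCP is an assumption about the provider's mapping.

```python
import os
import socket
import struct

ESP = 50  # IP protocol number for ESP

def checksum(hdr: bytes) -> int:
    """RFC 791 header checksum over a 20-byte header."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(tos: int, proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def esp_tunnel(inner: bytes, src: str, dst: str) -> bytes:
    """Tunnel-mode encapsulation: the new outer header inherits the inner ToS.
    Random bytes stand in for the ciphertext (no real ESP crypto, IV or ICV);
    only the header behaviour matters here."""
    esp = struct.pack("!II", 0x1000, 1) + os.urandom(len(inner))  # SPI, seq
    return ipv4(inner[1], ESP, src, dst, esp)

def provider_view(pkt: bytes) -> dict:
    """What a provider edge router can classify on: the outer header only.
    Assumption: EXP is taken from the three precedence bits of the DSCP."""
    dscp = pkt[1] >> 2
    return {"proto": pkt[9], "dscp": dscp, "exp": dscp >> 3}

# Constructed sample traffic: one EF-marked (DSCP 46) and one unmarked packet.
voice = ipv4(46 << 2, 17, "10.1.1.10", "10.2.2.20", b"constructed voice payload")
bulk = ipv4(0, 6, "10.1.1.11", "10.2.2.21", b"constructed bulk payload")

if __name__ == "__main__":
    for name, inner in (("voice", voice), ("bulk", bulk)):
        outer = esp_tunnel(inner, "192.0.2.1", "198.51.100.1")
        print(name, provider_view(outer))
```

The inner protocol and ports are hidden behind protocol 50 in the outer header, which is why a policy on the encrypting router's egress interface cannot match on them without pre-classification.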

