Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSEC with GRE, QOS possible?

We are currently testing IPSEC and GRE tunnels successfully. I am using CAR, for example, to give a particular tunnel a guaranteed 128K out of the serial interface into the ISP. Is it possible to use CBWFQ on traffic within a GRE tunnel? as you can on a normal physical interface?

5 REPLIES
New Member

Re: IPSEC with GRE, QOS possible?

Current Cisco IOS versions support the ability to copy the IP ToS values from the packet header into the tunnel header. With that the intermediate routers between each end of the tunnel can pay attention to these precedence bits so you can provide QoS such as CBWFQ. For more information, check out:

http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/qsvpn_wp.htm

Does anyone else here have some experience in this area? Your input would be helpful.

New Member

Re: IPSEC with GRE, QOS possible?

We need to set up QoS at our core routers. Our typical satellite connection uses PIX ipsec tunnels. What if the packet is already tunneled when it hits the router? On PIX<->PIX tunnels would'nt this ToS copy need to occur on PIX before exiting Outside interface?

New Member

Re: IPSEC with GRE, QOS possible?

PIX release 5.2(1) and higher corrects this behavior to make this ToS copy compliant with RFC2401. Refer to bug ID# CSCdr41431 which can be viewed using the Bug Toolkit at:

http://www.cisco.com/kobayashi/bugs/bugs.html

When upgrading to 5.2(x) code (as with any upgrade), please review the release notes to understand changes, caveats, and unresolved known issues. Release notes are located at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

New Member

Re: IPSEC with GRE, QOS possible?

If you you have a bit of patience, cisco introduced a command in 12.0(5)XE called "qos pre-classify" which went in an ipsec crypto map to cause traffic to be classified according to the physical interface's cbwfq policy prior to encryption. It gives you a lot more room to manoever. Unfortunately everything else in that release was broken. However, in 12.1(4)T they've got it working. The pre-classify command is no longer needed for straight IPSec in tunnel mode since they made that the default behaviour. You need the "qos pre-classify" command if you're doing a GRE tunnel.

Bottom line, you get to use the same policies you use elsewhere for your tunnels without having to try to remember what ToS/precedence value corresponds to each service.

Incidentally, just to plug something...I'm working on a graphing tool for graphing the info returned from the CBWFQ MIB. Since you get plots on flows in real-time as opposed to when the flow ends, these graphs will show the spikes that netflow can't. It's rather pre-alpha but it does work. If anyone has access to IOS that has the CBWFQ MIB and is interested, email me.

regards,

Steve

New Member

Re: IPSEC with GRE, QOS possible?

Yes the CBWFQ is supported on tunnel interfaces so you can apply a policy on output traffic (last IOS versions).

Also you must pay attention that the tunnel traffic goes out on a physical interface which also shoud guarantee the traffic generated by the tunnel interface (gre traffic).

222
Views
0
Helpful
5
Replies
CreatePlease to create content