We are currently testing IPSEC and GRE tunnels successfully. I am using CAR, for example, to give a particular tunnel a guaranteed 128K out of the serial interface into the ISP. Is it possible to use CBWFQ on traffic within a GRE tunnel, as you can on a normal physical interface?
Current Cisco IOS versions support the ability to copy the IP ToS values from the packet header into the tunnel header. With that, the intermediate routers between each end of the tunnel can pay attention to these precedence bits so you can provide QoS such as CBWFQ. For more information, check out:
We need to set up QoS at our core routers. Our typical satellite connection uses PIX IPsec tunnels. What if the packet is already tunneled when it hits the router? On PIX<->PIX tunnels, wouldn't this ToS copy need to occur on the PIX before exiting the Outside interface?
If you have a bit of patience, Cisco introduced a command in 12.0(5)XE called "qos pre-classify" which went in an IPsec crypto map to cause traffic to be classified according to the physical interface's CBWFQ policy prior to encryption. It gives you a lot more room to manoeuvre. Unfortunately everything else in that release was broken. However, in 12.1(4)T they've got it working. The pre-classify command is no longer needed for straight IPSec in tunnel mode since they made that the default behaviour. You need the "qos pre-classify" command if you're doing a GRE tunnel.
Bottom line, you get to use the same policies you use elsewhere for your tunnels without having to try to remember what ToS/precedence value corresponds to each service.
Incidentally, just to plug something...I'm working on a graphing tool for graphing the info returned from the CBWFQ MIB. Since you get plots on flows in real-time as opposed to when the flow ends, these graphs will show the spikes that netflow can't. It's rather pre-alpha but it does work. If anyone has access to IOS that has the CBWFQ MIB and is interested, email me.
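The GRE case described in the reply above, as an added configuration sketch that is not part of the original thread or taken from Cisco documentation. Interface names, the ACL number, class and policy names, and all addresses are constructed placeholders.

```cisco
! Constructed example: names, ACL number and addresses are placeholders.
! Classify on the inner (pre-encapsulation) header: interactive traffic
! between two sites that is carried inside the GRE tunnel.
access-list 101 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq telnet
!
class-map match-all INTERACTIVE
 match access-group 101
!
policy-map WAN-OUT
 class INTERACTIVE
  bandwidth 128
 class class-default
  fair-queue
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
! Keep a copy of the original header so the policy on Serial0/0 can
! match ACL 101. Without this line the policy sees only GRE packets
! between the tunnel endpoints and everything falls into class-default.
 qos pre-classify
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 service-policy output WAN-OUT
```

`show policy-map interface Serial0/0` lists per-class packet counters, which is a quick check that tunneled traffic is landing in the intended class rather than in `class-default`.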