Cisco Support Community

QOS with IPSEC

Hi,

I have the following setup:

PC/IPPHONE---PIX------RTR/T1----INTERNET

|---IPSEC-----------------

I am trying to classify voice packets within the IPSEC tunnel so that I can do LLQ on RTR. Is there a way to copy the DSCP tag from original packet to the IPSEC packet header?

Or is there a better way of doing it?

Thanks,

Peter

1 ACCEPTED SOLUTION

Re: QOS with IPSEC

Hi Peter,

the IPSec RFC mandates to copy the TOS-Byte (includes DSCP) from the original IP header to the newly created IPSec IP header. So the best approach would be to mark before the encryption and to match on DSCP in the encrypted packets.

If the router itself does the encryption (not quite clear from your drawing) you could use "qos pre-classify" on the tunnel or crypto map. The router then keeps a copy of the original IP packet header associated with the IPSec packet allowing you to classify based on the original header. This however can only work within the router doing encryption, because once the IP packet leaves the box the content can not be detected (this is the idea of IPSec isn't it? ;-).

So either qos pre-classify or DSCP marking before encryption would allow you to use LLQ/CBWFQ for encrypted VoIP and other applications.

Hope this helps! Please rate all posts.

regards, Martin
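
The two options described in the answer above, sketched as IOS configuration. This is an added example, not part of the original post; the names VOICE-EF, WAN-LLQ, Serial0/0 and VPNMAP, the EF marking and the 256 kbps priority figure are assumptions, not values from the thread.

```cisco
! Added example. All names, the EF marking and the 256 kbps figure
! are assumed for illustration.
!
! Case 1: the PIX encrypts and RTR only sees ESP packets.
! The outer IP header carries the ToS byte copied from the original
! packet, so RTR classifies on the DSCP of the encrypted packet.
class-map match-all VOICE-EF
 match ip dscp ef
!
policy-map WAN-LLQ
 class VOICE-EF
  ! Size this for the encrypted packets: the IPSec headers add
  ! overhead to every voice packet.
  priority 256
 class class-default
  fair-queue
!
interface Serial0/0
 service-policy output WAN-LLQ
!
! Case 2: RTR itself does the encryption and the policy has to match
! on fields of the original header (addresses, ports) rather than on
! DSCP. qos pre-classify keeps a copy of the original header for the
! output policy on this router only.
crypto map VPNMAP 10 ipsec-isakmp
 qos pre-classify
```

`show policy-map interface Serial0/0` shows per-class packet counters, which confirms whether the encrypted voice packets are landing in the priority class.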


Re: QOS with IPSEC

I am already marking before encryption so that makes it easy. I wasn't sure if the encrypted packets inherited the DSCP bits.

Thank you very much for your help!!!
