New Member

Tunnel vs Transport mode and Qos

I have a few site-to-site VPNs enabled, all in tunnel mode. They are all 1700 series, so I cannot use the qos pre-classify command. If I change the tunnels to transport mode, I will be able to use QoS features. Will I have to change my configuration at all to accommodate transport mode?

Thanks,

RJ

Bronze

Re: Tunnel vs Transport mode and Qos

I believe that the qos pre-classify command is supported on the 1751s in 12.2(4)YB IOS.

http://www.cisco.com/warp/public/cc/pd/rt/1700/prodlit/1706_pp.htm

New Member

Re: Tunnel vs Transport mode and Qos

Thanks for the info, but I only have 1720s. Does transport mode for IPsec require a different configuration than tunnel mode, other than specifying transport mode in the config?

Thanks,

RJ

New Member

Re: Tunnel vs Transport mode and Qos

Yes, and in a fairly big way. Using transport mode presupposes that the traffic between the sites has already been tunneled by some other means, such as GRE. This is a perfectly valid way of doing things, but you will need to read up on using crypto with GRE so that you know what is involved.

New Member

Re: Tunnel vs Transport mode and Qos

So, I actually have a config that uses GRE and IPsec vs. just IPsec in tunnel mode. So I can actually use transport mode and QoS, since GRE tunnels the packet first and then IPsec is applied, correct? I just need to apply the crypto map to the tunnel interface and the physical interface?

Thanks,

RJ

New Member

Re: Tunnel vs Transport mode and Qos

I run the exact same setup that you are wanting to do. I have a hub VPN router (2621 series with AIM encryption module) and 14 sites running VPN into that hub router (remote sites have 2621s also).

What you are going to do is create a GRE tunnel between the external interfaces on your routers. It's best to create and verify that the tunnel operates prior to applying a crypto map. Then you are going to modify your IPsec transform set to use "transport" mode rather than tunnel mode. Once the GRE tunnel is up, and you have created an access-list defining what traffic to encrypt, you can apply the crypto map (to both routers) and encrypt the packets that pass through the tunnel.

After that, set up your QoS and apply that to your tunnel interfaces.

A couple of important things to remember. First, never apply or change an access-list while the crypto map is applied to the tunnel interface. Something freaks out when you do that, and it takes the physical interface down so badly that you need to perform a physical reboot.

Second, running your system in this manner allows you to do some things that aren't possible with IPsec tunnels: QoS is one of them, but routing is another. You can broadcast your routes out your tunnel interface and your remote router will pick them up. It's also a good troubleshooting tool. Let's say you apply a crypto map and it doesn't work for some reason. If you can see your remote router getting routing updates, you know your GRE tunnel is up and running, so your problem is narrowed down to a misconfiguration in your IPsec encryption setup (access-lists, usually!).

One last thing: if you plan to route internet traffic through your GRE tunnel (we do, because we monitor outbound traffic at our firewall), look up the whitepaper on Cisco's web site about not being able to browse through a GRE tunnel. You might have to add the command "ip tcp mss adjust 1400" to your tunnel interface to enable browsing. Not a big deal really, but it took me some time to figure out that my firewall wasn't at fault.
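The hub-side IOS configuration that the procedure above describes (GRE tunnel first, a transport-mode transform set, a crypto ACL that matches only the GRE traffic, the crypto map on the outside interface, then QoS and MSS adjustment on the tunnel), written out as an added example that is not from the original thread or from either poster. It also illustrates the earlier reply's point that transport mode assumes GRE has already encapsulated the packet. All addresses are RFC 5737 documentation ranges, the pre-shared key, interface names, shape rate and the OSPF process are placeholder assumptions. Two caveats for a practitioner: the MSS command as IOS actually accepts it is `ip tcp adjust-mss`, and on IOS releases before 12.2(13)T the crypto map had to be applied to the tunnel interface as well as the physical interface, whereas later releases apply it to the physical interface only.

```text
! Hub router - added example. Addresses are documentation ranges and the
! pre-shared key is a placeholder; replace both before use.
!
! --- Step 1: GRE tunnel between the outside interfaces. Bring this up and
! confirm routing over it BEFORE any crypto map is applied.
interface Tunnel0
 description GRE to remote site 1
 ip address 10.255.0.1 255.255.255.252
 ip tcp adjust-mss 1400
 tunnel source Ethernet0
 tunnel destination 198.51.100.1
 service-policy output TUNNEL-QOS
!
interface Ethernet0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.248
 crypto map GRE-MAP
!
interface FastEthernet0
 description Hub LAN
 ip address 192.168.1.1 255.255.255.0
!
! Routing runs over the tunnel, so remote LANs are learned dynamically and a
! neighbor on Tunnel0 proves the GRE path independently of IPsec.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! --- Step 2: IKE policy and a TRANSPORT-mode transform set. Transport mode
! is sufficient because GRE has already encapsulated the original packet.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set GRE-XFORM esp-aes esp-sha-hmac
 mode transport
!
! --- Step 3: the crypto ACL matches only GRE between the two tunnel
! endpoints, never the inner LAN subnets (those ride inside the GRE).
access-list 110 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-XFORM
 match address 110
!
! --- Step 4: QoS on the tunnel interface sees the cleartext inner packet,
! so it classifies on the original DSCP before encryption. The shaper rate
! is a placeholder for the site's upstream bandwidth; queueing on a tunnel
! normally has to sit under a shaper like this.
class-map match-all VOICE
 match ip dscp ef
!
policy-map TUNNEL-CHILD
 class VOICE
  priority 128
 class class-default
  fair-queue
!
policy-map TUNNEL-QOS
 class class-default
  shape average 512000
  service-policy TUNNEL-CHILD
!
! Verification, separating "GRE is up" from "IPsec is working":
!   show ip ospf neighbor     - a neighbor on Tunnel0 means GRE is passing traffic
!   show crypto isakmp sa     - QM_IDLE means IKE phase 1 completed
!   show crypto ipsec sa      - #pkts encaps/decaps should increment on both peers
```

The remote router mirrors this with the tunnel source/destination, crypto peer, ACL hosts and LAN subnet swapped. Follow the post's ordering strictly: get OSPF adjacency over the bare GRE tunnel first, then add the crypto map, and if the adjacency drops at that point the fault is in the IKE or IPsec configuration rather than the tunnel.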
