CBWFQ & IPSec VPN

Hello,

We have an IPSec tunnel established between our office and another site using 2 ASA 5510s running 8.0(3).

We have a T1 connecting these sites. I want to be able to use CBWFQ on the serial interfaces of the routers. How can I "copy" the DSCP value into the IP header of the ESP packet on the ASA, if the DSCP is set on the ingress interface of the ASA? I want certain VPN traffic to be placed into different queues on the serial interfaces. I see there is the "qos pre-classify" command that exists for routers. Does the ASA have something similar? If not, what can I do?

Thanks!

6 REPLIES

Re: CBWFQ & IPSec VPN

I thought the DSCP bits are automatically copied from the inner header to the outer header as per the RFC?

QoS pre-classify is only required if you need to apply QoS policies based on other parameters (not copied or visible) at the egress interface.

E.g. in case of IPSEC tunnel mode the layer 4 port-numbers are not visible. For transport mode more fields are visible.

Regards

Farrukh

Re: CBWFQ & IPSec VPN

I agree with Farrukh.

According to the Cisco SRND:

"In Cisco AVVID solutions, the IP Phone and gateways provide the capability to set the ToS byte so routers can make the appropriate QoS decision. However, most data applications do not set the ToS byte and queuing decisions must be based on other fields of the IP header, including source/destination IP address, port numbers, and protocol.

Once the original IP packet is encrypted by IPSec, fields other than the ToS byte, such as port numbers, protocol and source/destination IP address fields, are no longer in clear text and cannot match an output service policy. QoS Pre-Classify is a Cisco IOS software feature to allow fancy queuing, CBWFQ/WFQ, at the output interface to match on these other fields in the original IP header, even after the original IP header is encrypted."

However,

you can use matching in the class map and make the matching based on your VPN tunnel-group that you have.

In that case you can play with priority or bandwidth limitation.

Check the following link:

PIX/ASA 7.x and Later: Bandwidth Management (Rate Limit) Using QoS Policies

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

good luck

please, if helpful rate


Re: CBWFQ & IPSec VPN

Awesome! I did not realize the RFC called for the ToS byte to be copied from the inner header to the outer header. I was planning on testing this out today by creating the policy-maps and running a capture on the other VPN endpoint to see if I see the DSCP bits set in the outer headers. I will let you guys know what I find.

Thanks!
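As an added, constructed example (not from this thread and not Cisco's ASA code): a small Python model of tunnel-mode ESP encapsulation that copies the inner DSCP into the outer IPv4 header, plus a function showing what a CBWFQ class-map on the serial interface can and cannot see on the resulting ESP packet. The addresses, SPI, and the fixed-byte XOR standing in for the cipher are assumptions, and there is no real encryption here.

```python
import socket
import struct

IPV4_HDR_LEN = 20
ESP_PROTO = 50   # IP protocol number carried by the outer header of every ESP packet

def ipv4_header(src, dst, proto, payload_len, dscp, ecn=0, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at 0; constructed sample only)."""
    tos = (dscp << 2) | ecn   # DS field: DSCP in the upper 6 bits, ECN in the lower 2
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, IPV4_HDR_LEN + payload_len,
                       0, 0, ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def dscp(packet):
    """DSCP = upper six bits of the second IPv4 header byte (RFC 2474)."""
    return packet[1] >> 2

def esp_tunnel_encapsulate(inner, tunnel_src, tunnel_dst, spi, seq, copy_dscp=True):
    """Tunnel-mode ESP: the whole inner IP packet becomes the ESP payload.
    A fixed-byte XOR stands in for the cipher (assumption, not real encryption);
    the point is that the inner header is opaque to the egress classifier.
    RFC 4301 default behaviour copies the inner DSCP to the outer header;
    copy_dscp=False models a tunnel configured to clear it instead."""
    esp = struct.pack("!II", spi, seq) + bytes(b ^ 0x5A for b in inner)
    outer_dscp = dscp(inner) if copy_dscp else 0
    return ipv4_header(tunnel_src, tunnel_dst, ESP_PROTO, len(esp), outer_dscp) + esp

def egress_classifier_view(packet):
    """What a class-map on the serial interface can match on an ESP packet:
    outer addresses, protocol 50 and the DSCP. TCP/UDP ports are only
    parseable when the protocol field says 6 or 17, which it never does for ESP."""
    proto = packet[9]
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "proto": proto, "dscp": dscp(packet),
            "ports_visible": proto in (6, 17)}

def sample_exchange():
    """Constructed sample: an EF-marked (DSCP 46) UDP packet entering the ASA
    and the ESP packet that leaves toward the remote peer."""
    udp = struct.pack("!HHHH", 16384, 16384, 8, 0)   # src port, dst port, length, checksum
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, len(udp), dscp=46) + udp
    outer = esp_tunnel_encapsulate(inner, "203.0.113.1", "198.51.100.1", 0x1000, 1)
    return inner, outer

if __name__ == "__main__":
    inner, outer = sample_exchange()
    print("inner DSCP", dscp(inner), "outer DSCP", dscp(outer))
    print(egress_classifier_view(outer))
```

On a real capture, read the second byte of the outer IPv4 header the same way: an outer value of 46 on the ESP packet confirms the copy, which is all the serial-interface CBWFQ policy needs to match.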

Re: CBWFQ & IPSec VPN

good luck

please, if helpful rate


Re: CBWFQ & IPSec VPN

It does work! Thanks for letting me know this! See attached picture.

Thanks!!!!

Re: CBWFQ & IPSec VPN

Brantley this is 5+ :)
