I have a VoIP gateway that is marking packets with DiffServ CS1 and CS2 levels. These packets first hit an internal router that has a GRE/IPSec transport mode tunnel to another router on the public Internet. The internal router uses its FastEthernet port to connect to a second in-house router that has a T1 connection to the Internet. In order to set up some QoS I would like to do the following:
1) On the internal router I am not going to set up any actual QoS policies, but I want to use the "qos pre-classify" commands on the crypto map and the tunnel interface in order to preserve the DSCP info on the IPSec encrypted packets that will be processed by the Internet router.
2) On the Internet router I will set up a policy that matches DSCP packets and assigns them to an LLQ using the "priority" command.
Since the IPSec tunnel also carries non-VoIP traffic, my objective here is to prioritize only IPSec packets that have voice. Non-voice IPSec and all other traffic will be treated in best-effort mode.
Since IOS 11.3T, the TOS bits of the IP header are copied automatically to the TOS bits of the GRE header. However, there was a problem. While the subsequent routers could use this info in the TOS field of the GRE header, the router doing this initial copying itself was unable to prioritize based on the TOS bits. The 'qos pre-classify' command solves this problem. With the command configured, the packets will be correctly classified and the QoS policy applied on the headend router too.
The information ultimately copied into the TOS bits of the new header mirrors the TOS bits in the original header. Also, the TOS bits are copied regardless of the 'qos pre-classify' command.
I am pretty sure the above setup will prioritize IPSec packets over non-IPSec, but what about the packets inside the tunnel? Will this prioritize "inside" the tunnel? My ultimate goal would be the following:
IPSec packets from VoIP host should have highest priority
IPSec packets from all other hosts and non-IPSec traffic should share remaining bandwidth and be treated with equal priority.
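
The two-router setup described in this thread, written out as an added configuration sketch (not posted by any participant and not taken from Cisco documentation). The interface names, crypto map name and sequence number, class and policy names, and the 512 kbps priority rate are assumptions chosen for illustration.

```cisco
! ---------- Internal router (GRE/IPSec tunnel endpoint) ----------
! No QoS policy here, only pre-classification as described in step 1.
! Tunnel0 and VPN-MAP 10 are assumed names for the existing tunnel
! interface and crypto map entry.
interface Tunnel0
 qos pre-classify
!
crypto map VPN-MAP 10 ipsec-isakmp
 qos pre-classify
!
! ---------- Internet router (T1 uplink) ----------
! This router only sees the outer IP header of the encrypted packets.
! Per the reply above, the TOS bits in that header mirror the
! original header, so CS1/CS2 remain matchable after encryption.
class-map match-any VOICE
 match ip dscp cs1 cs2
!
policy-map WAN-OUT
 ! LLQ for voice-marked packets; 512 (kbps) is an assumed rate and
 ! must be sized to the actual call volume on the T1.
 class VOICE
  priority 512
 ! Non-voice IPSec and all other traffic share what remains.
 class class-default
  fair-queue
!
! Serial0/0 is an assumed name for the T1 interface.
interface Serial0/0
 service-policy output WAN-OUT
```

On the Internet router, `show policy-map interface Serial0/0` reports per-class packet counters, which shows whether tunnel packets are landing in the VOICE class or in class-default.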