Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

QoS for IPSEC encrypted GRE tunnel

I have an DSL router connected to a central site via a GRE tunnel. The tunnel is encrypted by IPSEC and works fine.

- cisco 836 IOS version c836-k9o3s8y6-mz.123-2.XA6.bin

- DSL 7550kbps/864kbps

- ipsec encrypted gre tunnel

- ipsec tunnel mode

I'm trying to implement QoS. The configuration is rather straight forward.

- class-maps for voip and citrix

- policy-map - child and parent; with LLQ and CBWFQ; class based shaping

- qos pre-classify to classify packets prior to encryption

- crypto commands to prevent fragmentation after encryption

- expanded anti replay window

- output service-policy on tunnel interface

Two things don't work however.

- 'shape average' command for policy-map. I can enter it but it doesn't show up in the configuration and no error message appears.

- 'service-policy output parent' command on interface tunnel0. I can enter it but it doesn't show up in the configuration. Sometimes it says ' CBWFQ : Hierarchy supported only if shaping is configured in this class'. That's obvious because the 'shape average 400000' won't stick. Funny thing however is that i do not get the error message when i enter the 'shape average' command in the policy-map first. But still they both won't show up.

And the net result is that there is no active policy on the interface:

dsl-router#sh policy-map

Policy Map parent

Class class-default

service-policy child

Policy Map child

Class voip

Strict Priority

Bandwidth 30 (%)

Class citrix

Bandwidth 500 (kbps) Max Threshold 64 (packets)

Class class-default

Flow based Fair Queueing

Bandwidth 0 (kbps) Max Threshold 64 (packets)

set dscp default

Also tried other IOS versions. Same result. Anyone got a clue what's going wrong here?

---------------------config example---------------------

crypto isakmp policy 1

authentication pre-share

!

crypto isakmp key xxx address 192.xxx.yyy.10

crypto ipsec transform-set VPN-SITE-TRANS esp-3des esp-sha-hmac

crypto ipsec security-association replay window-size 1024

crypto df-bit set

crypto ipsec fragmentation before-encryption

!

crypto map VPN-SITE 1 ipsec-isakmp

set peer 192.xxx.yyy.10

set transform-set VPN-SITE-TRANS

match address VPN-TO-CENTRAL

!

class-map match-any voip

match ip dscp ef

class-map match-any citrix

match access-group name citrix_ports

!

policy-map child

class voip

priority percent 30 ! LLQ

class citrix

bandwidth 500 ! CBWFQ

class class-default

fair-queue

set dscp default

policy-map parent

class class-default

shape average 400000 ! shape traffic to 400 kbps

service-policy child

!

interface Tunnel0

description GRE tunnel

ip address 137.aaa.bbb.2 255.255.255.252

qos pre-classify

service-policy output parent

keepalive 10 3

tunnel source BVI1

tunnel destination 192.xxx.yyy.10

crypto map VPN-SITE

!

interface Ethernet0

description LAN

ip address 10.19.245.254 255.255.255.0

ip helper-address 10.11.12.13

ip tcp adjust-mss 1432

no ip mroute-cache

!

interface ATM0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

pvc 0/35

encapsulation aal5snap

!

dsl operating-mode auto

!

interface BVI1

description towards outside dsl

mac-address 0000.00c2.5911

ip address dhcp

no ip redirects

qos pre-classify

crypto map VPN-SITE

!

router eigrp 20

passive-interface BRI0

passive-interface Ethernet0

network 10.0.0.0

network 137.aaa.bbb.ccc

no auto-summary

!

ip access-list extended citrix_ports

permit tcp any any eq 1494

permit udp any any eq 1494

permit tcp any any eq 1604

permit udp any any eq 1604

permit tcp any any eq 2598

permit udp any any eq 2598

deny ip any any

!

ip access-list extended VPN-TO-CENTRAL

permit gre any host 192.xxx.yyy.10

!

end

3 REPLIES
Super Bronze

Re: QoS for IPSEC encrypted GRE tunnel

Don't know the exact fix, but some suggestions:

The parent policy is shaping at 400 Kbps but the child has a (Citrix) class with 500 Kbps?

CBWFQ is sensitive to interface bandwidth, you might try defining a bandwidth on the tunnel to a virtual 1 Mbps or so. (BTW: sometimes CBWFQ will place errors in the log not seen at the command line.)

You might also consider using the policy on the outbound physical interface. Amend the parent to only apply to the tunnel traffic and use DSCP markings, copied to the encrypted packet's header, for VoIP and Citrix traffic.

PS:

You might also consider, if available, using NBAR to match Citrix.

Super Bronze

Re: QoS for IPSEC encrypted GRE tunnel

Cisco Employee

Re: QoS for IPSEC encrypted GRE tunnel

Hi,

Have you tried to attach your parent policy to the physical interface and not to the tunnel?

interface Tunnel0

description GRE tunnel

ip address 137.aaa.bbb.2 255.255.255.252

qos pre-classify

keepalive 10 3

tunnel source BVI1

tunnel destination 192.xxx.yyy.10

crypto map VPN-SITE

!

interface BVI1

description towards outside dsl

mac-address 0000.00c2.5911

ip address dhcp

service-policy output parent

no ip redirects

qos pre-classify

crypto map VPN-SITE

Hope this helps! Please use the rating system.

Regards, Martin

545
Views
0
Helpful
3
Replies
CreatePlease to create content