Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

QoS on GRE/IPSec Tunnels


I have been tasked with implementing QoS over some GRE tunnels that a client has in place.

To give a general idea of the setup,

Central (hub) Site - Cisco 2811 connected to a 2048kbps Internet leased line - This holds down three GRE IPSec Tunnels to three seperate sites (spokes).

Each site is configured with a Cisco 1801 connected to an ADSL (estimated 8mb down, 800k up) links which are obviously the endpoints for each of the three GRE IPSec tunnels

2 of the sites mainly use Citrix traffic over the link back to the central site, whilst the third site is a larger branch office with their own Exchange Server, domain controller etc....

Most things performance wise are fine - However there is a UNIX based terminal app hosted at the central site which performs very poorly to the larger branch office (there arent enough Citrix Licenses to allow the branch office to use the Terminal based app over Citrix - So they are Telneting in directly to the server at the central site).

The larger branch office also sends the following over their Tunnel - smtp email, AD Replication, AD DNS etc....

So - I need to look at implementing some form of QoS on the network to hopefully improve the performance of the telnet based app in the first instance whilst not negatively impacting on the perfomance of all other apps.

I have some vague idea's about how to achieve this - but I just need some pointers to assist in achieveing my goal

For info the Tunnels are laid out in the following logical Interfaces

Central Site

Serial0/0/0 - Connected to the 2mb leased Line

Tunnel0 - Goes to the large Branch Office

Tunnel1 - Goes to small citrix based site

Tunnel2 - Goes to the second small citrix based site

All remote sites use logical interface Tunnel0 back to their respective Tunnel at the central site

I have enabled qos pre-classify on the GRE tunnels and crypto maps, from what I have read it would be the best starting point

I will try and post some config snippets from the devices if this info is needed.

As you can probably guess - Im quite new to QoS!! (the books are on order ;-)



New Member

Re: QoS on GRE/IPSec Tunnels

You might want to check the MTU size over GRE IPSec tunnels. Usually you see poor performance over GRE IPsec tunnels when the packets are fragmented by the intermediate routers.

See below link:

Also, since you have different protocols running over WAN, you will definitely need some QoS for better performance and monitoring

Super Bronze

Re: QoS on GRE/IPSec Tunnels

First thing you want to identify is where your bottlenecks are. From your description, for outbound from hub to spokes, your bottleneck is the hub's physical 2 Mbps interface, since each spoke can accept 8 Mbps. I.e. so you'll want QoS there.

For inbound, each spoke will bottleneck at the 800 Kbps. (NB: you have a second possible bottleneck, the hub's 2 Mbps inbound, since the aggregate of 3 sites at 800 Kbps could be up to 2.4 Mbps. Assuming typical asymmetric hub/spoke traffic, and the small oversubscription of 400 Kbps, I doubt it will be an issue. But if it is, shape the aggregate of your 3 sites not to exceed 2 Mbps.) Also for your spokes, assuming the ADSL is an Ethernet interface, we'll need to shape to the uplink speed.

Although we could make a very advanced QoS policy, simple is nice if it works. In this case, if we can implement FQ and/or WFQ, we may be able to avoid complex QoS.

For the spokes, see if you can implement a shaper for 800 Kbps on the outbound tunnel. Something like:

interface tunnel #

!shape for 800 Kbps

shape 800000

For the hub, since there are multiple tunnels, we need to do something at the physical interface. Try this:

interface tunnel 0

qos pre-classify

interface tunnel 1

qos pre-classify

interface tunnel 2

qos pre-classify

interface serial0/0/0


or for the serial, instead of fair-queue, try

policy-map CBWFQ

interface serial0/0/0

service-policy output CBWFQ

Assuming the above works, but we want even better treatment for Citrix and/or Telnet, you might next (additionally) try something like.

class-map match-any GoldTraffic

match protocol telnet

match protocol citrix

policy-map TagTraffic

class GoldTraffic

set ip precedence (2,3 or 4)

class class-default

set ip precedence 0

interface (fast)Ethernet #

service policy input TagTraffic

CreatePlease to create content