I've got my main campus and a remote site connected with a GRE over IPsec tunnel in tunnel mode. The GRE/IPsec works just fine. My problem is with my outbound policy-map. This one is used to police the traffic to the bandwidth of the remote site. It's got a child policy to do LLQ for the voice traffic, matching on precedence 5 since I'm doing qos pre-classify.
In the parent policy-map, I'm trying to match only some traffic because this is a router-on-a-stick configuration. It's trying to match on ESP from host A to host B, where those hosts are the two VPN gateways. I've got no matches in my ACL counter. That's bizarre!
Now, I add to my ACL the permit ip any 10.4.0.0 0.0.255.255. This is my remote site IP range. I've got hits!!! That IP should be buried in GRE. GRE should be encapsulated in ESP. How can an outbound QoS policy (it should be applied last on the traffic, after encryption) be able to match on an encrypted IP field inside the packet? That's really really bizarre!!!
QoS pre-classify only copies the inside TOS to the outside header. That would explain why the inner policy-map is doing its job. I can match on IP precedence there but not on UDP port.
My question is more about the outbound parent policy. Since the packets are IPsec, I should match on ESP packets. Problem is, I'm matching on the encrypted IPs.
Still, my link is working fine. The way I see this, it could be a cosmetic bug issue or something related to the configuration of my GRE tunnel. The traffic is entering the router and leaving by the same physical interface. That interface is the source interface of the GRE tunnel and encryption is put on that interface. It's a bit messy.
The next step might be to move the source of the GRE tunnel to a loopback interface. What do you think? I can't add a new physical interface because all the other slots are populated by links from my other remote sites.
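The setup described in the post, written out as an added IOS configuration example (not the poster's own config): a parent policy on the physical interface matching ESP between the two gateways, a child LLQ policy on precedence 5, and qos pre-classify on the GRE tunnel. Gateway addresses 192.0.2.1/192.0.2.2, the 2 Mbps rate, interface names and policy names are placeholders; the parent uses shape average instead of the poster's policer because a child with priority queuing needs a parent that queues.

```ios
! Constructed example, not the poster's configuration.
! Placeholders: 192.0.2.1 = local VPN gateway, 192.0.2.2 = remote VPN gateway,
! 10.4.0.0/16 = remote site LAN (from the post), 2000000 bps = assumed remote link rate.
!
! Voice is identified by the precedence that qos pre-classify exposes from the inner header.
class-map match-all VOICE
 match ip precedence 5
!
! Post-encryption traffic to the remote site: ESP between the two gateways.
ip access-list extended REMOTE-SITE-ESP
 permit esp host 192.0.2.1 host 192.0.2.2
!
class-map match-all REMOTE-SITE
 match access-group name REMOTE-SITE-ESP
!
! Child policy: LLQ for voice, fair queuing for everything else.
policy-map REMOTE-SITE-CHILD
 class VOICE
  priority 512
 class class-default
  fair-queue
!
! Parent policy: shape the remote site's traffic to its link rate, then apply the child.
policy-map REMOTE-SITE-PARENT
 class REMOTE-SITE
  shape average 2000000
  service-policy REMOTE-SITE-CHILD
!
! GRE tunnel sourced from the same physical interface that carries the crypto map.
! qos pre-classify lets an output policy on that physical interface classify on the
! original (pre-encryption) header, which is why an ACL on 10.4.0.0/16 can get hits there.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 qos pre-classify
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN
 service-policy output REMOTE-SITE-PARENT
```

Counters in show policy-map interface GigabitEthernet0/0 output show which class the encrypted packets land in.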
>> The traffic is entering the router and leaving by the same physical interface.
Probably you are in a very specific case.
However, I think that QoS pre-classify does more than copying TOS to the outside header, for the simple reason that even without qos pre-classify this happens in most scenarios; for example, we used it on a Cisco 877 with an IPsec/GRE tunnel.
About making changes: if you don't have the additional interface, I don't see any reason to do it.