Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

QOS and GRE over IPsec

Hi,

I've got my main campus dans a remote site connected with a GRE over IPsec tunnel in tunnel mode. The GRE/IPsec works just fine. My problem is with my outbound policy-map. This one is used to police the traffic to the Bw of the remote site. It got a child policy to do LLQ for the voice traffic matching on precedence 5 since I'm doing qos pre classify.

Problem :

In the parent policy-map, I'm trying to match only some traffic because this is a router on a stick configuration. It trying to match on ESP from host A to host B where those host are the two vpn gateway. I've got no match in my acl counter. That's bizarre!

Now, I add to my ACL the permit ip any 10.4.0.0 0.0.255.255. This is my remote site IP range. I've got hits !!! That IP should be buried in GRE. GRE should be encapsulated in ESP. How can a outbound QOS policy (it should be applied last on the traffic, after encryption) be able to match on a encrypted IP field inside the packet? That's really really bizarre!!!

Can anyone tell me what I'm missing here?

3 REPLIES
Hall of Fame Super Silver

Re: QOS and GRE over IPsec

Hello Dominic,

what you see could be the effect of the qos pre classify command that moves back the point of view for the QoS application

see

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_q1.html#wp1046954

Otherwise the ACL should match in the first formulation on GRE hosts as you noted

Hope to help

Giuseppe

Re: QOS and GRE over IPsec

QOS pre-classify only copy the inside TOS to the outside header. That would explain why inner policy-map is doing it's job. I can match on ip precedence there but not on udp port.

My question is more about the outbound parent policy. Since the packet are IPSec, I should match on esp packets. Problem is, I'm matching on the encrypted IPs.

Still, my link is working fine. The way I see this, it could be a cosmetic bug issue or something related to the configuration of my GRE tunnel. The traffic is entering the router and leaving by the same physical interface. That interface is the source interface of the GRE tunnel and encryption is put on that interface. It's a bit messy.

The next step might be to move the source of the GRE tunnel to a loopback interface. What do you think? I cant add a new physical interface because all the other slot are populated by links from my other remotes sites.

Hall of Fame Super Silver

Re: QOS and GRE over IPsec

Hello Dominic,

>> The traffic is entering the router and leaving by the same physical interface.

probably you are in very specific case.

However, I think that QoS preclassify does more then copying TOS to outside header for the simple reason that even without qos-preclassify this happens in most scenarios for example we used it on a Cisco 877 with IPSec/GRE tunnel.

About making changes if you haven't the additional interface I don't see any reason to do it.

(golden rule: works ? don't touch it)

Hope to help

Giuseppe

220
Views
0
Helpful
3
Replies
CreatePlease to create content