Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

QoS for GRE tunnels


Does anybody know is following design possible:

Network is hub and spoke. Locations are connected through ISP and network uses GRE tunnels. Network carries various traffic so there is need for QoS. Each tunnel has hierarchical QoS with parent-child policy. Parent policy shapes whole traffic for particular tunnel at desired bandwidth and child policy treats each traffic class at different way.

Looking at the physical interface that connect to ISP, its physical speed and service that is available from ISP are not the same so there is also QoS traffic shaping at physical interface that adjusts interface bandwidth to ISP available bandwidth. 

Device that has this config is Cisco 2900 and has high CPU although there is not much traffic going through it.


Is it possible to do shaping twice - on GRE tunnel interface and on physical interface at the same time? It can be configured but is it working at all and what effect that has on Cisco 2900 box. I didn't find any reference for this configuration. 



Hello.On 2900 you can't run


On 2900 you can't run QoS on physical link and inside the tunnel simultaneously.

But you can run 2 routers (or 2 VRFs): the first for GRE QoS and the second (CE) for link shaping.

PS: regarding CPU utilization - do you have IPSec on your tunnels?

New Member

Hi, Thanks for answering.Do



Thanks for answering.

Do you maybe know about a document (configuration guide or platform architecture document) that can verify that this is not possible. I wasn't able to find any information - neither that is possible neither that is not possible. But it can be configured without any error. 

It would also be interesting to know which QoS feature is done with this config - I suppose one on GRE tunnel because this happens before packet goes to physical interface.

And IPSec is not used or any other encription.

Hello.Yes, it's a HFQ


Yes, it's a HFQ:

Currently, certain QoS deployments include a service policy with queuing features applied at the tunnel or a virtual interface, and a service policy with queuing features applied at the physical interface. In Release 12.4(20)T, a service policy with queuing features can only be supported at one of these interfaces. When migrating to Release 12.4(20)T, a router configuration containing service policies at both interfaces will only keep the one applied to the physical interface.

Regarding CPU.Please provide

Regarding CPU.

Please provide " sh int summ" and "sh proc cpu sort 1min".

Super Bronze

DisclaimerThe Author of this


The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.


What model 2900 and define "not much traffic".

Is packet fragmentation possible?