https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978290#M194686 <HTML><HEAD></HEAD><BODY><P>Hello Jit,</P><P></P><P>Firstly, I'm not from Cisco <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN> Neither the information i have provided below is a view of Cisco. </P><P></P><P>IMHO, this is not possible. The reason is, your packet is already encrypted &amp; gets inside the tunnel. Your ISP is just a transit path for you thats all. Not sure as to why you would like your ISP to respect your marking when you have a tunnel going on between sites? You need QoS between your sites, so you can keep your ISP apart from it. </P><P></P><P>Regards,</P><P>Vivek.</P></BODY></HTML> Tue, 03 Jul 2012 13:24:38 GMT Vivek Ganapathi 2012-07-03T13:24:38Z https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978289#M194685 <TABLE border="1" cellpadding="3" cellspacing="0" class="jiveBorder" style="width: 100%; border: 1px solid #000000;"><TBODY><TR><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>Tunnel Diagram</STRONG></SPAN></TH></TR><TR><TD><IMG src="https://community.cisco.com/legacyfs/online/legacy/5/6/4/94465-QoS%20setup.jpg" alt="QoS setup.jpg" class="jive-image-thumbnail jive-image" onclick="" width="450" /></TD></TR></TBODY></TABLE><P></P><P>Hi all, I have an uncommon situation and would like Cisco’s take on it.As per the above diagram </P><P></P><P>We have a requirement where we need to classify and mark traffic on the egress (on the CE routers). </P><P></P><P></P><P></P><P>The transmission media for this traffic is PPPoE. This PPPoE transmission is via RF and get’s terminated on the ISP PE routers (as per attached figure).</P><P></P><P></P><P></P><P>Once we have L3 reachability between CE sites we build GRE tunnels from the hub site (C) to the two spokes (A &amp; B). Over the GRE we run IPSec . Inside IPSec we enable BGP.</P><P></P><P></P><P></P><P><STRONG style="text-decoration: underline; ">The question</STRONG><SPAN style="text-decoration: underline;">:</SPAN></P><P></P><P></P><P></P><P>Our egress classification and marking is meant to be acknowledged and prioritised by the ISP, as you can see this traffic is within two tunnels - can this be done? Assuming both us &amp; the ISP are using Cisco devices running code 12.4 or higher.&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P>Many thnaks,</P><P></P><P>Jit</P> Tue, 05 Mar 2019 00:51:42 GMT https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978289#M194685 jitendraanbu 2019-03-05T00:51:42Z https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978290#M194686 <HTML><HEAD></HEAD><BODY><P>Hello Jit,</P><P></P><P>Firstly, I'm not from Cisco <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN> Neither the information i have provided below is a view of Cisco. </P><P></P><P>IMHO, this is not possible. The reason is, your packet is already encrypted &amp; gets inside the tunnel. Your ISP is just a transit path for you thats all. Not sure as to why you would like your ISP to respect your marking when you have a tunnel going on between sites? You need QoS between your sites, so you can keep your ISP apart from it. </P><P></P><P>Regards,</P><P>Vivek.</P></BODY></HTML> Tue, 03 Jul 2012 13:24:38 GMT https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978290#M194686 Vivek Ganapathi 2012-07-03T13:24:38Z https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978291#M194687 <HTML><HEAD></HEAD><BODY><P>Hello there, thanks for your response. This is exactly how I feel about this as well. It is not doable, as the packets are encrypted &amp; it's transparent to the ISP.</P><P></P><P>Rgds,</P><P>Jit</P></BODY></HTML> Wed, 04 Jul 2012 03:25:22 GMT https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978291#M194687 jitendraanbu 2012-07-04T03:25:22Z https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978292#M194688 <HTML><HEAD></HEAD><BODY><P>Hello Jit,</P><P></P><P>Right. End-to-End QoS would be between your sites within the GRE tunnel. So, ISP wouldn't know as the QoS marking would be encapsulated as well within the GRE header. </P><P></P><P>So frankly speaking, you must not bother about the ISP's involvement to have your markings acknowledged. Remember, you are running GRE, so you would have the End-to-End QoS between your endpoints only. </P><P></P><P>Regards</P><P>Vivek</P><P></P><P><EM>*Please rate helpful posts</EM></P></BODY></HTML> Wed, 04 Jul 2012 04:08:00 GMT https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978292#M194688 Vivek Ganapathi 2012-07-04T04:08:00Z https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978293#M194689 <HTML><HEAD></HEAD><BODY><P>Agai, I agree with you Vivek.</P><P></P><P>Disappointing no one from Cisco has commented on this.</P><P></P><P>Rgds,</P><P>Jit</P></BODY></HTML> Wed, 04 Jul 2012 05:57:51 GMT https://community.cisco.com/t5/routing-and-sd-wan/applying-qos-within-ipsec-and-gre-tunnels/m-p/1978293#M194689 jitendraanbu 2012-07-04T05:57:51Z