https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059190#M1004626 <P>Hello,</P><P></P><P>We have an IPSec tunnel established between our office and another site using 2 ASA 5510s running 8.0(3).</P><P></P><P>We have a T1 connecting these sites. I want to be able to use CBWFQ on the serial interfaces of the routers. How can I copy the "copy" the DSCP value into the IP header of the ESP packet on the ASA, if the DSCP is set on the ingress interface of the ASA? I want certain VPN traffic to be placed into different queues on the serial interfaces. I see there the "qos pre-classify" command that exists for routers. Does the ASA have something simular? If no, what can I do?</P><P></P><P>Thanks!</P> Fri, 21 Feb 2020 10:57:45 GMT support 2020-02-21T10:57:45Z https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059190#M1004626 <P>Hello,</P><P></P><P>We have an IPSec tunnel established between our office and another site using 2 ASA 5510s running 8.0(3).</P><P></P><P>We have a T1 connecting these sites. I want to be able to use CBWFQ on the serial interfaces of the routers. How can I copy the "copy" the DSCP value into the IP header of the ESP packet on the ASA, if the DSCP is set on the ingress interface of the ASA? I want certain VPN traffic to be placed into different queues on the serial interfaces. I see there the "qos pre-classify" command that exists for routers. Does the ASA have something simular? If no, what can I do?</P><P></P><P>Thanks!</P> Fri, 21 Feb 2020 10:57:45 GMT https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059190#M1004626 support 2020-02-21T10:57:45Z https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059191#M1004627 <HTML><HEAD></HEAD><BODY><P>I thought the DSCP bit is automatically coped from the inner header to the outer header as per the RFC?</P><P></P><P>QOS pre-classify is only required if you need to apply QOS policies based on other parameters (not copied or visible) at the egress interace.</P><P>E.g. in case of IPSEC tunnel mode the layer 4 port-numbers are not visible. For transport mode more fields are visible.</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P><P></P></BODY></HTML> Tue, 12 Aug 2008 01:26:19 GMT https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059191#M1004627 Farrukh Haroon 2008-08-12T01:26:19Z https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059192#M1004628 <HTML><HEAD></HEAD><BODY><P>i agree with Farrukh </P><P></P><P>according to cisco SRND</P><P>In Cisco AVVID solutions, the IP Phone and gateways provide the capability to set the ToS byte so</P><P>routers can make the appropriate QoS decision. However, most data applications do not set the ToS byte</P><P>and queuing decisions must be based on other fields of the IP header, including source/destination IP</P><P>address, port numbers, and protocol</P><P>Once the original IP packet is encrypted by IPSec, fields other than ToS byte, such as port numbers,</P><P>protocol and source/destination IP address fields, are no longer in clear text and cannot match an output</P><P>service policy. QoS Pre-Classify is an Cisco IOS software feature to allow fancy queuing,</P><P>CBWFQ/WFQ, at the output interface to match on these other fields in the original IP header, even after</P><P>the original IP header is encrypted</P><P></P><P>howver</P><P>u can use matching in the calss map and make the matching based on ur vpn tunnel-gourp that u have</P><P>in the case u can play with priority or bandwidth limitation</P><P></P><P>check the following link</P><P></P><P>PIX/ASA 7.x and Later: Bandwidth Management(Rate Limit) Using QoS Policies</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml</A></P><P></P><P>good luck</P><P></P><P>please, if helpful Rate</P></BODY></HTML> Tue, 12 Aug 2008 02:00:32 GMT https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059192#M1004628 Marwan ALshawi 2008-08-12T02:00:32Z https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059193#M1004629 <HTML><HEAD></HEAD><BODY><P>Awesome! I did not realize the RFC called for that ToS bytes to be copied from the inner header to the outer header. I was planning on testing this out today by creating the policy-maps and running a capture on the other VPN endpoint to see if I see the DSCP bits set in the outer headers. I will let you guys know what I find.</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 12 Aug 2008 12:49:13 GMT https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059193#M1004629 support 2008-08-12T12:49:13Z https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059194#M1004630 <HTML><HEAD></HEAD><BODY><P>good luck</P><P></P><P>please, if helpful rate</P></BODY></HTML> Tue, 12 Aug 2008 13:55:08 GMT https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059194#M1004630 Marwan ALshawi 2008-08-12T13:55:08Z https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059195#M1004632 <HTML><HEAD></HEAD><BODY><P>It does work! Thanks for letting me know this! See attached picture.</P><P></P><P>Thanks!!!!</P><P></P><P> </P><P></P></BODY></HTML> Tue, 12 Aug 2008 17:26:40 GMT https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059195#M1004632 support 2008-08-12T17:26:40Z https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059196#M1004634 <HTML><HEAD></HEAD><BODY><P>Brantley this is 5+ <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Wed, 13 Aug 2008 04:35:58 GMT https://community.cisco.com/t5/network-security/cbwfq-ipsec-vpn/m-p/1059196#M1004634 Marwan ALshawi 2008-08-13T04:35:58Z