GRE Tunnel protection and qos pre-classify

vzufferey
Level 1

How to apply QoS on GRE/IPSec tunnels when the GRE tunnels are encrypted using the "tunnel protection ipsec profile" command? Cisco documentation "QoS for VPN" says the pre-classify command has to be applied in the tunnel interface AND in the crypto-map. With GRE tunnel protection I don't have any crypto-map configured. I can apply pre-classify only in the tunnel interface... How does the QoS process work with this configuration?

router#sh run brief
[...]
crypto pki certificate chain ca
 certificate 00B6
 certificate ca 01
!
crypto isakmp policy 10
 encr 3des
 group 5
!
crypto ipsec transform-set uset esp-3des esp-sha-hmac
!
crypto ipsec profile u-ipsec
 set transform-set uset
 set pfs group5
!
policy-map child
 class class-default
  fair-queue
!
policy-map qos_shaping
 class class-default
  shape average 200000
  service-policy child
!
interface Tunnel140162
 ip unnumbered Loopback1
 service-policy output qos_shaping
 qos pre-classify
 tunnel source GigabitEthernet0/2.12
 tunnel destination 172.16.16.2
 tunnel protection ipsec profile u-ipsec
!

router#sh crypto map
Crypto Map "Tunnel140162-head-0" 65537 ipsec-isakmp
 Map is a PROFILE INSTANCE.
 Peer = 172.16.16.2
 Extended IP access list access-list permit gre host 172.16.9.20 host 172.16.16.2
 Current peer: 172.16.16.2
 PFS (Y/N): Y
 DH group: group5
 Transform sets={
  uniset,
 }

1 Reply

dmitry
Level 1

The service-policy output qos_shaping should go to the physical intf. the Tunnel140162 uses. In this case the policy-map will be able to see the tunnel's payload before encryption. You can leave the service-policy on the tunnel as it is now and do not have to use qos pre-classify, the only condition for MQC in this case: it has to be parent-child with the shaping in parent, otherwise it won't be configured on Tunnel.
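
An added example, not part of the original thread: a small Python check that reads a running configuration and reports, for each tunnel using "tunnel protection", whether qos pre-classify is set and whether an output service-policy is attached to the tunnel or to its source interface. The sample configuration is constructed from the question; the function names and the empty stanza for the source interface are assumptions, and the parser relies on the indentation that a real "show running-config" keeps.

```python
import re

# Constructed sample: the tunnel from the question plus an assumed, empty
# stanza for its source interface (the original post does not show it).
SAMPLE = """\
interface GigabitEthernet0/2.12
!
interface Tunnel140162
 service-policy output qos_shaping
 qos pre-classify
 tunnel source GigabitEthernet0/2.12
 tunnel protection ipsec profile u-ipsec
!
"""

def parse_interfaces(config):
    # Map interface name -> list of its indented sub-commands.
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line[:1] in (" ", "\t") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or another top-level line ends the stanza
    return interfaces

def output_policy(cmds):
    # Name of the policy attached with "service-policy output", if any.
    return next((c.split()[2] for c in cmds if c.startswith("service-policy output ")), None)

def audit_protected_tunnels(config):
    # For each tunnel using "tunnel protection", report where QoS is attached.
    ifs, report = parse_interfaces(config), {}
    for name, cmds in ifs.items():
        if not any(c.startswith("tunnel protection ipsec profile") for c in cmds):
            continue
        src = next((c.split()[2] for c in cmds if c.startswith("tunnel source ")), None)
        report[name] = {
            "pre_classify": "qos pre-classify" in cmds,
            "tunnel_policy": output_policy(cmds),
            "source": src,
            "source_policy": output_policy(ifs.get(src, [])),
        }
    return report

if __name__ == "__main__":
    print(audit_protected_tunnels(SAMPLE))
```

When the tunnel source is given as an IP address rather than an interface name, "source_policy" is reported as None because no matching stanza exists.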