Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
967
Views
1
Helpful
5
Replies

COS to WAN ISP

Go to solution
Bob Greer
Level 4
Level 4

‎08-28-2017 04:02 PM - edited ‎03-05-2019 09:03 AM

Hi there,

Thanks for reading.

My ISP is dropping packets from our BE COS queue.  I just found out we're not marking properly and only 10% of our traffic is in the correct COS queue.  Based on legacy requests, the ISP has COS2 set as highest priority.  The interface is the termination for IPSEC tunnels.  I need to mark those outgoing packets on those tunnels for COS2.  I think i need a map and a policy and then attach that policy to tunnel interfaces?

 

Thanks!

Bob

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni
In response to Bob Greer

‎08-30-2017 12:29 AM

Hi Bob,

OK, only a slight tweak required for IOS-XE:

 

!
ip access-list extended IPSEC-ACL
  permit udp any eq isakmp any eq isakmp
  permit esp any any 
!
class-map IPSEC-CM
  match access-group IPSEC-ACL
!
policy-map IPSEC-PM
  class IPSEC-CM
    set cos 2
    set dcsp cs2
!
int <outbound_interface>
  service-policy output IPSEC-PM
!

 

More information can be found here:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/qos/configuration_guide/b_qos_3se_3850_cg/b_qos_3se_3850_cg_chapter_011.html#d9712e7502a1635

 

cheers,

Seb.

View solution in original post

5 Replies 5

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎08-29-2017 02:47 AM

Hi Bob,

Try the following:

 

!
ip access-list extended IPSEC-ACL
  permit udp any eq isakmp any eq isakmp
  permit esp any any 
!
class-map match-all IPSEC-CM
  match access-group name IPSEC-ACL
!
policy-map type qos IPSEC-PM
  class IPSEC-CM
    set cos 2
    set dscp cs2
!
int <outbound_interface>
  service-policy output IPSEC-PM
!

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/IPSecQoS.html

 

cheers,

Seb.

0 Helpful

Go to solution
Bob Greer
Level 4
Level 4
In response to Seb Rupik

‎08-29-2017 11:43 AM

Hi Seb,

Thanks for writing!

My IOS doesn't have type qos under policy-map.  Here's what it DOES have.  None seem to lead to type QoS.  I'm using IOSXE  03.16.03.S

 

  access-control      
  appnav              
  control             
  inspect             
  packet-service      
  performance-monitor 
  service             
  service-chain     

 

Thanks!  

0 Helpful

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni
In response to Bob Greer

‎08-30-2017 12:29 AM

Hi Bob,

OK, only a slight tweak required for IOS-XE:

 

!
ip access-list extended IPSEC-ACL
  permit udp any eq isakmp any eq isakmp
  permit esp any any 
!
class-map IPSEC-CM
  match access-group IPSEC-ACL
!
policy-map IPSEC-PM
  class IPSEC-CM
    set cos 2
    set dcsp cs2
!
int <outbound_interface>
  service-policy output IPSEC-PM
!

 

More information can be found here:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/qos/configuration_guide/b_qos_3se_3850_cg/b_qos_3se_3850_cg_chapter_011.html#d9712e7502a1635

 

cheers,

Seb.

Go to solution
Bob Greer
Level 4
Level 4
In response to Seb Rupik

‎08-30-2017 09:29 AM

Thanks Seb, I tried that and can confirm: your recommendations worked, including the IOSXE modification.

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎08-29-2017 05:34 AM

Most Cisco devices will copy a packet's ToS to the tunnel packet's ToS. So if you tag your packets as they enter the tunnel, the ToS should be copied.
Or, as an alternative, you might tag your tunnel packets as they pass out the physical egress interface. The difference with the latter, the tunnel packet's ToS can have a different marking from the original packet's.
Either of the above can be done by using a CBWFQ policy attached to an interface.
0 Helpful
Customers Also Viewed These Support Documents