
COS to WAN ISP

Bob Greer
Level 4

Hi there,

Thanks for reading.

My ISP is dropping packets from our BE COS queue. I just found out we're not marking properly and only 10% of our traffic is in the correct COS queue. Based on legacy requests, the ISP has COS2 set as highest priority. The interface is the termination for IPSEC tunnels. I need to mark those outgoing packets on those tunnels for COS2. I think I need a map and a policy and then attach that policy to tunnel interfaces?

Thanks!

Bob


Seb Rupik
VIP Alumni

Hi Bob,

Try the following:

!
ip access-list extended IPSEC-ACL
  permit udp any eq isakmp any eq isakmp
  permit esp any any 
!
class-map match-all IPSEC-CM
  match access-group name IPSEC-ACL
!
policy-map type qos IPSEC-PM
  class IPSEC-CM
    set cos 2
    set dscp cs2
!
int <outbound_interface>
  service-policy output IPSEC-PM
!

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/IPSecQoS.html

cheers,

Seb.

Hi Seb,

Thanks for writing!

My IOS doesn't have type qos under policy-map.  Here's what it DOES have.  None seem to lead to type QoS.  I'm using IOSXE  03.16.03.S

  access-control      
  appnav              
  control             
  inspect             
  packet-service      
  performance-monitor 
  service             
  service-chain

Thanks!  

Hi Bob,

OK, only a slight tweak required for IOS-XE:

! Match IKE (UDP 500 to UDP 500) and ESP (IP protocol 50)
ip access-list extended IPSEC-ACL
  permit udp any eq isakmp any eq isakmp
  permit esp any any
!
class-map IPSEC-CM
  match access-group name IPSEC-ACL
!
! Mark matched traffic with CoS 2 and DSCP CS2
policy-map IPSEC-PM
  class IPSEC-CM
    set cos 2
    set dscp cs2
!
! Apply the marking policy outbound on the WAN-facing interface
int <outbound_interface>
  service-policy output IPSEC-PM
!

More information can be found here:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/qos/configuration_guide/b_qos_3se_3850_cg/b_qos_3se_3850_cg_chapter_011.html#d9712e7502a1635

cheers,

Seb.

Thanks Seb, I tried that and can confirm: your recommendations worked, including the IOSXE modification.

Joseph W. Doherty
Hall of Fame
Most Cisco devices will copy a packet's ToS to the tunnel packet's ToS. So if you tag your packets as they enter the tunnel, the ToS should be copied.
Or, as an alternative, you might tag your tunnel packets as they pass out the physical egress interface. The difference with the latter is that the tunnel packet's ToS can have a different marking from the original packet's.
Either of the above can be done by using a CBWFQ policy attached to an interface.
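
An added example, not written by any poster in this thread: a small Python model of the IPSEC-ACL / IPSEC-PM logic above and of the ToS copy Joseph describes, run on constructed IPv4 headers. The helper names, the documentation addresses and the UDP 4500 (NAT-T) sample are assumptions added here, to show which packets the ACL as written does and does not re-mark.

```python
import struct

CS2 = 16                    # DSCP value of class selector 2 (ToS byte 0x40)
ESP, UDP = 50, 17           # IP protocol numbers
ISAKMP, NAT_T = 500, 4500   # IKE port; NAT-T port (not on the page, see lead-in)

def ipv4(proto, dscp, payload=b""):
    """Minimal IPv4 header (documentation addresses, checksum left 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 1])) + payload

def udp(sport, dport):
    """UDP header with no data, checksum left 0."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

def dscp_of(pkt):
    return pkt[1] >> 2

def matches_ipsec_acl(pkt):
    """IPSEC-ACL: permit udp any eq isakmp any eq isakmp / permit esp any any."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == ESP:
        return True
    if pkt[9] == UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return sport == ISAKMP and dport == ISAKMP
    return False

def tunnel_encap(inner):
    """Outer ESP header copies the inner ToS byte; the payload stands in for
    ciphertext (no real encryption in this model)."""
    return ipv4(ESP, dscp_of(inner), inner)

def egress_policy(pkt):
    """IPSEC-PM: 'set dscp cs2' on class IPSEC-CM; other traffic is untouched.
    ECN bits are preserved; a real device would also refresh the checksum."""
    if not matches_ipsec_acl(pkt):
        return pkt
    return pkt[:1] + bytes([(CS2 << 2) | (pkt[1] & 0x03)]) + pkt[2:]

if __name__ == "__main__":
    samples = {"ESP, inner unmarked": tunnel_encap(ipv4(6, 0)),
               "ESP, inner EF": tunnel_encap(ipv4(6, 46)),
               "IKE 500/500": ipv4(UDP, 0, udp(ISAKMP, ISAKMP)),
               "NAT-T 4500/4500": ipv4(UDP, 0, udp(NAT_T, NAT_T))}
    for name, pkt in samples.items():
        print(f"{name:20} before={dscp_of(pkt):2} after={dscp_of(egress_policy(pkt)):2}")
```

In this model the egress policy rewrites only the outer header, so the inner packet keeps its original marking, and a tunnel that runs over UDP 4500 falls through the ACL and stays in best effort.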