Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
133
Views
0
Helpful
0
Replies
Highlighted
cco@leferguson.com
cco@leferguson.com Beginner
Beginner
‎07-21-2019 05:01 PM
‎07-21-2019 05:01 PM

IOSv QoS on IPSec tunnel, weird error, maybe wrong approach...

I am setting up QoS for the first time, to accomodate requirements from a specialized VoIP vendor, and testing on GNS3 with Viral IOSv images, and am running into two issues.  A pair of routers on each end communicate over a tunnel (on a semi-private link not the internet) to another pair at the other end.  I'm using multiple tunnels (for each router combination) and EIGRP to decide which tunnel to use on the WAN side, and HSRP on the LAN side for router failover.  All that is working in simulation.

 

The second problem I'm having (just to get it out first) is that when I try to attach the service-policy to the tunnel interface I get an error I can't find in goggle anywhere, "Cannot support MATCH METADATA on virtual interface".  This seems related to the access-groups which inspect the DSCP class of packets.  This is just the beginning of the setup, but it is what gives the error: 

 

 

class-map match-any Class_DSCP_EF
 match access-group name DSCP_EF
 match application rtp
class-map match-any Class_DSCP_CS2
 match access-group name DSCP_CS2
 match access-group name OAM
class-map match-any Class_DSCP_CS3
 match access-group name DSCP_CS3
 match access-group name DATA_CALL_CONTROL
!
policy-map xxxxx_QoS
 class Class_DSCP_EF
  set dscp ef
 class Class_DSCP_CS3
  set dscp cs3
 class Class_DSCP_CS2
  set dscp cs2
!
ip access-list extended DATA_CALL_CONTROL
permit tcp any any eq 9911 9999 7778 1234 9901 6601 9988 9960 9915
permit tcp any any eq 6665 9989 domain 20102 1723 5060 7777 8888
permit udp any any eq 5060 5063 9912 1234 domain
permit ip any host 225.1.77.78
permit ip any host 225.1.10.12
permit ip any host 239.9.1.1
permit ip any host 225.0.10.20
permit ip any host 225.1.10.11
permit ip any host 225.0.10.10

ip access-list extended DSCP_CS2
permit ip 10.40.0.0 0.0.255.255 10.50.0.0 0.0.255.255 dscp cs2
permit ip 10.50.0.0 0.0.255.255 10.40.0.0 0.0.255.255 dscp cs2
ip access-list extended DSCP_CS3
permit ip 10.40.0.0 0.0.255.255 10.50.0.0 0.0.255.255 dscp cs3
permit ip 10.50.0.0 0.0.255.255 10.40.0.0 0.0.255.255 dscp cs3
ip access-list extended DSCP_EF
permit ip 10.40.0.0 0.0.255.255 10.50.0.0 0.0.255.255 dscp ef
permit ip 10.50.0.0 0.0.255.255 10.40.0.0 0.0.255.255 dscp ef
ip access-list extended OAM
permit tcp any any eq 9912 5150 22 telnet 2000 3389 1433 www 443 1801
permit tcp any any eq 1801 135 2101 2103 2105 3527 1801 www 443
permit udp any any eq 3527 1801 1434
permit ip any host 225.1.10.13

When that is applied to the tunnel it gives the error.  I can apply it to the Gig interfaces. 

 

I think I can work around this issue by tagging in ingress and using a different service policy on egress, maybe, but... what does this mean?   That tunnel interfaces cannot do matches to DSCP?  This is an explicit tunnel not one from flexvpn (etc).   Is this a IOSv limitation I might not get in hardware (using 1100 series routers, due in this coming week).  Is it a sign that tunnel traffic cannot see DSCP?  Which brings me to the real issue...

 

But the first problem is perhaps more important -- how does QoS on an IPsec tunnel function.  Am I correct in trying to tag the unencrypted traffic and trusting that the encapsulation will respect the queuing specified?    Ensuring in back pressure from the tunnel that some traffic from each queue will be taken? 

 

Bottom line - what is the proper way to implement QoS when driving the data over a IPsec tunnel in a router (i.e. real tunnel interface; ikev2 if it matters)?  The tunnel is encrypted because this is a sensitive installation; the link is actually a private link not internet.  That said, I have no idea if it will honor QoS end to end; a state agency is involved and getting accurate info is not easy to come by. 

 

But I'd like to honor the QoS as traffic is encapsulated and output onto the WAN link, and may need to restrict certain classes to certain amounts of bandwidth.  Can that work in the tunnel interface?  At least on real hardware? 

 

Does encapsulation cause the tunnel packet  to inherit the DSCP tag (or associated CoS or whatever is appropriate) from the encapsulated packet?  Or is something separate needed to do that?  Like a separate service policy (and can those class maps "see" the contained packet? 


Sorry, I'm rambling now, hopefully that makes some sense.  Thanks in advance, Linwood

 

 

Labels:
0 Helpful
Reply
Latest Contents
Catalyst 9400 password Recovery
Created by Mohamed Alhenawy on 08-24-2019 03:58 AM
0
0
0
0
                                          &nb... view more
Cisco SD-Access Practical Deployment Best Practices - Scenar...
Created by Karthik Kumar Thatikonda on 08-22-2019 06:39 PM
0
0
0
0
Purpose of the document This document describes the general recommendations or best practices when designing and deploying the Cisco SD-Access technology. The document assumes that the reader has a general overview of Cisco's SD-Access for Distributed C... view more
Cisco Router ISR-4331 Show interface output interval issue?
Created by yihchin25 on 08-21-2019 10:46 PM
0
0
0
0
Dear All, When I use the show interface command on the Cisco Router ISR-4331, it will display as below information. The word that I mark red, it refresh every 5 seconds. But, I compare with the old router model like a Cisco 29XX or 28X... view more
Software-defined networking key theme at VMworld--and for IT...
Created by lhorwitz on 08-20-2019 12:09 PM
0
0
0
0
  Whether you're attending VMworld 2019 on-site or from afar, read the latest on the key themes to expect. They are also the key themes for IT management today, from software defined everything to cloud and automation to IoT and edgecomputing : http:... view more
Python Script using Netmiko Lib to SSH into network devices ...
Created by KrishnaTiwari8030 on 08-20-2019 04:39 AM
4
5
4
5
import netmikofrom netmiko import ConnectHandlerdevice = ConnectHandler(device_type="cisco-ios, ip="IP ADDRESS", username="USENAME", password="PASSWORD", secret="ENABLE PASSWORD")output1 = device.send_command("show running-config")print(output1)device.dis... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
July's Community Spotlight Awards