
QOS over frame-relay with IPSEC and GRE

steve.kerr
Level 1

I am attempting to configure QOS over a frame relay circuit which also uses GRE tunnels with IPSEC.

How can I show that the QOS profile is having the desired effect?

6 Replies

mheusinger
Level 10

Hello,

Per RFC, the TOS byte of the original IP header will be copied into the new IPSec header. So in an output policy you can, e.g., match on IP precedence, if this has been set in the original packet.

A second option is to use "qos pre-classify" on the tunnel interface or crypto policy. This will keep a copy of the original header to be used for classification on the output interface.

A description of the options is given at "Configuring QoS for Virtual Private Networks"

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75d3.html

I am assuming you use MQC (class-map, policy-map, service-policy). Then you can execute

show policy-map MyMAP interface Serial0/0

which will tell you all the counters about IP packets treated by this policy. The counters are also available through SNMP (e.g. through QoS Policy Manager).

Hope this helps! Please rate all posts.

pkhatri
Level 11

You should be able to use the 'show policy-map interface' command to see what the service policy is doing.

Also, when using tunnels, you should be careful about where you place the service-policy and whether you need to use qos-preclassify ...

Pls do remember to rate posts.

Paresh

Thanks for the response, but I have a question regarding the output below from one of my routers.

How is it determining the bandwidth? I have 2 PVCs on sub-interfaces s0/0.1 and s0/0.2, each has the command "bandwidth 32000" configured, and yet the bandwidths indicated using the show command are wildly different.

Class-map: output-fos (match-any)
  22112 packets, 2993222 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: ip precedence 2
    22112 packets, 2993222 bytes
    5 minute rate 0 bps
  Queueing
    Output Queue: Conversation 265
    Bandwidth 25 (%)
    Bandwidth 386 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 3414/675064
    (depth/total drops/no-buffer drops) 0/0/0

Class-map: output-atm (match-any)
  173201 packets, 11967873 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: ip precedence 1
    173201 packets, 11967873 bytes
    5 minute rate 0 bps
  Queueing
    Output Queue: Conversation 266
    Bandwidth 15 (%)
    Bandwidth 231 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 5864/957600
    (depth/total drops/no-buffer drops) 0/0/0

Class-map: output-creditease (match-any)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: ip precedence 2
    0 packets, 0 bytes
    5 minute rate 0 bps
  Queueing
    Output Queue: Conversation 267
    Bandwidth 10 (%)
    Bandwidth 154 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 0/0
    (depth/total drops/no-buffer drops) 0/0/0

This is the configuration that I am using:

class-map match-any input-fos
 match access-group 152
class-map match-any input-atm
 match access-group 153
class-map match-any output-creditease
 match ip precedence 2
class-map match-any input-creditease
 match access-group 154
class-map match-any output-fos
 match ip precedence 2
class-map match-any output-atm
 match ip precedence 1
!
!
policy-map setToS
 class input-fos
  set precedence 2
 class input-atm
  set precedence 1
 class input-creditease
  set precedence 2
policy-map useToS
 class output-fos
  bandwidth percent 25
 class output-atm
  bandwidth percent 15
 class output-creditease
  bandwidth percent 10
policy-map use-tos

I have added the policies to interfaces as shown below:

interface FastEthernet0/0
 description Harbour Front Branch LAN
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 service-policy input setToS
 ip route-cache flow
 duplex auto
 speed auto

(ip address removed for security reasons)

!
interface Serial0/0
 no ip address
 service-policy output useToS
 encapsulation frame-relay IETF
 cdp enable
 frame-relay lmi-type q933a

Int s0/0 is configured as two sub-interfaces, s0/0.1 and s0/0.2. s0/0.1 is the live interface; s0/0.2 connects to DR and passes no traffic in normal operation.

I have also used the qos pre-classify command on the crypto maps and the tunnel interfaces.

Hello,

the config for a single PVC should look like this:

interface Serial0/0
 enc fram
 frame-relay traffic-shaping
interface Serial0/0.1 point-to-point
 ip address ...
 frame-relay interface-dlci 100
  class MyPVC
map-class frame-relay MyPVC
 frame-relay cir 32000
 service-policy output useToS

(from the top of my head, so minor IOS inconsistencies might exist ;-)

This will allow you to get the proper bandwidth in the policies.

Hope this helps! Please rate all posts.

Regards, Martin
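Added example (not written by any poster in this thread): a small Python parser for the "show policy-map interface" output quoted above. It reports per-class packet and drop counters, flags a class whose match criterion repeats an earlier class, and back-computes the reference bandwidth the percentages were applied to. The function names are hypothetical, and the truncation of the displayed kbps value is an assumption.

```python
import re

# Trimmed copy of the "show policy-map interface" output quoted in the thread.
SAMPLE = """\
Class-map: output-fos (match-any)
  22112 packets, 2993222 bytes
  Match: ip precedence 2
  Bandwidth 25 (%)
  Bandwidth 386 (kbps) Max Threshold 64 (packets)
  (depth/total drops/no-buffer drops) 0/0/0
Class-map: output-atm (match-any)
  173201 packets, 11967873 bytes
  Match: ip precedence 1
  Bandwidth 15 (%)
  Bandwidth 231 (kbps) Max Threshold 64 (packets)
  (depth/total drops/no-buffer drops) 0/0/0
Class-map: output-creditease (match-any)
  0 packets, 0 bytes
  Match: ip precedence 2
  Bandwidth 10 (%)
  Bandwidth 154 (kbps) Max Threshold 64 (packets)
  (depth/total drops/no-buffer drops) 0/0/0
"""

FIELDS = {"packets": r"^\s*(\d+) packets,", "percent": r"Bandwidth (\d+) \(%\)",
          "kbps": r"Bandwidth (\d+) \(kbps\)",
          "drops": r"drops\) \d+/(\d+)/\d+"}

def parse_classes(text):
    """One dict per class: counters plus the earlier class (if any) with the same match."""
    classes = []
    for block in re.split(r"(?m)^\s*Class-map: ", text)[1:]:
        c = {k: int(re.search(p, block, re.M).group(1)) for k, p in FIELDS.items()}
        c["name"] = block.split()[0]
        c["match"] = re.search(r"Match: (.+)", block).group(1).strip()
        # Classes are evaluated in order, so a repeated match criterion never sees traffic.
        c["shadowed_by"] = next((p["name"] for p in classes if p["match"] == c["match"]), None)
        classes.append(c)
    return classes

def reference_kbps_range(classes):
    """Range [lo, hi) of reference bandwidths consistent with every percent/kbps pair.
    Assumption: the displayed kbps is percent * reference / 100, truncated."""
    lo = max(c["kbps"] * 100 / c["percent"] for c in classes)
    hi = min((c["kbps"] + 1) * 100 / c["percent"] for c in classes)
    return lo, hi

if __name__ == "__main__":
    print(parse_classes(SAMPLE), reference_kbps_range(parse_classes(SAMPLE)))
```

On the thread's output the range starts at 1544 kbps, the IOS default bandwidth of a serial interface, which fits the policy being attached to Serial0/0 itself rather than to a sub-interface or PVC. The parser also reports output-creditease as shadowed by output-fos, since both match ip precedence 2.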

Martin,

How does this tie in with my GRE tunnel interfaces? All of my data goes down the tunnels, so all the serial interfaces and sub-interfaces will see is GRE with IPSEC 3DES on top.

Regards

Steve

Hi Martin,

Additionally, when I try to add the "frame-relay traffic-shaping" command to the s0/0 interface, I receive the following message:

Harbour_RTR01(config-if)#frame-relay traffic-shaping
Cannot set FCFS interface queueing.
Frame relay traffic-shaping not configured.
