WAN, GRE and QOS

tahscolony
Level 1

When there is a GRE/IPSec tunnel off G0/0, and a service policy applied outbound on G0/0 for specific traffic, say IP-based ACL or port-based ACL to assign bandwidth limits, and all traffic other than basic routing for the GRE tunnel flows through the IPSec/GRE tunnel, what traffic does the service policy see? In which order is the traffic processed going out G0/0?

 

Is it service policy first, then encrypted and sent out the tunnel?  Would it be better to apply the policy to the tunnel itself?

3 Replies

Hello

You can enable qos pre-classify to the tunnel

 

Where Do I Apply the Service Policy?

You can apply a service policy to either the tunnel interface or to the underlying physical interface. The decision of where to apply the policy depends on the QoS objectives. It also depends on which header you need to use for classification.

  • Apply the policy to the tunnel interface without qos-preclassify when you want to classify packets based on the pre-tunnel header.

  • Apply the policy to the physical interface without qos-preclassify when you want to classify packets based on the post-tunnel header. In addition, apply the policy to the physical interface when you want to shape or police all traffic belonging to a tunnel, and the physical interface supports several tunnels.

  • Apply the policy to a physical interface and enable qos-preclassify on a tunnel interface when you want to classify packets based on the pre-tunnel header.

    res
    Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

What I am looking to accomplish is to prioritize or reserve a set amount of bandwidth for one network, and restrict how much bandwidth another network uses. When I look at netflow stats on G0/0 all I see is ESP, but when I look at the policy I am seeing that ACL based traffic appears to be hitting. This is what is prompting my question.

 

So does the traffic get prioritized before going through the tunnel when the policy is applied to the physical interface? If that's the case, then I can just continue to modify the existing policy.

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Is it service policy first, then encrypted and sent out the tunnel?

The policy applies to traffic "seen" on the interface.  Normally, the policy would see encrypted tunnel traffic's encapsulated packet's headers, but as Paul's posting notes, if you use qos pre-classify, your policy "sees" the original packet's header.  Note, however, some QoS techniques, such as NBAR, examine more than a packet's headers, and I've found those will not work on encapsulated packets, even when qos pre-classify is used.

Would it be better to apply the policy to the tunnel itself?

It depends on what your policy is attempting to do.  I've used policies on the tunnel, on the physical egress interface supporting a tunnel, sometimes on both at the same time (if supported by the platform).
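
The third option in the list quoted in the first reply (policy on the physical interface, qos pre-classify on the tunnel) can be sketched as the IOS configuration below. This is an added example, not configuration from any poster in this thread; the ACL, class, policy and profile names, all addresses and the rates are constructed assumptions, and the IPsec profile is assumed to be defined elsewhere.

```cisco
! Constructed example: every name, address and rate here is an assumption.
! Classification uses ACLs only, which match on packet headers.
ip access-list extended NET-A
 permit ip 10.10.0.0 0.0.255.255 any
ip access-list extended NET-B
 permit ip 10.20.0.0 0.0.255.255 any
!
class-map match-all CM-NET-A
 match access-group name NET-A
class-map match-all CM-NET-B
 match access-group name NET-B
!
policy-map WAN-OUT
 ! Reserve bandwidth (kbps) for the first network during congestion
 class CM-NET-A
  bandwidth 2000
 ! Cap the second network (bps); excess traffic is dropped
 class CM-NET-B
  police 1000000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! VPN-PROFILE is a hypothetical IPsec profile defined elsewhere
 tunnel protection ipsec profile VPN-PROFILE
 ! Lets the policy on G0/0 classify on the pre-tunnel (original) header
 qos pre-classify
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 ! Without qos pre-classify on Tunnel0, this policy would classify
 ! on the post-tunnel header only
 service-policy output WAN-OUT
```

Per-class match and drop counters for the applied policy can be checked with `show policy-map interface GigabitEthernet0/0`.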
