IPSEC with GRE, QOS possible?

andy.priest
Level 1

We are currently testing IPSEC and GRE tunnels successfully. I am using CAR, for example, to give a particular tunnel a guaranteed 128K out of the serial interface into the ISP. Is it possible to use CBWFQ on traffic within a GRE tunnel, as you can on a normal physical interface?

5 Replies

bob.short
Level 1

Current Cisco IOS versions support the ability to copy the IP ToS values from the packet header into the tunnel header. With that the intermediate routers between each end of the tunnel can pay attention to these precedence bits so you can provide QoS such as CBWFQ. For more information, check out:

http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/qsvpn_wp.htm

Does anyone else here have some experience in this area? Your input would be helpful.

We need to set up QoS at our core routers. Our typical satellite connection uses PIX IPsec tunnels. What if the packet is already tunneled when it hits the router? On PIX<->PIX tunnels, wouldn't this ToS copy need to occur on the PIX before exiting the Outside interface?

PIX release 5.2(1) and higher corrects this behavior to make this ToS copy compliant with RFC2401. Refer to bug ID# CSCdr41431 which can be viewed using the Bug Toolkit at:

http://www.cisco.com/kobayashi/bugs/bugs.html

When upgrading to 5.2(x) code (as with any upgrade), please review the release notes to understand changes, caveats, and unresolved known issues. Release notes are located at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

If you have a bit of patience, Cisco introduced a command in 12.0(5)XE called "qos pre-classify" which went in an IPsec crypto map to cause traffic to be classified according to the physical interface's CBWFQ policy prior to encryption. It gives you a lot more room to manoeuvre. Unfortunately everything else in that release was broken. However, in 12.1(4)T they've got it working. The pre-classify command is no longer needed for straight IPsec in tunnel mode since they made that the default behaviour. You need the "qos pre-classify" command if you're doing a GRE tunnel.

Bottom line, you get to use the same policies you use elsewhere for your tunnels without having to try to remember what ToS/precedence value corresponds to each service.

Incidentally, just to plug something... I'm working on a graphing tool for graphing the info returned from the CBWFQ MIB. Since you get plots on flows in real time as opposed to when the flow ends, these graphs will show the spikes that NetFlow can't. It's rather pre-alpha, but it does work. If anyone has access to IOS that has the CBWFQ MIB and is interested, email me.

regards,

Steve

dragos.stroescu
Level 1

Yes, CBWFQ is supported on tunnel interfaces, so you can apply a policy on output traffic (latest IOS versions).

Also, pay attention that the tunnel traffic goes out on a physical interface which should also guarantee the traffic generated by the tunnel interface (GRE traffic).
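As an added example that is not part of this thread (it is neither Steve's nor dragos.stroescu's configuration), the following classic Cisco IOS configuration puts together the two points made above: "qos pre-classify" on the GRE tunnel and on the crypto map so the physical interface's CBWFQ policy can still see the inner headers after encapsulation, and the CBWFQ policy itself applied on the serial interface towards the ISP so that the tunnel's traffic gets its guaranteed share there. All names, addresses (documentation ranges), ACL numbers and the pre-shared-key placeholder are assumptions made up for the example; the 128 kbps figure mirrors the original question.

```cisco
! Added example (not from the thread). Hypothetical names and addresses:
! 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
!
! 1. Classify the inner (pre-encryption) traffic.
class-map match-all VOICE
 match ip dscp ef
class-map match-all BRANCH-APPS
 match access-group 110
!
! Assumed application flow between the two sites (constructed for the example).
access-list 110 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 1494
!
! 2. CBWFQ policy: 128 kbps strict priority for VOICE (the figure from the
!    question), 256 kbps guaranteed for BRANCH-APPS, fair queueing for the rest.
policy-map WAN-OUT
 class VOICE
  priority 128
 class BRANCH-APPS
  bandwidth 256
 class class-default
  fair-queue
!
! 3. IPsec protecting the GRE tunnel. The crypto map carries "qos pre-classify"
!    as Steve describes; the key is a placeholder, not a real value.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
crypto ipsec transform-set ESP-SET esp-aes esp-sha-hmac
access-list 120 permit gre host 192.0.2.1 host 198.51.100.1
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-SET
 match address 120
 qos pre-classify
!
! 4. GRE tunnel. "qos pre-classify" here is what Steve says is still needed for
!    GRE: the queueing policy on the physical interface classifies on the
!    original packet rather than on the GRE/ESP outer headers.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 198.51.100.1
 qos pre-classify
!
! 5. Physical interface towards the ISP: this is where the bandwidth actually
!    exists, so this is where the CBWFQ policy is attached (dragos's point).
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 bandwidth 1544
 crypto map VPN
 service-policy output WAN-OUT
```

Two practical checks: `show policy-map interface Serial0/0` shows per-class packet and drop counters, so if VOICE stays at zero while the tunnel carries EF-marked traffic, pre-classification is not taking effect. Also, classic IOS only lets `priority` and `bandwidth` classes reserve up to 75% of the interface `bandwidth` by default, so size the guarantees (and the `bandwidth` statement on the serial interface) against the real circuit speed rather than the tunnel's notional speed.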