What is the Difference Between Policy Map Applied to Tunnel Interface vs. Physical Interface in IPSEC Encrypted GRE Tunnel?
We are configuring an IPSEC-encrypted GRE tunnel. It is working OK, but we have a QoS configuration issue.
We have 4 different traffic classes and want to configure policy maps which will cover those 4 class-maps. Our sample configuration is as below. We thought of applying "qos pre-classify" to the tunnel interfaces and applying the policy map to the physical interface. This is one choice.
One other thought is to configure the same class-maps and configure a separate policy map for each of the 4 class-maps, without the "qos pre-classify" command, then apply the policy map to the tunnel interface. Would this create the same effect on the physical interface as the first case, or won't the physical interface notice the packets, since they're encrypted with IPSEC while going out?
The third choice is to configure "qos pre-classify" on the tunnel interface and apply the policy map to the tunnel interface. We did not meet such a configuration in the documentation. The hardware platform is the ASR1000 Series.
What's the difference between these 3 scenarios from a scalability and performance perspective?
Re: What is the Difference Between Policy Map Applied to Tunnel
The "qos pre-classify" command is used to keep the original header in memory so that it can be classified when QoS comes.
If you apply it to the tunnel interface, you don't need it, as the encapsulation and encryption come after the QoS on the interface.
Now, if you apply the QoS on the tunnel interface, it will apply the QoS inside the tunnel, but when the IPSEC packet leaves the physical interface, there won't be QoS applied to it, so it might be treated as best effort.
It might be simpler to handle QoS through a policy map on the tunnel interface, but in this case it may be a good option to allow bandwidth for the whole tunnel on the physical interface.
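The two placements discussed in this thread, side by side, as an added example that is not taken from the original posts or from Cisco documentation. Class names, the ACL, addresses, rates and the IPsec profile EXAMPLE-PROFILE (assumed to be defined elsewhere) are constructed, and two separate uplinks are used only so that both variants can be shown at once.

```cisco
! Constructed example; all names, addresses and rates are assumptions.
ip access-list extended SIGNALING-ACL
 permit tcp any any eq 5060
class-map match-any VOICE
 match dscp ef
class-map match-any SIGNALING
 match access-group name SIGNALING-ACL
class-map match-any CRITICAL
 match dscp af31
class-map match-any BULK
 match dscp af11
!
policy-map FOUR-CLASS
 class VOICE
  priority percent 20
 class SIGNALING
  bandwidth percent 5
 class CRITICAL
  bandwidth percent 30
 class BULK
  bandwidth percent 10
!
! Parent shaper for the tunnel variant (assumed 50 Mbit/s tunnel rate).
policy-map TUNNEL-PARENT
 class class-default
  shape average 50000000
  service-policy FOUR-CLASS
!
! Variant A: policy on the physical interface, pre-classify on the tunnel.
! The DSCP classes match the outer header (ToS is copied on encapsulation);
! the ACL-based SIGNALING class needs the inner header kept by pre-classify.
interface Tunnel0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile EXAMPLE-PROFILE
 qos pre-classify
interface GigabitEthernet0/0/0
 service-policy output FOUR-CLASS
!
! Variant B: policy on the tunnel, classified before GRE and IPsec are added,
! so no pre-classify; the physical interface carries no per-class policy.
interface Tunnel1
 tunnel source GigabitEthernet0/0/1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile EXAMPLE-PROFILE
 service-policy output TUNNEL-PARENT
```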