QoS for IPSEC encrypted GRE tunnel

Discussion in 'Cisco' started by erikisme, Mar 18, 2008.

  1. erikisme

    erikisme Guest


    I have a DSL router connected to a central site via a GRE tunnel. The
    tunnel is encrypted by IPSEC and works fine.

    - cisco 836 IOS version c836-k9o3s8y6-mz.123-2.XA6.bin
    - DSL 7550kbps/864kbps
    - ipsec encrypted gre tunnel
    - ipsec tunnel mode

    I'm trying to implement QoS. The configuration is rather straight

    - class-maps for voip and citrix
    - policy-map - child and parent; with LLQ and CBWFQ; class based
    - qos pre-classify to classify packets prior to encryption
    - crypto commands to prevent fragmentation after encryption
    - expanded anti replay window
    - output service-policy on tunnel interface

    Two things don't work however.

    - 'shape average' command for policy-map. I can enter it but it
    doesn't show up in the configuration and no error message appears.

    - 'service-policy output parent' command on interface tunnel0. I can
    enter it but it doesn't show up in the configuration. Sometimes it
    says ' CBWFQ : Hierarchy supported only if shaping is configured in
    this class'. That's obvious because the 'shape average' won't stick.
    Funny thing however is that I do not get the error message when I
    enter the 'shape average' command in the policy-map first. But still
    they both won't show up.

    And the net result is that there is no active policy on the interface:

    dsl-router#sh policy-map
      Policy Map parent
        Class class-default
          service-policy child

      Policy Map child
        Class voip
          Strict Priority
          Bandwidth 30 (%)
        Class citrix
          Bandwidth 500 (kbps) Max Threshold 64 (packets)
        Class class-default
          Flow based Fair Queueing
          Bandwidth 0 (kbps) Max Threshold 64 (packets)
          set dscp default

    Anyone got a clue what's going wrong here?

    ---------------------config example---------------------
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key 0 72e7823djijeaj281r84sokdij382883djj address
    crypto ipsec transform-set VPN-SITE-TRANS esp-3des esp-sha-hmac
    crypto ipsec security-association replay window-size 1024
    crypto df-bit set
    crypto ipsec fragmentation before-encryption
    crypto map VPN-SITE 1 ipsec-isakmp
     set peer 192.xxx.yyy.10
     set transform-set VPN-SITE-TRANS
     match address VPN-TO-CENTRAL
    class-map match-any voip
     match ip dscp ef
    class-map match-any citrix
     match access-group name citrix_ports
    policy-map child
     class voip
      priority percent 30 ! LLQ
     class citrix
      bandwidth 500 ! CBWFQ
     class class-default
      set dscp default
    policy-map parent
     class class-default
      shape average 400000 ! shape traffic to 400 kbps
      service-policy child
    interface Tunnel0
     description GRE tunnel
     ip address 137.aaa.bbb.2
     qos pre-classify
     service-policy output parent
     keepalive 10 3
     tunnel source BVI1
     tunnel destination 192.xxx.yyy.10
     crypto map VPN-SITE
    interface Ethernet0
     description LAN
     ip address
     ip helper-address
     ip tcp adjust-mss 1432
     no ip mroute-cache
    interface ATM0
     no ip address
     no ip mroute-cache
     no atm ilmi-keepalive
     pvc 0/35
      encapsulation aal5snap
     dsl operating-mode auto
    interface BVI1
     description towards outside dsl
     mac-address 0000.00c2.5911
     ip address dhcp
     no ip redirects
     qos pre-classify
     crypto map VPN-SITE
    router eigrp 20
     passive-interface BRI0
     passive-interface Ethernet0
     network 137.aaa.bbb.ccc
     no auto-summary
    ip access-list extended citrix_ports
     permit tcp any any eq 1494
     permit udp any any eq 1494
     permit tcp any any eq 1604
     permit udp any any eq 1604
     permit tcp any any eq 2598
     permit udp any any eq 2598
     deny ip any any
    ip access-list extended VPN-TO-CENTRAL
     permit gre any host 192.xxx.yyy.10
    erikisme, Mar 18, 2008
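
Added example, not part of the original post: a Python check for the symptom described above, where the router keeps the nested `service-policy` in the parent class but silently drops `shape average`. It assumes indented policy-map text as `show running-config` prints it; `EFFECTIVE` is a constructed sample that re-expresses the `sh policy-map` output from the post in config syntax, and all function names are hypothetical.

```python
import re

# Policy-maps as entered in the post's config example.
INTENDED = """\
policy-map child
 class voip
  priority percent 30 ! LLQ
 class citrix
  bandwidth 500 ! CBWFQ
 class class-default
  set dscp default
policy-map parent
 class class-default
  shape average 400000
  service-policy child
"""
# Constructed: what the router retained according to 'sh policy-map' in the post.
EFFECTIVE = INTENDED.replace("  shape average 400000\n", "")

def parse_policy_maps(text):
    """Return {policy: {class: [commands]}} from indented IOS config text."""
    maps, pm, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()          # drop trailing '!' comments
        if not line:
            continue
        if not raw[0].isspace():                  # top-level command ends any block
            m = re.match(r"policy-map (\S+)$", line)
            pm, cls = (maps.setdefault(m.group(1), {}) if m else None), None
        elif pm is not None:
            m = re.match(r"class (\S+)$", line)
            if m:
                cls = pm.setdefault(m.group(1), [])
            elif cls is not None:
                cls.append(line)
    return maps

def hierarchy_violations(maps):
    """Classes that nest a child policy without 'shape' in the same class."""
    return [(pm, c) for pm, classes in maps.items() for c, cmds in classes.items()
            if any(x.startswith("service-policy ") for x in cmds)
            and not any(x.startswith("shape ") for x in cmds)]

def dropped_commands(intended, effective):
    """Commands that were entered but are missing from the effective policy."""
    return [(pm, c, x) for pm, classes in intended.items()
            for c, cmds in classes.items()
            for x in cmds if x not in effective.get(pm, {}).get(c, [])]

if __name__ == "__main__":
    want, have = parse_policy_maps(INTENDED), parse_policy_maps(EFFECTIVE)
    print("hierarchy violations:", hierarchy_violations(have))
    print("dropped commands:", dropped_commands(want, have))
```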