cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Applying QoS when using GRE over IPSec

Jump to solution

I have a three-site WAN configured using GRE Tunnels over IPSEC.  The WAN works great, but now we are introducing IP phones into the mix and the bosses do not want to shell out for the private circuits.  That being said, I need to configure QoS so I can at least get best effort.  I've done this plenty of times with straight-up IPSEC tunnels, but this is the first time using GRE over IPSEC.  My question is simple.  Does it work the same way?  I noticed that I cannot do traffic-shaping on GRE tunnels so I assume I would just need to apply traffic shaping and QoS policy on the public facing Internet interface? 

My concern is that the traffic in the GRE Tunnel is encrypted with IPSec and the matched packets from the QoS map my not be seen.

Labels (4)
0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Applying QoS when using GRE over IPSec

Jump to solution

Here is what we have done on our 7100 and remote 6355 using GRE over IPsec.

7100 configuration

qos map VOIP 10

  match dscp 46 26

  priority unlimited

!

!

interface eth 0/0

  description SuddenlinkWAN

  access-policy Public

  crypto map VPN

  media-gateway ip primary

  traffic-shape rate 1000000

  qos-policy out VOIP

  no awcp

  no shutdown

  no lldp send-and-receive

interface vlan 1

  ip address  10.10.10.1  255.255.255.0

  access-policy Private

media-gateway ip primary

  no shutdown

!

interface vlan 2

  ip address  10.10.20.1  255.255.255.0

  access-policy Private

media-gateway ip primary

  no shutdown

!

interface tunnel 1

  description Tunnel

  ip address  10.100.100.1  255.255.255.252

  access-policy Tunnel

  media-gateway ip primary

  tunnel mode gre

  keepalive 60 5

  mtu 1397

  bandwidth 100000

  no shutdown

6355 configuration

qos map VOIP 30

  match dscp 46 26

  priority unlimited

!

!

interface eth 0/0

  description WAN connection

  ip ffe

  access-policy Public

  crypto map VPN

  media-gateway ip primary

  traffic-shape rate 30000000

  qos-policy out VOIP

  no awcp

  no shutdown

  no lldp send-and-receive

!

interface vlan 1

  ip address  10.10.12.1  255.255.255.0

  ip ffe

  access-policy Private

  media-gateway ip primary

  no shutdown

!

interface vlan 2

  ip address  10.10.22.1  255.255.255.0

  ip ffe

  access-policy Private

  media-gateway ip primary

  no shutdown

!

interface tunnel 1

  description Tunnel

  ip address  10.100.101.2  255.255.255.252

  access-policy Tunnel

  media-gateway ip primary

  tunnel mode gre

  keepalive 60 5

  mtu 1397

  bandwidth 100000

  no shutdown

This resolved issues with call degradation across our tunnels and we no longer experience dropped words, call lag, etc.

Similar configuration could be done on most AOS devices with some modifications depending on your networks. Hope this helps.

View solution in original post

0 Kudos
2 Replies
Anonymous
Not applicable

Re: Applying QoS when using GRE over IPSec

Jump to solution

Here is what we have done on our 7100 and remote 6355 using GRE over IPsec.

7100 configuration

qos map VOIP 10

  match dscp 46 26

  priority unlimited

!

!

interface eth 0/0

  description SuddenlinkWAN

  access-policy Public

  crypto map VPN

  media-gateway ip primary

  traffic-shape rate 1000000

  qos-policy out VOIP

  no awcp

  no shutdown

  no lldp send-and-receive

interface vlan 1

  ip address  10.10.10.1  255.255.255.0

  access-policy Private

media-gateway ip primary

  no shutdown

!

interface vlan 2

  ip address  10.10.20.1  255.255.255.0

  access-policy Private

media-gateway ip primary

  no shutdown

!

interface tunnel 1

  description Tunnel

  ip address  10.100.100.1  255.255.255.252

  access-policy Tunnel

  media-gateway ip primary

  tunnel mode gre

  keepalive 60 5

  mtu 1397

  bandwidth 100000

  no shutdown

6355 configuration

qos map VOIP 30

  match dscp 46 26

  priority unlimited

!

!

interface eth 0/0

  description WAN connection

  ip ffe

  access-policy Public

  crypto map VPN

  media-gateway ip primary

  traffic-shape rate 30000000

  qos-policy out VOIP

  no awcp

  no shutdown

  no lldp send-and-receive

!

interface vlan 1

  ip address  10.10.12.1  255.255.255.0

  ip ffe

  access-policy Private

  media-gateway ip primary

  no shutdown

!

interface vlan 2

  ip address  10.10.22.1  255.255.255.0

  ip ffe

  access-policy Private

  media-gateway ip primary

  no shutdown

!

interface tunnel 1

  description Tunnel

  ip address  10.100.101.2  255.255.255.252

  access-policy Tunnel

  media-gateway ip primary

  tunnel mode gre

  keepalive 60 5

  mtu 1397

  bandwidth 100000

  no shutdown

This resolved issues with call degradation across our tunnels and we no longer experience dropped words, call lag, etc.

Similar configuration could be done on most AOS devices with some modifications depending on your networks. Hope this helps.

0 Kudos
Anonymous
Not applicable

Re: Applying QoS when using GRE over IPSec

Jump to solution

Thanks for the response.  I configured QoS on the WAN interfaces.  I can see that the packets are being matched.  The phone systems will not be going live for another month, but are in place so I can do testing. 

R\