  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1464

How do you implement QoS in a VPN tunnel?

I need to know what Cisco solution / services will allow VPN encrypted traffic to be inspected throughout the tunnel for QoS markings. If traffic is encrypted in a GRE tunnel, I know the GRE header can carry the IP precedence, but is this the case for IPsec? How do you configure this at the edge, and what do I tell the provider?
0
Asked by: murphymail
1 Solution
 
magicomminc commented:
This should give you a good starting point:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a0080080404.html
Basically "qos pre-classify" will enable QoS for IPsec VPN.
Remember, Cisco QoS for VPN is to classify packets before tunneling and encryption occur. The process of classifying features before tunneling and encryption is called preclassification.
You can also use a Cisco feature called the "parent-child" policy-map structure to shape your upstream.
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800b2d29.shtml


0
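The two pieces of the answer above (classifying before encryption with "qos pre-classify", and a parent-child policy map that shapes the uplink) fit together in one IOS configuration. The example below is added here for illustration; it is not from any of the posters or from the linked Cisco documents. All names (VOICE, VOICE-RTP, CHILD-QOS, PARENT-SHAPE, VPN-MAP, TS, VPN-TRAFFIC), the 10.1.0.0/16 and 10.2.0.0/16 site ranges, the 203.0.113.2 peer, the 10 Mbit/s shaper and the interface are assumed values; the ISAKMP policy and the VPN-TRAFFIC crypto ACL are assumed to exist already. The point of pre-classify is visible in the VOICE class: the UDP port match in the VOICE-RTP ACL can only be evaluated on the cleartext packet, and because the service policy hangs on the physical WAN interface it would otherwise only ever see the already-encrypted ESP packet.

```cisco
! --- Added example, not from the thread. Assumed names and addresses throughout. ---

! Classification that needs the inner (cleartext) headers: RTP ports between the two sites.
! Without "qos pre-classify" this ACL never matches on the WAN interface, because the
! policy there sees only the outer IP + ESP header.
ip access-list extended VOICE-RTP
 permit udp 10.1.0.0 0.0.255.255 range 16384 32767 10.2.0.0 0.0.255.255 range 16384 32767

class-map match-any VOICE
 match ip dscp ef
 match access-group name VOICE-RTP

! Child policy: queueing decisions. Priority queue for voice, fair queueing for the rest.
policy-map CHILD-QOS
 class VOICE
  priority percent 30
 class class-default
  fair-queue

! Parent policy: shape the whole uplink to the rate bought from the provider (assumed 10 Mbit/s),
! then hand the shaped stream to the child policy. This is the "parent-child" structure.
policy-map PARENT-SHAPE
 class class-default
  shape average 10000000
  service-policy CHILD-QOS

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac

! "qos pre-classify" on the crypto map keeps a copy of the pre-encryption headers so the
! outbound service policy can classify on them after encryption has happened.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
 qos pre-classify

interface GigabitEthernet0/0
 description WAN uplink to provider (assumed)
 crypto map VPN-MAP
 service-policy output PARENT-SHAPE
```

To check that the classes are actually being hit, "show policy-map interface GigabitEthernet0/0" lists per-class packet and byte counters; a VOICE class that stays at zero while calls are up is the usual symptom of pre-classify missing from the crypto map. One practical caveat on the "what do I tell the provider" part of the question: pre-classify only affects this router's own outbound policy. The provider never sees the inner headers; what it can act on is the DSCP/IP precedence in the outer IP header, which IOS copies from the inner packet when it builds the tunnel-mode IPsec packet, so the marking you set or trust at the edge is the only thing the carrier can honour.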
 
murphymail (Author) commented:
Will this pre-classify tag the IPsec header (and with what) so the provider can apply QoS policies to the encrypted packets? How do you enable the IOS to "see" these tags while passing through the tunnel?
0
 
magicomminc commented:
As far as I understand, I don't think you can set any TOS bits in your IPsec header, and once the IPsec traffic leaves your egress port to your ISP, no one is supposed to be able to read what's inside since it's all encrypted; that's why Cisco has this pre-classify feature for VPN traffic. Your ISP can still do some traffic engineering for the non-IPsec traffic, and set up some sort of policy to treat IPsec and non-IPsec differently, or based on the destination IP etc., but they wouldn't be able to apply anything inside your IPsec VPN tunnel.
0
murphymail (Author) commented:
That's what I thought. But GRE apparently, after IOS version 11.0, does mark the IP precedence in the GRE header, which allows QoS to work against this packet while in the tunnel. Why isn't this an option for IPsec?
0
 
magicomminc commented:
You are right, IOS 11.3T enabled the router to copy the IP precedence bit values of the ToS byte to the tunnel or GRE IP header that encapsulates the inner packet, and intermediate routers between the tunnel endpoints can use the IP precedence values to classify the packets for QoS features.
IPsec (IP Security) was introduced after 11.3(3)T; it is meant to encrypt data so that it can be transmitted across a public network without fear of observation, modification, or spoofing. In IPsec VPN tunnel mode, a new IP and IPsec header are added to the packet; both the IP and ULP headers are encrypted, so intermediate routers along the IPsec tunnel path wouldn't be able to observe the packet inside (the purpose of encryption). You can find tons of docs about IPsec; here is the Cisco one:
http://www.cisco.com/warp/public/105/IPSECpart1.html
0
 
lrmoore commented:
You can enable QoS over Dynamic Multipoint GRE with IPsec encryption...
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801e6206.shtml

0
