2 Replies Latest reply on Aug 26, 2013 6:12 AM by vmaxdawg05

    Applying QoS when using GRE over IPSec

    vmaxdawg05 Past_Featured_Member

      I have a three-site WAN configured using GRE Tunnels over IPSEC.  The WAN works great, but now we are introducing IP phones into the mix and the bosses do not want to shell out for the private circuits.  That being said, I need to configure QoS so I can at least get best effort.  I've done this plenty of times with straight-up IPSEC tunnels, but this is the first time using GRE over IPSEC.  My question is simple.  Does it work the same way?  I noticed that I cannot do traffic-shaping on GRE tunnels so I assume I would just need to apply traffic shaping and QoS policy on the public facing Internet interface? 

       

      My concern is that the traffic in the GRE Tunnel is encrypted with IPSec and the matched packets from the QoS map may not be seen.

        • Re: Applying QoS when using GRE over IPSec
          3l3mn8r New Member

          Here is what we have done on our 7100 and remote 6355 using GRE over IPsec.

           

          7100 configuration

           

          qos map VOIP 10
            match dscp 46 26
            priority unlimited
          !
          !
          interface eth 0/0
            description SuddenlinkWAN
            access-policy Public
            crypto map VPN
            media-gateway ip primary
            traffic-shape rate 1000000
            qos-policy out VOIP
            no awcp
            no shutdown
            no lldp send-and-receive

          interface vlan 1
            ip address  10.10.10.1  255.255.255.0
            access-policy Private
            media-gateway ip primary
            no shutdown
          !
          interface vlan 2
            ip address  10.10.20.1  255.255.255.0
            access-policy Private
            media-gateway ip primary
            no shutdown
          !
          interface tunnel 1
            description Tunnel
            ip address  10.100.100.1  255.255.255.252
            access-policy Tunnel
            media-gateway ip primary
            tunnel mode gre
            keepalive 60 5
            mtu 1397
            bandwidth 100000
            no shutdown

           

          6355 configuration

           

          qos map VOIP 30
            match dscp 46 26
            priority unlimited
          !
          !
          interface eth 0/0
            description WAN connection
            ip ffe
            access-policy Public
            crypto map VPN
            media-gateway ip primary
            traffic-shape rate 30000000
            qos-policy out VOIP
            no awcp
            no shutdown
            no lldp send-and-receive
          !
          interface vlan 1
            ip address  10.10.12.1  255.255.255.0
            ip ffe
            access-policy Private
            media-gateway ip primary
            no shutdown
          !
          interface vlan 2
            ip address  10.10.22.1  255.255.255.0
            ip ffe
            access-policy Private
            media-gateway ip primary
            no shutdown
          !
          interface tunnel 1
            description Tunnel
            ip address  10.100.101.2  255.255.255.252
            access-policy Tunnel
            media-gateway ip primary
            tunnel mode gre
            keepalive 60 5
            mtu 1397
            bandwidth 100000
            no shutdown

           

          This resolved issues with call degradation across our tunnels and we no longer experience dropped words, call lag, etc.

          Similar configuration could be done on most AOS devices with some modifications depending on your networks. Hope this helps.
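
Added example, not part of either post: a Python model of why a `match dscp 46 26` policy on the WAN interface can still classify voice after GRE and ESP encapsulation, and what happens if the marking is not carried outward. It assumes the router copies the inner DSCP into the GRE and ESP outer headers (the RFC 4301 default for tunnel mode; the thread does not state what AOS does); the addresses, SPI and function names are constructed for illustration.

```python
import os
import struct

VOIP_DSCP = {46, 26}  # from "match dscp 46 26" in the posted qos map
WAN_A, WAN_B = (192, 0, 2, 1), (198, 51, 100, 1)  # constructed public addresses

def ipv4_header(src, dst, proto, payload_len, dscp):
    """Minimal 20-byte IPv4 header; checksum left at 0 for this demo."""
    tos = dscp << 2  # DSCP is the top six bits of the ToS/DS byte
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                       64, proto, 0, bytes(src), bytes(dst))

def dscp_of(packet):
    return packet[1] >> 2

def gre_encap(inner, copy_dscp):
    gre = struct.pack("!HH", 0, 0x0800)  # no flags, payload is IPv4
    dscp = dscp_of(inner) if copy_dscp else 0
    return ipv4_header(WAN_A, WAN_B, 47, len(gre) + len(inner), dscp) + gre + inner

def esp_tunnel_encap(inner, copy_dscp):
    # SPI + sequence number, then random bytes standing in for ciphertext
    esp = struct.pack("!II", 0x1000, 1) + os.urandom(len(inner))
    dscp = dscp_of(inner) if copy_dscp else 0
    return ipv4_header(WAN_A, WAN_B, 50, len(esp), dscp) + esp

def wan_classifier(packet):
    """An outbound QoS map on the WAN interface sees only the outer header."""
    return "VOIP" if dscp_of(packet) in VOIP_DSCP else "default"

def build_wire_packet(copy_dscp):
    # Constructed voice packet between the two vlan 1 subnets, marked EF (46)
    voice = ipv4_header((10, 10, 10, 50), (10, 10, 12, 50), 17, 172, 46) + bytes(172)
    return esp_tunnel_encap(gre_encap(voice, copy_dscp), copy_dscp)

if __name__ == "__main__":
    for copy in (True, False):
        pkt = build_wire_packet(copy)
        print(f"copy_dscp={copy}: outer proto={pkt[9]} dscp={dscp_of(pkt)} "
              f"-> class {wan_classifier(pkt)}")
```

On a live router the equivalent check is the per-class match counters on the WAN interface while a test call is up.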

          • Re: Applying QoS when using GRE over IPSec
            vmaxdawg05 Past_Featured_Member

            Thanks for the response.  I configured QoS on the WAN interfaces.  I can see that the packets are being matched.  The phone systems will not be going live for another month, but are in place so I can do testing. 

             

            R\