QOS in VPN

Hi,

I'm currently working on a project with involves qos in vpn environment. there are 2 sites connecting via ipsec over gre tunnel.
my QoS policy has been applied to outside interface of the border router in head office site
I'm using nbar to classify traffic on inside interface of the same router
i applied "qos pre classify" to the tunnel interface as well as crypto map
but no traffic is tagged according to the policy i applied
if i run nabr in outer interface i cannot see any rtp traffic or tcp traffic, onlything i can see is gre and ipsec traffic
sh policy-map int s0/0/0(outside interface) shows me that none of the packets has been marked that i defined

i tried to use access-lists to classify traffic, but it's confusing to me

please give some advice

thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

accely

I'd love to hear more about this as well... it's one of the topics I'm studying in my ONT.

Ryan82

Take this advice with a grain of salt considering I just failed my ONT exam!

But if you are applying a QoS policy to a tunnel interface based upon pre-tunnel headers you do not need qos pre-classify. You need to utilize qos pre-classify if applying it to the physical interface while maintaining pre-tunnel headers.

HTH

Sepiraph

I am studying for this topic in ONT as well, the scenario you have is the following:

- to apply a QoS policy to an interface (s0/0/0)

When you apply a policy to the physical interface, in order to classify packets based on pretunnel header, you have to enable qos pre-classify.

Quality of Service Options on GRE Tunnel Interfaces - Cisco Systems

Upon further reading, found this in Cisco doc:

For generic routing encapsulation (GRE) and IP in IP (IPIP) tunnel protocols, the qos pre-classify command is applied on the tunnel interface, making QoS for VPNs a configuration option on a per-tunnel basis.

For Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) protocols, the qos pre-classify command is applied on the virtual template interface. L2TP clients belonging to identical virtual private dial-up network (VPDN) groups inherit the preclassification setting. The qos pre-classify command can be configured on a per-VPDN tunnel basis.

For IPSec tunnels, the qos pre-classify command is applied on the crypto map, allowing configuration on a per-tunnel basis. QoS features on the physical interface carrying the crypto map are able to classify packets before encryption.

Cisco IOS Quality of Service Solutions Configuration*Guide, Release*12.2 - Configuring QoS for Virtual Private Networks [Cisco IOS Software Releases 12.2 Mainline] - Cisco Systems

Also have you also test the QoS policy without any of the tunneling to see if any of the traffic is actually tagged? Perhaps your problem is with the policy-map or class-map itself.