Rogelio is correct. Check out the following link for additional info:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftqosvpn.html

Also, the End-to-End QoS Design book states that the ToS markings are automatically copied to the tunnel header without any configuration, but when QoS pre-classify is enabled, some additional information is added (I don't have the book in front of me to provide specifics - sorry). In testing a while back, I found that nothing is copied to the ToS field of the tunnel packet header unless qos pre-classify is explicitly configured.

It is possible that the automatic population of ToS information from the clear side to the encrypted side was "turned off" in later IOS releases because it presents a potential covert channel. For instance, somebody could write a small program and run it on their computer that uses the ToS bits as a mechanism to transmit data from the trusted network to the untrusted network. Somebody on the untrusted network could then intercept the packets and reassemble the data passed via the ToS bits. Obviously, if your routers are configured not to trust incoming packets and to rewrite the bits, this isn't possible...

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rogelio Gamino
Sent: Thursday, November 19, 2009 7:27 AM
To: abdel el anazi
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] Random Early Detection on IPSEC

I think you need "qos pre-classify" in your "crypto map" configuration.

On Wed, Nov 18, 2009 at 4:08 PM, abdel el anazi <[email protected]> wrote:
> Hi all,
>
> I stumbled into a real-life scenario where I had to avoid congestion on a leased line. So I tried to use Random Early Detection in the output direction on the same interface that has a crypto map applied to run IPsec in tunnel mode. Now I notice that when I use "sh policy-map int fa0/2/0", RED is not dropping any traffic and not controlling the burst. I ran a lot of tests with Jperf TCP, but I don't see any difference in performance when I enable RED or disable it. Is it possible that RED is not detecting the TCP flows because of the IPsec?
>
> Is there any way to work around this issue?
>
> Best Regards

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
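The two points raised in the thread, "qos pre-classify" under the crypto map so the egress policy still sees the cleartext headers, and not trusting inside markings so the ToS bits cannot be used as a covert channel across the tunnel, put together as one IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface numbers, addresses, ACLs, policy names, the pre-shared key and the VoIP port range are all assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Interface numbers, addresses, names,
! the PSK and the VoIP port range are assumptions for illustration only.
!
! --- 1. IPsec with QoS pre-classification ---------------------------------
! Without "qos pre-classify" the output service policy on Fa0/2/0 is applied
! to the already-encrypted ESP packet: one protocol, one outer source/dest
! pair, and (unless ToS is copied) a zero DSCP. With it, the router keeps a
! copy of the cleartext IP/TCP/UDP header for the QoS decision.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
 qos pre-classify
!
! Congestion avoidance on the leased line. DSCP-based WRED uses per-DSCP
! thresholds, so it only differentiates traffic if the DSCP it sees is
! meaningful (the cleartext value via pre-classify, or a copied ToS byte).
policy-map LEASED-LINE-OUT
 class class-default
  random-detect dscp-based
!
interface FastEthernet0/2/0
 description Leased line towards the untrusted network
 ip address 203.0.113.1 255.255.255.252
 crypto map VPNMAP
 service-policy output LEASED-LINE-OUT
!
! --- 2. Do not trust inside markings (closes the ToS covert channel) ------
! Re-mark on ingress from the trusted LAN. Only traffic the router itself
! classifies keeps a non-default DSCP; everything else is reset to 0 before
! it can be carried into the outer IPsec header.
ip access-list extended VOIP-MEDIA
 permit udp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 range 16384 32767
!
class-map match-all VOIP
 match access-group name VOIP-MEDIA
!
policy-map RESET-INSIDE-MARKINGS
 class VOIP
  set dscp ef
 class class-default
  set dscp default
!
interface FastEthernet0/0
 description Inside (trusted) network
 ip address 10.1.0.1 255.255.0.0
 service-policy input RESET-INSIDE-MARKINGS
!
! --- Checks ---------------------------------------------------------------
! show crypto map                     ! "QoS pre-classification" listed for VPNMAP
! show policy-map interface FastEthernet0/2/0
!                                     ! random-detect per-DSCP drop counters
!                                     ! should increase under sustained load
```

Two practical notes. The ingress re-marking policy is what makes the covert channel argument in the reply hold: a host on the inside can set any ToS byte it likes, but after "set dscp default" the only bits that reach the outer header are the ones the router assigned, so an outside observer learns at most "VoIP or not", which the packet size and rate would reveal anyway. And because WRED's drops depend on the average queue depth, a test that never fills the interface queue will show zero drops whether or not pre-classify is on; run the Jperf load long enough to see a non-zero queue in "show policy-map interface" before judging whether RED is working.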
