GRE Tunnels-IPsec Tunnels

GRE Tunnels
Generic Routing Encapsulation (GRE) tunnels add a GRE header and a
tunnel IP header to the packet. By default, TOS markings on the original
packet are copied into the tunnel IP header. When the packet arrives at the
physical interface, classification and queuing are based on the markings in
the tunnel IP header.
IPsec Tunnels
IP Security (IPSec) can operate in either tunnel mode or transport mode. In
tunnel mode, it creates a tunnel through the underlying network. In transport
mode, it provides security over normal physical links or over a tunnel
created with a different protocol. IPSec can also provide either authentication
alone using Authentication Headers (AH) or encryption and authentication
using Encapsulation Security Protocol (ESP). Table 4-4 describes the
differences between AH and ESP.

Table 4-4  IPSec AH and ESP

                                    AH                               ESP
Protocol                            51                               50
Fields Added                        Authentication Header            ESP Header, ESP Trailer,
                                                                     ESP Authentication Trailer
IP Header, Tunnel Mode              Creates new tunnel IP header     Creates new tunnel IP header
IP Header, Transport Mode           Uses original IP header          Uses original IP header
TOS Byte, Tunnel Mode               Copies original TOS markings     Copies original TOS markings
                                    to new IP header                 to new IP header
TOS Byte, Transport Mode            Original TOS byte is available   Original TOS byte is available
Payload Change                      None                             Encrypts payload
Authentication Protocols Supported  MD5, SHA                         MD5, SHA
Encryption Protocols Supported      None                             DES, 3DES, AES

MD5 = Message Digest 5
SHA = Secure Hash Algorithm
DES = Data Encryption Standard
AES = Advanced Encryption Standard
Although both GRE and IPSec allow traffic to be classified based on its
original TOS markings, there are times when you might want to classify
based on other fields, such as port number or original IP address. In that
case, packets must be classified before the original IP header is hidden or
encrypted. To do this, use the qos pre-classify command. This command
causes the router to make a copy of the original IP header, and classify the
packet based on that information.
qos pre-classify can be configured on a tunnel interface, in a crypto map, or on
a virtual template interface, and it works only on IP packets. Use it on the
tunnel interface for a GRE tunnel, on the virtual template interface for an L2TP
tunnel, and under both the crypto map and the tunnel interface for an IPSec
tunnel, whenever classification must be done on fields other than the TOS byte.
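The GRE-over-IPSec case described above, written out as an added configuration example (not taken from the book): a class is matched on original source subnet and TCP port, which are hidden once GRE and ESP wrap the packet, so qos pre-classify is placed on both the tunnel interface and the crypto map. All interface names, addresses, ACL numbers and policy names are assumed placeholders, and the IKE (ISAKMP) policy and pre-shared key are assumed to be configured elsewhere.

```cisco
! Constructed example. Match on fields of the ORIGINAL IP header that GRE and ESP
! will hide: source subnet 10.1.1.0/24 and TCP port 1720.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 1720
!
class-map match-all SIGNALING
 match access-group 101
!
! Queuing policy applied to the physical interface; it must see the
! pre-classify copy of the original header to place packets in SIGNALING.
policy-map WAN-OUT
 class SIGNALING
  bandwidth 64
 class class-default
  fair-queue
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Crypto ACL: protect the GRE traffic between the two tunnel endpoints.
access-list 110 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set ESP-AES-SHA
 match address 110
 ! Keep a copy of the original IP header across ESP encryption.
 qos pre-classify
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
 ! Keep a copy of the original IP header across GRE encapsulation.
 qos pre-classify
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
 service-policy output WAN-OUT
```

Without the two qos pre-classify lines, only the outer tunnel IP header (and its copied TOS byte) reaches the classifier on Serial0/0, so access-list 101 never matches and the traffic falls into class-default.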