Using QoS Policies on VPN Interfaces

Tunnel interfaces support many of the same QoS features as physical interfaces.

In VPN environments, a QoS service policy can be applied to the tunnel interface or to the underlying physical interface.

The decision about whether to configure the qos pre-classify command depends on which header is used for classification.

Classification defines the process of matching one or more fields in a packet header in Layer 2, 3, or 4, and then placing that packet in a group or class of traffic. Using packet classification, you can partition network traffic into multiple priority levels or classes of service.

When configuring IPSec with GRE, the simplest classification approach is to match on IP precedence or differentiated services code point (DSCP) values. Cisco IOS Software Release 11.3T introduced support for IPSec, along with the ToS byte preservation feature, in which the router automatically copies the ToS byte from the original IP header to the encapsulating IP header when using IPSec in tunnel mode.

ToS byte preservation also applies to AH. ESP in transport mode retains the original IP header, so the original ToS value is transmitted even without ToS byte preservation. If packets arrive at the router without IP precedence or DSCP values set, class-based marking can be used to re-mark the packet headers before encryption or encapsulation. When the packets reach the egress interface, the QoS output policy can match and act on the re-marked values.

Alternatively, you may need to classify traffic based on values other than IP precedence or DSCP, for example on IP flow or Layer 3 information such as source and destination IP address. To do so, you must use the QoS for VPNs feature, enabled with the qos pre-classify command. This feature is available for Cisco 7100 series VPN routers and Cisco 7200 series routers (since Release 12.1(5)T) and for 2600 and 3600 series routers (since Release 12.2(2)T).


The QoS pre-classify mechanism allows Cisco routers to make a copy of the inner IP header and run QoS classification before encryption, based on fields in that inner header. Without this feature, the classification engine sees only a single encrypted and tunneled flow: all packets traversing the same tunnel carry the same tunnel header and therefore receive the same treatment in the event of congestion.

If the classification policy matches on the ToS byte, the qos pre-classify command is not necessary, because the ToS value is copied to the outer header by default, and a simple QoS policy that sorts traffic into classes based on IP precedence can be created. However, differentiating traffic within a class and separating it into multiple flow-based queues requires the qos pre-classify command.

You can apply a service policy to either the tunnel interface or to the underlying physical interface. The decision about where to apply the policy depends on the QoS objectives and on which header you need to use for classification, as follows:

■ Apply the policy to the tunnel interface without qos pre-classify when you want to classify packets based on the pre-tunnel header.

■ Apply the policy to the physical interface without qos pre-classify when you want to classify packets based on the post-tunnel header. In addition, apply the policy to the physical interface when you want to shape or police all traffic belonging to a tunnel, and the physical interface supports several tunnels.

■ Apply the policy to a physical interface and enable qos pre-classify when you want to classify packets based on the pre-tunnel header.
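The following configuration is an added illustration of the third option above combined with the class-based marking step described earlier; it is a constructed example and not configuration from the original page. It assumes a GRE tunnel protected by IPsec in transport mode, a LAN-facing GigabitEthernet0/0 and a WAN-facing Serial0/0/0; the interface names, addresses, ACL and policy names, rates and the pre-shared-key placeholder are all assumptions. The egress policy matches on the inner source and destination addresses, which only exist in the pre-tunnel header, so qos pre-classify is enabled on both the tunnel interface and the crypto map. A class that matched only on DSCP (for example, match ip dscp ef) would work on the physical interface even without qos pre-classify, because the tunneling mechanism copies the ToS byte to the outer header.

```cisco-ios
! Constructed example, not from the original page. Names, addresses and rates are assumptions.
!
! Step 1: class-based marking on the LAN side, so that packets arriving without
! DSCP set are re-marked before they are encapsulated and encrypted.
ip access-list extended VOICE-HOSTS
 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
!
class-map match-all VOICE-HOSTS
 match access-group name VOICE-HOSTS
!
policy-map MARK-INBOUND
 class VOICE-HOSTS
  set ip dscp ef
 class class-default
  set ip dscp default
!
interface GigabitEthernet0/0
 description LAN-facing interface
 ip address 10.1.1.1 255.255.255.0
 service-policy input MARK-INBOUND
!
! Step 2: egress policy for the physical interface. The VOICE-FLOWS class matches on
! inner source/destination addresses (pre-tunnel header), which the classification
! engine can only see when qos pre-classify is enabled. The outer shaper applies to
! all traffic leaving the WAN interface, tunnel traffic included.
class-map match-all VOICE-FLOWS
 match access-group name VOICE-HOSTS
!
policy-map TUNNEL-EGRESS
 class VOICE-FLOWS
  priority percent 30
 class class-default
  fair-queue
!
policy-map SHAPE-WAN
 class class-default
  shape average 2000000
  service-policy TUNNEL-EGRESS
!
! Step 3: IPsec protecting the GRE tunnel. qos pre-classify is configured on the
! crypto map and on the tunnel interface so the inner header copy is taken before
! both GRE encapsulation and encryption.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 192.0.2.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
!
ip access-list extended GRE-TRAFFIC
 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address GRE-TRAFFIC
 qos pre-classify
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 qos pre-classify
!
interface Serial0/0/0
 description WAN-facing physical interface
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
 service-policy output SHAPE-WAN
```

To verify that the policy is classifying on the inner header, check the per-class counters with show policy-map interface Serial0/0/0 while sending traffic between the two address ranges; if the VOICE-FLOWS class stays at zero, the packets are being classified after encapsulation and qos pre-classify is missing on the tunnel interface or the crypto map. For the first option in the list (classification on the pre-tunnel header without qos pre-classify), the same TUNNEL-EGRESS policy would instead be attached with service-policy output under interface Tunnel0, and the SHAPE-WAN policy would remain on the physical interface to shape the aggregate.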

Note: ToS byte copying is done by the tunneling mechanism and not by the qos pre-classify command.
