The Steps of QoS Preclassification Configuration with IPSec and GRE

The qos pre-classify mechanism allows Cisco routers to make a copy of the inner IP header and to run a QoS classification before encryption based on fields in the inner IP header. Without this feature, the classification engine sees only a single encrypted and tunneled flow since all packets that traverse across the same tunnel have the same tunnel header and receive the same treatment in the event of congestion.

If your classification policy matches with the ToS byte, you do not need to use the qos pre-classify command since the ToS value is copied to the outer header by default. You can create a simple QoS policy which sorts traffic into classes based on IP precedence. However, to differentiate traffic within a class and to separate it into multiple flow-based queues, the qos pre-classify command is required.

Note: ToS byte copying is done by the tunneling mechanism and not by the qos pre-classify command.

The qos pre-classify command can be applied at various points in your configuration, as illustrated here.

  • GRE only - Configure the qos pre-classify command on the tunnel interface.

    interface Tunnel0   ip address 1.1.1.1 255.255.255.252   qos pre-classify   tunnel source 12.2.2.8   tunnel destination 12.2.2.6 ! interface serial 0/0   ip address 12.2.2.8 255.255.255.0   fair-queue
  • IPSec only - Configure the qos pre-classify command under the crypto map.

    crypto map TEST 10 ipsec-isakmp   set peer 5.5.5.5   set transform-set SET   match address Test   qos pre-classify ! interface serial 0/0   ip address 5.5.5.4 255.255.255.0   crypto map TEST   random-detect   random-detect flow
  • IPSec and GRE - Configure the qos pre-classify command on the tunnel interface and under the crypto map.

    crypto map TEST 10 ipsec-isakmp   set peer 12.2.2.6   set transform-set SET   match address Test   qos pre-classify ! interface Tunnel0   ip address 1.1.1.1 255.255.255.252   qos pre-classify   tunnel source 12.2.2.8   tunnel destination 12.2.2.6   crypto map TEST ! interface serial 0/0   ip address 12.2.2.8 255.255.255.0   service-policy out matchPORTnumbers   crypto map TEST

Complete these steps to configure QoS preclassification with IPSec and GRE.

  1. Configure a crypto map and specify the qos pre-classify command in map configuration mode.

    crypto map cryptomap_gre1 10 ipsec-isakmp  set peer 172.32.241.9  set transform-set transf_GRE1_transport  match address 130  qos pre-classify
  2. Use the show crypto map command to confirm your configuration.

    2621vpn1#show crypto map Crypto Map: "cryptomap_gre1" idb: Loopback0 local address: 172.31.247.1 Crypto Map "cryptomap_gre1" 10 ipsec-isakmp         Description: Crypto map on GRE1 tunnel mode transport - 10.240.252.0->3/30         Peer = 172.32.241.9         Extended IP access list 130             access-list 130 permit gre host 172.31.247.1 host 172.32.241.9         Current peer: 172.32.241.9         Security association lifetime: 4608000 kilobytes/3600 seconds         PFS (Y/N): N         Transform sets={ transf_GRE1_transport, }         QOS pre-classification
  3. Define a GRE tunnel interface and apply the crypto map and qos pre-classify commands.

    interface Tunnel0 ip address 10.240.252.1 255.255.255.252 qos pre-classify tunnel source Loopback0 tunnel destination 172.32.241.9 crypto map cryptomap_gre1
  4. Use the show interface tunnel 0 command to confirm that QoS preclassification is enabled.

    2621vpn1#show interface tunnel 0 Tunnel0 is up, line protocol is up   Hardware is Tunnel   Description: VPN resilience test - 1st GRE tunnel Interface mode transport - 10.240.252.0->3/3   Internet address is 10.240.252.1/30   Tunnel source 172.31.247.1 (Loopback0), destination 172.32.241.9   Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled   Checksumming of packets disabled,  fast tunneling enabled   Last input 00:00:04, output 00:00:04, output hang never   Last clearing of "show interface" counters 00:00:51   Queueing strategy: fifo (QOS pre-classification)   Output queue 0/0, 0 drops; input queue 0/75, 0 drops

The above output illustrates that the tunnel interface continues to use first in, first out (FIFO) as the queuing strategy even with QoS preclassification and fancy queuing enabled. This is illustrated in the show command output with the line Queueing strategy: fifo (QOS pre-classification). Both GRE and IPSec tunnels require FIFO queuing since a destination device drops IPSec packets that arrive out of order.

In a VPN environment, you can apply a QoS service policy to the tunnel interface or to the underlying physical interface. The decision of whether you need to configure the qos pre-classify command depends on which header and which header values you want to use for classification.

  • If you want to classify packets based on the inner header, apply the policy to the tunnel interface without the qos pre-classify command.

  • If you want to classify packets based on the outer header, apply the policy to the physical interface without the qos pre-classify command.

  • If you want to classify packets based on the inner header and apply the policy to the physical interface since the physical interface may be a congestion point, apply the policy to a physical interface and enable the qos pre-classify command.

Post a Comment

Popular posts from this blog

Pairwise Master Key (PMK) vs Parewise Transient Key(PTK) vs PseudoRandom Function(PRF) vs GTK (Groupwise Transient Key)

DSSS(直接序列展頻技術) vs OFDM(正交頻率多重分割)

DTMF Relay : RTP-NTE vs SIP INFO vs SIP NOTIFY