The Steps of QoS Preclassification Configuration with IPSec and GRE

The qos pre-classify mechanism allows Cisco routers to make a copy of the inner IP header and to run a QoS classification before encryption based on fields in the inner IP header. Without this feature, the classification engine sees only a single encrypted and tunneled flow since all packets that traverse across the same tunnel have the same tunnel header and receive the same treatment in the event of congestion.

If your classification policy matches with the ToS byte, you do not need to use the qos pre-classify command since the ToS value is copied to the outer header by default. You can create a simple QoS policy which sorts traffic into classes based on IP precedence. However, to differentiate traffic within a class and to separate it into multiple flow-based queues, the qos pre-classify command is required.

Note: ToS byte copying is done by the tunneling mechanism and not by the qos pre-classify command.

The qos pre-classify command can be applied at various points in your configuration, as illustrated here.

  • GRE only - Configure the qos pre-classify command on the tunnel interface.

    interface Tunnel0   ip address 1.1.1.1 255.255.255.252   qos pre-classify   tunnel source 12.2.2.8   tunnel destination 12.2.2.6 ! interface serial 0/0   ip address 12.2.2.8 255.255.255.0   fair-queue

  • IPSec only - Configure the qos pre-classify command under the crypto map.

    crypto map TEST 10 ipsec-isakmp   set peer 5.5.5.5   set transform-set SET   match address Test   qos pre-classify ! interface serial 0/0   ip address 5.5.5.4 255.255.255.0   crypto map TEST   random-detect   random-detect flow

  • IPSec and GRE - Configure the qos pre-classify command on the tunnel interface and under the crypto map.

    crypto map TEST 10 ipsec-isakmp   set peer 12.2.2.6   set transform-set SET   match address Test   qos pre-classify ! interface Tunnel0   ip address 1.1.1.1 255.255.255.252   qos pre-classify   tunnel source 12.2.2.8   tunnel destination 12.2.2.6   crypto map TEST ! interface serial 0/0   ip address 12.2.2.8 255.255.255.0   service-policy out matchPORTnumbers   crypto map TEST

Complete these steps to configure QoS preclassification with IPSec and GRE.

  1. Configure a crypto map and specify the qos pre-classify command in map configuration mode.

    crypto map cryptomap_gre1 10 ipsec-isakmp  set peer 172.32.241.9  set transform-set transf_GRE1_transport  match address 130  qos pre-classify

  2. Use the show crypto map command to confirm your configuration.

    2621vpn1#show crypto map Crypto Map: "cryptomap_gre1" idb: Loopback0 local address: 172.31.247.1 Crypto Map "cryptomap_gre1" 10 ipsec-isakmp         Description: Crypto map on GRE1 tunnel mode transport - 10.240.252.0->3/30         Peer = 172.32.241.9         Extended IP access list 130             access-list 130 permit gre host 172.31.247.1 host 172.32.241.9         Current peer: 172.32.241.9         Security association lifetime: 4608000 kilobytes/3600 seconds         PFS (Y/N): N         Transform sets={ transf_GRE1_transport, }         QOS pre-classification

  3. Define a GRE tunnel interface and apply the crypto map and qos pre-classify commands.

    interface Tunnel0 ip address 10.240.252.1 255.255.255.252 qos pre-classify tunnel source Loopback0 tunnel destination 172.32.241.9 crypto map cryptomap_gre1

  4. Use the show interface tunnel 0 command to confirm that QoS preclassification is enabled.

    2621vpn1#show interface tunnel 0 Tunnel0 is up, line protocol is up   Hardware is Tunnel   Description: VPN resilience test - 1st GRE tunnel Interface mode transport - 10.240.252.0->3/3   Internet address is 10.240.252.1/30   Tunnel source 172.31.247.1 (Loopback0), destination 172.32.241.9   Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled   Checksumming of packets disabled,  fast tunneling enabled   Last input 00:00:04, output 00:00:04, output hang never   Last clearing of "show interface" counters 00:00:51   Queueing strategy: fifo (QOS pre-classification)   Output queue 0/0, 0 drops; input queue 0/75, 0 drops

The above output illustrates that the tunnel interface continues to use first in, first out (FIFO) as the queuing strategy even with QoS preclassification and fancy queuing enabled. This is illustrated in the show command output with the line Queueing strategy: fifo (QOS pre-classification). Both GRE and IPSec tunnels require FIFO queuing since a destination device drops IPSec packets that arrive out of order.

In a VPN environment, you can apply a QoS service policy to the tunnel interface or to the underlying physical interface. The decision of whether you need to configure the qos pre-classify command depends on which header and which header values you want to use for classification.

  • If you want to classify packets based on the inner header, apply the policy to the tunnel interface without the qos pre-classify command.

  • If you want to classify packets based on the outer header, apply the policy to the physical interface without the qos pre-classify command.

  • If you want to classify packets based on the inner header and apply the policy to the physical interface since the physical interface may be a congestion point, apply the policy to a physical interface and enable the qos pre-classify command.

Comments

Post a Comment

Popular posts from this blog

L2TPv3 Enables Layer 2 Services for IP Networks

Image
White Paper -------------------------------------------------------------------------------- Layer 2 Tunneling Protocol Version 3 Enables Layer 2 Services for IP Networks The competitive environment for service providers has changed considerably since the Internet became a global force in the 1990s. Enterprises are no longer signing up for new IP-based services for the novelty or out of fear of being left behind by the competition. The challenge for service providers today is to grow their businesses by expanding their customer base and service revenue in a more cautious spending environment. Most enterprises are taking a more conservative approach to network investments. New IP-based services give enterprises an opportunity to improve their productivity and competitiveness while lowering their existing network expenses. Service providers that offer these services and savings can grow their customer base and service revenue. This white paper focuses on one such opportunity—offering tra
Read More »

TCP/IP 明確擁塞通知 (ECN)

Image
當路由器擁塞的程度已經達到填滿傳入封包緩衝區而開始捨棄封包時,會影響網路而縮減頻寬,對資料損失敏感或具時效性的傳輸量流動會進而受到衝擊,而且可能在擁塞之後產生連結閒置時間。TCP/IP 明確擁塞通知 (ECN) 讓路由器能夠通知「傳輸控制通訊協定」(TCP) 對等體,由於網路擁塞,緩衝區已滿。TCP 對等體會以減緩資料傳輸來回應,協助防止封包損失。 明確擁塞通知(Explicit Congestion Notification) TCP/IP 的 ECN 支援同時使用 IP 及 TCP 標頭中的未使用位元。 • 在 (IP) 網際網路層上,轉送封包時,傳送主機必須能夠表示有能力執行 ECN,而路由器則必須能夠指出所遇到的擁塞狀況。 • 在 (TCP) 傳輸層,TCP 對等體必須彼此表明有能力執行 ECN。接收端對等體必須能夠通知傳送端對等體,已經從遇到擁塞狀況的路由器接到封包;傳送端對等體必須能夠通知接收端對等體,已經從接收端對等體接到擁塞指標,並且已經降低傳輸速率。 IP 中的 ECN 支援 IP 標頭中的 8 位元 [Type of Service (TOS)] 欄位最先定義於 RFC 791 中,指出封包由路由器進行非預設傳送的傳送優先順序、延遲、輸送量、可靠性,以及成本等特性。TOS 欄位在 RFC 2474 中重新定義,以包含 6 位元區別服務代碼點 (Differentiated Services Code Point, DSCP) 及兩個未使用的位元。DSCP 值表示的傳送優先順序會對應於先前在內部網路的路由器中設定的佇列。IP 中的 ECN 支援使用 RFC 2474 所定義 TOS 欄位的兩個未使用位元。[圖 1] 顯示 ECN 中 TOS 欄位的新定義。 圖 1:ECN 中 TOS 欄位的新定義 RFC 2474 所定義 TOS 欄位中的兩個未使用位元在 RFC 3168 中定義為 ECN 欄位,欄位的值如下: • 00 傳送主機不支援 ECN。 • 01 或 10 傳送主機支援 ECN。 • 11 路由器已遇到擁塞狀況。 具備 ECN 功能的主機傳送其封包時,會將 ECN 欄位設定為 01 或 10。對於具備 ECN 功能的主機所傳送的封包,如果路徑中的路由器具備 ECN 功能,但是正遇到擁塞狀況,則 ECN 欄位會設定為 11。一旦 ECN
Read More »

Q-in-Q(Dot1Q Tunnel) Sample Configuration

透過IEEE 802.1q in IEEE 802.1q(Q-in-Q)的方式,我們可以讓VLAN的數量增加超過4096(4096*4096),也可以讓客戶自行設定Trunk穿過Service Provider所提供的Ethernet Solution(如:FTTx)。 假設現在的網路架構為: SW1 F0/1 <- SP VLAN 10 -> SW2 F0/1 兩端的設備都是連接到VLAN 10,因此在兩端的Switch啟用Dot1q Tunnel建立Trunk SW1(config)#vlan dot1q tag native !預設,Native VLAN不會加上tag,如果在Q-in-Q中要針對native vlan加tag,必須使用上述指令 SW1(config)#int f0/1 SW1(config-if)#switchport mode dot1q-tunnel SW1(config-if)#switchport access vlan 10 SW1(config)#system mtu 1508 !一般Switch預設system mtu 1500,為了支援多層tag,必須加大MTU,設定完成必須reload switch SW2(config)#vlan dot1q tag native !預設,Native VLAN不會加上tag,如果在Q-in-Q中要針對native vlan加tag,必須使用上述指令 SW2(config)#int f0/1 SW2(config-if)#switchport mode dot1q-tunnel SW2(config-if)#switchport access vlan 10 SW2(config)#system mtu 1508 !一般Switch預設system mtu 1500,為了支援多層tag,必須加大MTU,設定完成必須reload switch
Read More »