This document describes the solution for making Cisco IOS Quality of Service (QoS) features operate with tunneling and encryption features.
This document includes the following sections:
When packets are encapsulated by tunnel or encryption headers, Quality of Service (QoS) features are unable to examine the original packet headers and correctly classify the packets. Packets traveling across the same tunnel have the same tunnel headers, so the packets are treated identically if the physical interface is congested.
With the growing popularity of Virtual Private Networks (VPNs), the need to classify traffic within a traffic tunnel is gaining importance. QoS features have historically been unable to classify traffic within a tunnel. With the introduction of the Quality of Service for Virtual Private Networks (QoS for VPNs) feature, packets can now be classified before tunneling and encryption occur. The process of classifying packets before tunneling and encryption is called preclassification.
The QoS for VPNs feature is designed for tunnel interfaces. When the new feature is enabled, the QoS features on the output interface classify packets before encryption, allowing traffic flows to be adjusted in congested environments. The end result is more effective packet tunneling.
The QoS for VPNs feature provides a solution for making Cisco IOS Quality of Service services operate in conjunction with tunneling and encryption on an interface. Cisco IOS software can classify packets and apply the appropriate QoS service before the data is encrypted and tunneled. In addition, when packets are marked using the IP Type of Service byte or differentiated services code point (DSCP) values, the markings are copied to the new, encrypted packet. This allows the service provider to treat mission critical or multi-service traffic with higher priority across their network.
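The following added example (not part of the original Cisco document) builds three IPv4 flows, GRE-encapsulates them between the tunnel endpoints shown in this document's output, and classifies them once on the outer header and once on the original header. The class names, port ranges, and inner addresses are assumptions made for the illustration.

```python
import socket, struct

TUN_SRC, TUN_DST = "13.0.0.2", "13.0.0.1"   # tunnel endpoints from the page's output

def ipv4(src, dst, proto, tos, payload):
    """20-byte IPv4 header + payload (checksum left 0; irrelevant to classification)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def l4(sport, dport):
    """First 8 bytes of a TCP or UDP header; both start with the two ports."""
    return struct.pack("!HHI", sport, dport, 0)

def gre_encap(inner):
    """Outer IPv4 (protocol 47) + 4-byte GRE header; ToS byte copied from inner."""
    gre = struct.pack("!HH", 0, 0x0800)          # no flags, payload type IPv4
    return ipv4(TUN_SRC, TUN_DST, 47, inner[1], gre + inner)

def classify(pkt):
    """Hypothetical egress policy keyed on protocol and destination port."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto in (6, 17):
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if proto == 17 and 16384 <= dport <= 32767:
            return "voice"
        if proto == 6 and dport == 1521:
            return "database"
    return "default"

def egress(inner, preclassify):
    """Return (class chosen on the physical interface, ToS of the outer header)."""
    outer = gre_encap(inner)
    return classify(inner if preclassify else outer), outer[1]

# Constructed sample flows (addresses and ports are illustrative).
FLOWS = {
    "rtp":  ipv4("10.1.1.10", "10.2.2.20", 17, 0xB8, l4(40000, 16500)),
    "sql":  ipv4("10.1.1.11", "10.2.2.21", 6, 0x00, l4(40001, 1521)),
    "bulk": ipv4("10.1.1.12", "10.2.2.22", 6, 0x00, l4(40002, 8080)),
}

def run(preclassify):
    return {name: egress(pkt, preclassify) for name, pkt in FLOWS.items()}

if __name__ == "__main__":
    for mode in (False, True):
        print("pre-classify" if mode else "outer header only", run(mode))
```

Classifying on the outer header puts every flow in the default class because all three share the same GRE header, while the copied ToS byte stays visible in both modes.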
The system must possess the ability to configure QoS features.
See the following sections for configuration tasks for the QoS for VPNs feature. Each task in the list indicates whether the task is optional or required.
For Generic Routing Encapsulation (GRE) and IP in IP (IPIP) tunnel protocols, the command is applied on the tunnel interface, making QoS for VPNs a configuration option on a per-tunnel basis.
For Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) protocols, the command is applied on the virtual-template interface. L2TP clients belonging to identical VPDN groups inherit the preclassification setting. The command can be configured on a per-VPDN tunnel basis.
For IPSec tunnels, the command is applied on the crypto map, allowing configuration on a per-tunnel basis. QoS features on the physical interface carrying the crypto map are able to classify packets before encryption.
The QoS for VPNs feature, which is enabled by the qos pre-classify command, is restricted to tunnel and virtual-template interfaces, and crypto map configuration submodes.
| Step | Command | Purpose |
|---|---|---|
| | | Enters interface configuration mode and specifies the tunnel or virtual interface to configure. |
| | | Enables the QoS for VPNs feature. |

| Step | Command | Purpose |
|---|---|---|
| | | Enters crypto map configuration mode and specifies the previously defined crypto map to configure. |
| | | Enables the QoS for VPNs feature. |
Use the show interfaces or show crypto map commands to verify that the QoS for VPNs feature has been successfully enabled on your router.
To verify that the QoS for VPNs feature has been successfully enabled on your router, use the show interfaces command. The following line in the output verifies that the QoS for VPNs feature is successfully enabled:
Queuing Strategy: fifo (QOS pre-classification)
Router#show interfaces
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Ethernet 3/2 (13.0.0.2)
  MTU 1476 bytes, BW 9 Kbit, DLY 500000usec, reliability 255/255. txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec)
  Tunnel source 13.0.0.2 (Ethernet 3/2), destination 13.0.0.1
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Checksumming of packets disabled, fast tunneling enabled
  Last input never, output 00:07:29, output hang never
  Last clearing of "show interface" counters 1d05h
  Queuing Strategy: fifo (QOS pre-classification)
To verify that the QoS for VPNs feature has been successfully enabled on your router, use the show crypto map command. The following line in the output verifies that the QoS for VPNs feature is successfully enabled:
QoS pre-classification

Router#show crypto map
Crypto Map "testtag" 10 ipsec-isakmp
  Peer = 13.0.0.1
  Extended IP access list 102
    access-list 102 permit gre host 13.0.0.2 host 13.0.0.1
  Current peer:13.0.0.1
  Security association lifetime: 4608000 kilobytes/86400 seconds
  PFS (Y/N): N
  Transform sets={ proposal1,}
  QoS pre-classification
The show queue command output displays packet information, including whether the packet is preclassified. In a congested environment, using the show queue command might assist in evaluating the environment and reconfiguring your router.
| Command | Purpose |
|---|---|
| | Displays information regarding the tunnel or the virtual template, including the queueing strategy. |
| | Displays information regarding the crypto map. If the QoS for VPNs feature is enabled, a "QOS Preclassification" line will appear in the command output. |
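The verification steps above can be automated over captured command output. The following is an added example, not part of the original Cisco document: it reports which tunnel or virtual-template interfaces and which crypto map entries lack the pre-classification marker. The Tunnel1 interface and the "legacy" crypto map are constructed here to show the failing case, and the assumption is that the marker line is simply absent when the feature is off.

```python
import re

# Constructed sample: Tunnel0 and "testtag" follow the page's output (abridged);
# Tunnel1 and "legacy" are invented here to show entries without the feature.
SHOW_INTERFACES = """\
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Queuing Strategy: fifo (QOS pre-classification)
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Queuing Strategy: fifo
"""
SHOW_CRYPTO_MAP = """\
Crypto Map "testtag" 10 ipsec-isakmp
  Peer = 13.0.0.1
  Transform sets={ proposal1,}
  QoS pre-classification
Crypto Map "legacy" 10 ipsec-isakmp
  Peer = 13.0.0.1
  Transform sets={ proposal1,}
"""

IFACE = re.compile(r"^(\S+) is .*line protocol is")
CMAP = re.compile(r'^Crypto Map "([^"]+)" (\d+)')
QUEUE = re.compile(r"Queue?ing strategy:.*\(QOS pre-classification\)", re.I)

def audit(text, header, enabled):
    """Map each block (keyed by its header fields) to True if any line satisfies `enabled`."""
    result, current = {}, None
    for line in text.splitlines():
        m = header.match(line)
        if m:
            current = " ".join(m.groups())
            result[current] = False
        elif current and enabled(line):
            result[current] = True
    return result

def audit_tunnels(text):
    # The command is restricted to tunnel and virtual-template interfaces,
    # so other interface types in the output are not reported.
    report = audit(text, IFACE, lambda l: bool(QUEUE.search(l)))
    return {n: ok for n, ok in report.items() if n.startswith(("Tunnel", "Virtual-"))}

def audit_crypto_maps(text):
    return audit(text, CMAP, lambda l: l.strip().lower() == "qos pre-classification")

def missing(report):
    return sorted(name for name, ok in report.items() if not ok)
```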
This section provides the following configuration examples:
In the following example, tunnel0 is the tunnel name. The qos pre-classify command enables the QoS for VPNs feature on tunnel0:
Router(config)#interface tunnel0
Router(config-if)#qos pre-classify
In the following example, virtual-template1 is the virtual-template name. The qos pre-classify command enables the QoS for VPNs feature on virtual-template1:
Router(config)#interface virtual-template1
Router(config-if)#qos pre-classify
In the following example, secured-partner-X is the crypto map name. The qos pre-classify command enables the QoS for VPNs feature on secured-partner-X:
Router(config)#crypto map secured-partner-X
Router(config-crypto-map)#qos pre-classify
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
To enable QoS preclassification, use the qos pre-classify command. Use the no form of this command to disable the QoS preclassification feature.
qos pre-classify
no qos pre-classify
This command has no arguments or keywords.
Default: Disabled
Command mode: Interface configuration
| Release | Modification |
|---|---|
| 12.0(5)XE3 | This command was introduced. |
This command is restricted to tunnel interfaces, virtual templates, and crypto maps. The qos pre-classify command is unavailable on all other interface types.
The qos pre-classify command can be enabled for IP packets only.
The following example enables the QoS for VPNs feature:
router(config-if)#qos pre-classify
| Command | Description |
|---|---|
| show interfaces | Displays the contents of an interface. |
| show queue | Displays the contents of a queue. |
QoS: Quality of Service. QoS refers to the capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks that may use any or all of these underlying technologies.
Posted: Tue Nov 16 17:42:03 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.