When a packet is encapsulated using GRE for instance or encrypted using IPSec, by default, Cisco IOS router copies the ToS (Type of Service) byte into the new IP header of encapsulated/ encrypted packet from the original IP header. This allows the ISP to look up at least ToS byte to perform QoS functions.
However, in some case you might want to perform QoS features on the egress (i.e. outgoing interface towards ISP on R2 router above). But then the outgoing packets could be encrypted/encapsulated and original IP header information is not available.
Cisco IOS has a feature called QoS Pre-classification. On VPN endpoints, we can refer to the original IP header for QoS decisions even after the packet is encapsulated or encrypted. The IOS keeps the original unencrypted packet in the memory until QoS actions are taken.
QoS for IPSec VPN:
First, QoS for IPSec VPN is illustrated here. An IPSec VPN is setup between R2 and R3 routers. All ICMP traffic originating from R1 router towards R4 router and in reverse direction, will be forced through IPSec VPN.
Case 1: No QoS Pre-classification on R2 router and R1 router sends ICMP traffic with ToS = 160 (i.e IP Precedence = 5)
Now R1 router sends ICMP traffic to R4 router with IP Precedence 5 (ToS 160). By default, the ToS byte will be copied to the new IP header. So the following output shows that R2 router can recognize IP Precedence 5 packets from R1 router on its outgoing interface. However, the packet count for ESP traffic is 0. The reason being the IP Precedence 5 packets are matched first on R1 router since the policy-map has the IP Precedence 5 matching class before ESP/IPSec matching class.
Case 2: No QoS Pre-classification on R2 router and R1 router sends traffic with no IP Precedence values
This time the PREC_5 does not match the traffic since there is no IP Precedence values in the ICMP packets. However, the packets are recognized as ESP packets and hence classified by IPSEC_TRAFFIC class-map. This information is not useful and hence QoS Pre-classification is required.
Case 3: QoS Pre-classification on R2 router
The QoS Pre-classify feature can be enabled under crypto-map configuration. Another class-map matching ICMP traffic is added.
The output shows that now R2 can recognize the type of packet encrypted by IPSec. It can figure out that the encrypted traffic is ICMP.
However, in some case you might want to perform QoS features on the egress (i.e. outgoing interface towards ISP on R2 router above). But then the outgoing packets could be encrypted/encapsulated and original IP header information is not available.
Cisco IOS has a feature called QoS Pre-classification. On VPN endpoints, we can refer to the original IP header for QoS decisions even after the packet is encapsulated or encrypted. The IOS keeps the original unencrypted packet in the memory until QoS actions are taken.
QoS for IPSec VPN:
First, QoS for IPSec VPN is illustrated here. An IPSec VPN is setup between R2 and R3 routers. All ICMP traffic originating from R1 router towards R4 router and in reverse direction, will be forced through IPSec VPN.
Case 1: No QoS Pre-classification on R2 router and R1 router sends ICMP traffic with ToS = 160 (i.e IP Precedence = 5)
Now R1 router sends ICMP traffic to R4 router with IP Precedence 5 (ToS 160). By default, the ToS byte will be copied to the new IP header. So the following output shows that R2 router can recognize IP Precedence 5 packets from R1 router on its outgoing interface. However, the packet count for ESP traffic is 0. The reason being the IP Precedence 5 packets are matched first on R1 router since the policy-map has the IP Precedence 5 matching class before ESP/IPSec matching class.
Case 2: No QoS Pre-classification on R2 router and R1 router sends traffic with no IP Precedence values
This time the PREC_5 does not match the traffic since there is no IP Precedence values in the ICMP packets. However, the packets are recognized as ESP packets and hence classified by IPSEC_TRAFFIC class-map. This information is not useful and hence QoS Pre-classification is required.
Case 3: QoS Pre-classification on R2 router
The QoS Pre-classify feature can be enabled under crypto-map configuration. Another class-map matching ICMP traffic is added.
The output shows that now R2 can recognize the type of packet encrypted by IPSec. It can figure out that the encrypted traffic is ICMP.
No comments:
Post a Comment