Qos Over Vpn Features; Configuring Qos On A Physical Interface; Configuring Qos On A Virtual Tunnel Interface - Enterasys Security Router X-PeditionTM User Manual

Enterasys security router user's guide

QoS on VPN
The XSR offers you two choices in applying a QoS service policy: before encryption, on the VPN tunnel (virtual VPN) interface, or after encryption, on the underlying physical interface.
Copying the ToS byte raises security concerns you must address. As described in
RFCs 2475 and 2983, copying ToS bits is not always desirable: packets carrying
different ToS values may reveal characteristics of the tunneled traffic, and they may
be susceptible to Denial of Service attacks if a hacker alters the ToS bits and resends the
packets. So, the decision to configure this feature is yours. The XSR supports the following
QoS on VPN scenarios:
QoS on a physical interface - If you want to classify packets based solely on the outer header,
apply your service policy to the physical interface (e.g., S1/1.1).
QoS on the virtual tunnel interface - If you want to classify packets based on the inner header,
before encryption, apply your service policy to the virtual tunnel interface (e.g., VPN1).

QoS over VPN Features

The XSR supports the following QoS over VPN features:
QoS on a physical interface
QoS on a VPN virtual interface, configured with the service-policy command
Values set on a VPN interface apply to all supported protocols, e.g., GRE, IPSec, PPTP and L2TP
Packet classification, marking, policing and shaping
ToS bit copy option during encapsulation/decapsulation with the copy-tos command
On multi-point virtual interfaces, the QoS policy map is configured on the virtual interface.
When a connection is established with a particular user, the policy map is applied to that
neighbor and all neighbors are configured with the same policy map.
Control traffic traversing the virtual interface (RIP, OSPF, etc.) is internally marked and
prioritized on the output physical interface.
Classifying, marking and policing are not available for IPSec site-to-site tunnels that do not employ
the VPN interface, but ToS bit copying is supported. Copying the ToS bit is configurable per peer
with the crypto isakmp peer command. When ToS bit copying is configured both on a VPN
interface and for a peer, the peer configuration takes precedence.

Configuring QoS on a Physical Interface

QoS applied to physical interfaces with a crypto map is not significantly different from QoS
applied to other interfaces. Keep in mind that QoS set on an interface with a crypto
map classifies flows using the outer header of already encrypted packets. As mentioned earlier
in this section, the inner header is encrypted, so QoS cannot classify packets based on the user
(inner) header. The only exception to this rule is the ToS byte. If you configure copy-tos, the
inner header ToS byte is copied to the outer header and becomes accessible to QoS.
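The following is an added model, not XSR code, of what a classifier can see under the two placements described above and of the RFC 2983 concern raised earlier: a service policy on VPN1 sees the inner ToS byte, a service policy on S1/1.1 sees only the outer header, and with copy-tos enabled an on-path observer can distinguish the traffic mix from the outer ToS alone. The default outer ToS, the DSCP-to-class mapping, the flows and the toy "encryption" are all constructed assumptions.

```python
from dataclasses import dataclass

DEFAULT_OUTER_TOS = 0x00  # assumed outer ToS when copy-tos is off (placeholder, not an XSR default)

@dataclass
class Packet:
    src: str
    dst: str
    tos: int              # ToS byte; DSCP occupies the top six bits
    payload: bytes = b""

@dataclass
class TunnelPacket:
    outer: Packet         # cleartext outer IP header, visible on S1/1.1
    ciphertext: bytes     # inner header + payload, opaque after ESP

def classify(tos: int) -> str:
    """Class-map stand-in: map the DSCP value of a ToS byte to a traffic class (assumed mapping)."""
    dscp = tos >> 2
    if dscp == 46:                 # EF
        return "voice"
    if dscp in (26, 34):           # AF31, AF41
        return "business"
    return "best-effort"

def encapsulate(inner: Packet, peer_src: str, peer_dst: str, copy_tos: bool) -> TunnelPacket:
    """Tunnel-mode encapsulation: the whole inner packet becomes ciphertext."""
    plaintext = f"{inner.src}>{inner.dst}:{inner.tos}:".encode() + inner.payload
    ciphertext = bytes(b ^ 0x5A for b in plaintext)  # toy stand-in for ESP (constructed)
    outer_tos = inner.tos if copy_tos else DEFAULT_OUTER_TOS
    return TunnelPacket(Packet(peer_src, peer_dst, outer_tos), ciphertext)

def classify_on_vpn_interface(inner: Packet) -> str:
    """service-policy on VPN1: runs before encryption, so the inner header is visible."""
    return classify(inner.tos)

def classify_on_physical_interface(tp: TunnelPacket) -> str:
    """service-policy on S1/1.1: runs after encryption, so only the outer header is visible."""
    return classify(tp.outer.tos)

# Constructed sample flows behind the tunnel: one EF-marked voice stream, one unmarked bulk transfer.
FLOWS = [Packet("10.1.1.5", "10.2.2.7", 46 << 2, b"rtp"),
         Packet("10.1.1.9", "10.2.2.3", 0, b"ftp-data")]

def compare(copy_tos: bool) -> list:
    """(class seen on VPN1, class seen on S1/1.1) for each flow under the given copy-tos setting."""
    out = []
    for pkt in FLOWS:
        tp = encapsulate(pkt, "192.0.2.1", "198.51.100.1", copy_tos)
        out.append((classify_on_vpn_interface(pkt), classify_on_physical_interface(tp)))
    return out

def distinct_outer_tos(copy_tos: bool) -> int:
    """ToS values an on-path observer sees; more than one reveals the tunneled traffic mix (RFC 2983)."""
    return len({encapsulate(p, "192.0.2.1", "198.51.100.1", copy_tos).outer.tos for p in FLOWS})
```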

Configuring QoS on a Virtual Tunnel Interface

QoS on a virtual VPN tunnel requires classification to be applied before encryption (hardware or
software). The VPN interface represents a point-to-point tunnel, and as each tunnel represents a
tunnel encapsulation mechanism, this process may also involve copying ToS bits from the inner to
12-18 Configuring Quality of Service
