10-4 Quality of Service for VPNs

  • IP packets are classified before they are encrypted and sent over a VPN tunnel.

  • QoS classification is performed based on the original source and destination addresses and port numbers.

  • If a packet is fragmented after encryption, only the first fragment can be preclassified.

  • GRE, IP-in-IP, L2F, L2TP, and IPSec tunnels are all supported.

Configuration

  1. (GRE tunnel) Specify a VPN tunnel interface:

     (global) interface tunnel-name

  2. (L2F or L2TP tunnel) Specify a VPN virtual template interface:

     (global) interface virtual-template-name

    For a Layer 2 Forwarding (L2F) or Layer 2 Tunneling Protocol (L2TP) tunnel, specify the virtual template interface.

  3. (IPSec tunnel) Specify the IPSec crypto map:

     (global) crypto map map-name

    If an IPSec tunnel is used, specify the crypto map itself, rather than an interface.

  4. Enable QoS preclassification on the tunnel:

     (interface or crypto-map) qos pre-classify

QoS for VPNs Example

A crypto map is configured for an IPSec tunnel to peer 4.3.50.234. QoS preclassification is performed on traffic that matches the crypto map, before the encryption is performed.

  access-list 102 permit ip 192.3.3.0 0.0.0.255 192.168.200.0 0.0.0.255
  crypto map Clients 10 ipsec-isakmp
   match address 102
   set peer 4.3.50.234
   set transform-set basic-3des
   qos pre-classify
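The crypto map above enables preclassification but shows no policy that uses it. The following added example (not from the book) attaches an output service policy that classifies on the original, pre-encryption addresses and ports; ACL 110, the class and policy names, TCP port 1433, the 256-kbps figure, and interface Serial0/0 are assumptions chosen for illustration.

```ios
! Added example, not from the book. ACL 110, INNER-SQL, VPN-OUT,
! port 1433, 256 kbps and Serial0/0 are illustrative assumptions.
!
! Crypto ACL from the example above: selects traffic to encrypt
access-list 102 permit ip 192.3.3.0 0.0.0.255 192.168.200.0 0.0.0.255
!
! Classification ACL: written against the ORIGINAL (inner) header,
! including the TCP port that is hidden once the packet is encrypted
access-list 110 permit tcp 192.3.3.0 0.0.0.255 192.168.200.0 0.0.0.255 eq 1433
!
class-map match-all INNER-SQL
 match access-group 110
!
policy-map VPN-OUT
 class INNER-SQL
  bandwidth 256
 class class-default
  fair-queue
!
! Crypto map from the example above, with preclassification enabled
crypto map Clients 10 ipsec-isakmp
 match address 102
 set peer 4.3.50.234
 set transform-set basic-3des
 qos pre-classify
!
! The policy is applied on the physical interface that carries the
! encrypted traffic, alongside the crypto map
interface Serial0/0
 crypto map Clients
 service-policy output VPN-OUT
```

Without `qos pre-classify`, the output policy sees only the encrypted packet between the tunnel endpoints, so ACL 110 would never match. The per-class counters in `show policy-map interface Serial0/0` confirm whether INNER-SQL is matching traffic.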


Cisco Field Manual: Router Configuration
ISBN: 1587050242
EAN: N/A
Year: 2005
Pages: 185
