IP packets are classified before they are encrypted and sent over a VPN tunnel.
QoS classification is performed based on the original source and destination addresses and port numbers .
If a packet is fragmented after encryption, only the first fragment can be preclassified.
GRE, IP-in-IP, L2F, L2TP, and IPSec tunnels are all supported.
(GRE tunnel) Specify a VPN tunnel interface:
(global) interface tunnel-name
(L2F or L2TP tunnel) Specify a VPN virtual template interface:
(global) interface virtual-template-name
For a Layer 2 Forwarding (L2F) or Layer 2 Tunneling Protocol (L2TP), specify the virtual template interface.
(IPSec tunnel) Specify the IPSec crypto map:
(global) crypto map map-name
If an IPSec tunnel is used, specify the crypto map itself, rather than an interface.
Enable QoS preclassification on the tunnel:
(interface or crypto-map) qos pre-classify
A crypto map is configured for an IPSec tunnel to peer 4.3.50.234. QoS preclassification is performed on traffic that matches the crypto map, before the encryption is performed.
access-list 102 permit ip 192.3.3.0 0.0.0.255 192.168.200.0 0.0.0.255 crypto map Clients 10 ipsec-isakmp match address 102 set peer 4.3.50.234 set transform-set basic-3des qos pre-classify