Monday, October 10, 2011

How to configure QOS with IPSEC VPN

In this blogtorial we will discuss how to do QOS with IPSec and the challenges that are associated with it. 

Consider the topology below and let's get started. 

Relevant configurations are posted below. 

This topology is very simple. We have 2 routers, and we will build an IPSec over GRE tunnel and perform QOS on it.

Please note that we will be creating an IPSec Tunnel in "Tunnel Mode", which is the default mode. There is also an IPSec transport mode, in which the packet does not contain the GRE IP header. 

The problem with QOS on VPN is that by the time the packet is encapsulated by IPSec, most of the data that we can use to classify packets is already encapsulated. There is TOS byte preservation, in which the TOS byte field from the original header is copied to the newly created IPSec header. But what if you wanted to classify traffic based on port numbers or any other criteria? Below you will find how we can use 'qos pre-classify' to match on port numbers, source/destination IP, and so on.

First let's get the R1 and R2 interfaces configured so we have basic Layer 3 connectivity.


Next let's get the crypto parameters and the access-list 101 configured.



Now apply the crypto map to the Ser1/0 interface on both routers and the ping packets should be IPSEC encapsulated. 


Now let's create a very simple QOS policy and apply it to the ser1/0 interface on R1 and see what happens.


What are we doing above? 
  1. We are creating an access-list to match any telnet traffic.
  2. We are creating a class-map to match the access-list we created. 
  3. We are creating a policy-map to match the class-map and reserve 30% of the bandwidth for it.
  4. We are applying it to the R1 Serial 1/0 interface in the egress direction. 

Now let's telnet from R1 to R2 and see if the policy map is taking effect and the telnet packets are getting classified. 


As you can see, neither counter (access-list 120 or the class-map telnet) is increasing. So clearly the packets are not being matched and policed. Why?

Because by the time the telnet packets are encapsulated, information such as port numbers isn't available for the router to classify/match the traffic. 

This is where 'qos pre-classify' comes in. The 'qos pre-classify' command enables the router to clone the IPv4 header information prior to encapsulation and match on it after the packets have been encapsulated. This gives us the ability to match on much more than just the TOS byte, such as port numbers, source/destination IP, and so on. 


Note that we have to apply qos pre-classify under both the crypto map and the tunnel interface. 
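The R1 side of the configuration walked through above, written out as an added example rather than the configuration screenshots from the original post. The tunnel number, the crypto map and policy-map names, the transform-set, the pre-shared key and all addresses are assumptions; access-lists 101 and 120, the class-map telnet, the 30% reservation, Serial1/0 and the two 'qos pre-classify' locations come from the post.

```cisco
! R1 configuration, added example (assumptions: Tunnel0, crypto map VPNMAP,
! policy-map QOS-OUT, transform-set TS, 192.168.12.0/30 between the Serial1/0
! interfaces and 10.0.0.0/30 inside the tunnel). R2 mirrors it with .1/.2 swapped.
!
! Phase 1/2 crypto parameters (the pre-shared key is a placeholder)
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 192.168.12.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL 101 (from the post): protect the GRE traffic between the tunnel endpoints
access-list 101 permit gre host 192.168.12.1 host 192.168.12.2
!
! Step 1: access-list 120 matches telnet in either direction
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any eq telnet any
!
! Step 2: class-map referencing the access-list
class-map match-all telnet
 match access-group 120
!
! Step 3: policy-map reserving 30% of the interface bandwidth for the class
policy-map QOS-OUT
 class telnet
  bandwidth percent 30
!
! qos pre-classify goes in BOTH places: the crypto map and the tunnel interface
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.168.12.2
 set transform-set TS
 match address 101
 qos pre-classify
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 192.168.12.2
 qos pre-classify
!
! Step 4: the policy is applied on the physical egress interface next to the crypto map
interface Serial1/0
 ip address 192.168.12.1 255.255.255.252
 crypto map VPNMAP
 service-policy output QOS-OUT
!
! Verify with: show access-lists 120  /  show policy-map interface Serial1/0
```

Without the two 'qos pre-classify' lines the telnet counters stay at zero exactly as shown in the post; with them, both the access-list 120 hits and the class-map telnet packet count move when you telnet across the tunnel.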

Now let's telnet to R2 and see the difference. 


Notice that both counters (access-list 120 and class-map telnet) are increasing. 


In summary, we can do QOS on IPSEC VPN by taking advantage of TOS byte preservation; however, to do QOS based on other information, such as port numbers, we will have to use 'qos pre-classify'. 

Many more articles to come, so stay tuned.