© 2006 Cisco Systems, Inc. All rights reserved. ONT v
Implement the DiffServ QoS Model
Implementing QoS Preclassify
Virtual Private Networks
Virtual Private Networks
A VPN carries private traffic over a public network, using encryption and tunnels to protect:
– Confidentiality of information
– Integrity of data
– Authentication of the communicating parties (data origin authentication)
VPN Types
Remote access:
– Client-initiated
– Network access server
Site-to-site:
– Intranet
– Extranet
Encryption Overview
VPN Protocols
Protocol   Description                     Standard
GRE        Generic Routing Encapsulation   RFC 1701, RFC 1702, RFC 2784
IPsec      Internet Protocol Security      RFC 4301
Implementing QoS with Preclassification
QoS Preclassify
VPNs are growing in popularity, and with them the need to classify the individual traffic flows carried inside a tunnel. QoS preclassify is a Cisco IOS feature that lets the router classify a packet on its original headers before tunnel encapsulation and encryption hide them. Preclassification therefore allows per-flow queuing, policing and shaping to be applied to tunneled traffic when the physical interface is congested, instead of treating the whole tunnel as one flow.
QoS Preclassify Applications
QoS Preclassify Applications
When packets are encapsulated by tunnel or encryption headers, QoS features can no longer examine the original packet headers (the inner IP addresses, protocol and TCP/UDP ports) and so cannot classify the packets correctly. All packets traveling across the same tunnel carry the same tunnel headers, so they are treated identically when the physical interface is congested.
GRE Tunneling
ToS classification of encapsulated packets is based on the tunnel header. By default, the ToS field of the original packet header is copied to the ToS field of the GRE tunnel header, so DSCP- or precedence-based classification keeps working after encapsulation; classification on any other inner field does not. GRE tunnels are commonly used to provide dynamic routing resilience over IPsec, because the routing protocols' multicast traffic can be carried inside GRE but not directly by IPsec, which adds a second layer of encapsulation.
IPsec AH
IPsec AH provides authentication only and does not perform encryption. With tunnel mode, the ToS byte value is copied automatically from the original IP header to the tunnel header. With transport mode, the original header is used, and therefore the ToS byte is accessible. In both modes the ToS byte is a mutable field that AH excludes from its integrity check, so intermediate devices can remark it without breaking authentication; the corollary is that the ToS value itself is not integrity-protected.
IPsec ESP
IPsec ESP supports both authentication and encryption. An ESP packet consists of an unencrypted header followed by encrypted data and an encrypted trailer. With tunnel mode, the ToS byte value is copied automatically from the original IP header to the tunnel header, while the entire original IP header and transport header are encrypted. With transport mode, the original IP header (and its ToS byte) stays in the clear, but the TCP/UDP header is encrypted, so port-based classification still requires preclassification. Note that the copied ToS byte is cleartext on the outer header: the DiffServ class of the encrypted payload is visible to anyone on the path and should be treated as disclosed metadata.
QoS Preclassification Deployment Options
QoS Preclassification Deployment Options
Tunnel interfaces support many of the same QoS features as physical interfaces. In VPN environments, a QoS service policy can be applied to the tunnel interface or to the underlying physical interface. A policy on the tunnel interface sees the packet before encapsulation, so it can classify on the original headers without preclassification, but a logical interface never reports congestion, so queuing there only takes effect under a shaper. A policy on the physical interface sees the packet after encapsulation (and, with IPsec, after encryption), so the only original field still visible is the copied ToS byte. The decision about whether to configure the qos pre-classify command therefore depends on which header is used for classification.
QoS Preclassification Deployment Options (Cont.)
Note: ToS byte copying is done by the tunneling mechanism and not by the qos pre-classify command.
IPsec and GRE configuration:
!
crypto map static-crypt 1 ipsec-isakmp
 qos pre-classify
 set peer ….etc
!
interface Tunnel 0
 etc..
 qos pre-classify
 crypto map static-crypt
!
interface Ethernet 0/1
 service-policy output minbwtos
 crypto map static-crypt
!
QoS preclassify gives the service policy on Ethernet 0/1 access to the original IP header values. QoS preclassify is not required if classification is based only on the original ToS value, because the tunneling mechanism copies that value into the new header by default.
Configuring QoS Preclassify
router(config-if)# qos pre-classify
Enables the QoS preclassification feature. This command is restricted to tunnel interfaces, virtual templates, and crypto maps.
GRE Tunnels
router(config)# interface tunnel0
router(config-if)# qos pre-classify
IPsec Tunnels
router(config)# crypto map secured-partner
router(config-crypto-map)# qos pre-classify
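The following is a complete GRE-over-IPsec configuration covering both deployment options from the preceding slides. It is an added example, not Cisco course material: it assumes Serial0/0 as the WAN interface, the RFC 5737 documentation addresses 203.0.113.1 and 203.0.113.2 for the tunnel endpoints, the class, policy and crypto-map names shown, and a pre-shared key placeholder that must be replaced. The VOICE class matches on DSCP EF and works with or without preclassification, because the tunnel copies the ToS byte; the SIP-SIGNALING class matches on port 5060 inside the tunnel and only works on the physical interface because qos pre-classify exposes the original header.

```cisco
! Added example, not Cisco course material. Assumed: Serial0/0 as the WAN
! interface, 203.0.113.0/30 (RFC 5737 documentation range) for the tunnel
! endpoints, and the class/policy/crypto-map names below.
!
! Class 1: matches DSCP EF. Works with or without qos pre-classify, because
! GRE and IPsec copy the inner ToS byte to the outer header by default.
class-map match-all VOICE
 match ip dscp ef
!
! Class 2: matches SIP on port 5060. After GRE+ESP encapsulation the ports
! are encrypted, so this class only matches when qos pre-classify is enabled.
ip access-list extended SIP
 permit udp any any eq 5060
 permit tcp any any eq 5060
class-map match-all SIP-SIGNALING
 match access-group name SIP
!
policy-map WAN-EDGE
 class VOICE
  priority 512
 class SIP-SIGNALING
  bandwidth 64
 class class-default
  fair-queue
!
! IKE/IPsec parameters (illustrative; replace the key placeholder).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.2
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
! Only the GRE traffic between the two endpoints is protected by this map.
ip access-list extended GRE-TO-PEER
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map VPN 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address GRE-TO-PEER
 qos pre-classify
!
! qos pre-classify on the tunnel covers GRE encapsulation; the copy in the
! crypto map covers ESP encryption. Both are needed for GRE over IPsec.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 qos pre-classify
!
! Option A: classify and queue on the physical interface (post-encapsulation).
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 service-policy output WAN-EDGE
 crypto map VPN
!
! Option B (instead of the service-policy on Serial0/0): apply the policy to
! the tunnel. The classifier sees the packet before encapsulation, so the
! SIP class matches without qos pre-classify, but a logical interface never
! reports congestion, so a parent shaper is needed to trigger queuing.
policy-map TUNNEL-SHAPE
 class class-default
  shape average 1536000
  service-policy WAN-EDGE
interface Tunnel0
 service-policy output TUNNEL-SHAPE
```

The earlier slide applies the crypto map to both the tunnel and the physical interface; this example applies it to the physical interface only, which is sufficient on current IOS releases. Use either option A or option B for a given tunnel, not both, and size the shaper in option B to the physical link rate so the child queues engage before the serial interface congests.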
QoS Preclassify: Example
Summary
– A VPN is defined as network connectivity deployed on a shared infrastructure with the same policies and security as a private network, and it offers encryption, data integrity and origin authentication.
– The QoS preclassify feature is designed for tunnel interfaces. IPsec and GRE support QoS preclassification.
– When packets are encapsulated by tunnel or encryption headers, QoS features are unable to examine the original packet headers and correctly classify the packets.
– QoS preclassify is enabled by the qos pre-classify Cisco IOS software command.