
Cisco – QoS pre-classify

Think about where the encryption is taking place. Once a packet is encrypted – the original IP/ethernet headers are no longer accessible – only the new header is.

When traffic is encrypted at the tunnel and the QoS policy is applied to the tunnel virtual interface, classification occurs on the original header when the packet reaches that interface, so it is accurate from that point forward. If you have a tunnel but the QoS policy is configured on the physical interface, your original packet header was already processed at the tunnel interface and is now encapsulated in GRE/IPsec. Any QoS classifications at that point which are meant to be copied into the new packet header will not reflect the original packet’s markings.

If you enable qos pre-classify, a copy of the QoS markings is stored in a cache, because you’ve told the router that the packet will be processed by a QoS policy later. The QoS policy reads these cached markings when the packet reaches the physical interface, and they can be used to mark the final packet that will leave the interface.

Example

Asymmetric Satellite Link with 100kbps uplink

In the example below, there is a DMVPN tunnel between the two sites. We want to guarantee 90% of the bandwidth to the application using TCP port 5450. We’re also reserving 5% of the bandwidth for things like ISAKMP and exterior routing protocols (interior routing protocols are automatically given highest priority).

We’re also adding “queue-limit 15” because of the VPN tunnel: by default, the VPN tunnel has the anti-replay feature enabled, so you don’t want packets to be delayed in the queue. You want the packets dropped instead, so you reduce the queue limit to 15 packets.

conf t
ip access-list extended TCP_5450_ACL
 permit tcp host 192.168.10.1 host 10.10.10.1 eq 5450

ip access-list extended IKE_QoS_ACL
 permit udp any eq isakmp any eq isakmp

class-map match-all TCP_5450
 match access-group name TCP_5450_ACL

class-map match-any Routing_and_ISAKMP
 match ip dscp cs6
 match access-group name IKE_QoS_ACL

policy-map QoS
 class TCP_5450
  bandwidth percent 90
  queue-limit 15

 class Routing_and_ISAKMP
  bandwidth percent 5

 class class-default
  fair-queue
  queue-limit 15

interface tunnel1
 qos pre-classify

interface GigabitEthernet0
 bandwidth 100
 service-policy output QoS
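
The following Python model is an added example, not part of the original post and not Cisco code. It replays the class-maps above against what the physical interface sees, with and without qos pre-classify. The tunnel endpoint addresses, the source port 40000, and the Header/Packet types are constructed for illustration; the model assumes ESP encapsulation and that the ToS byte is carried into the outer header.

```python
from dataclasses import dataclass
from typing import Optional

CS6 = 48  # decimal DSCP value of cs6

@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "esp"
    sport: int = 0
    dport: int = 0
    dscp: int = 0

@dataclass(frozen=True)
class Packet:
    header: Header                     # header the physical interface sees
    cached: Optional[Header] = None    # original header kept by qos pre-classify

def classify(h: Header) -> str:
    """Evaluate the classes of policy-map QoS in order against one header."""
    # class TCP_5450: match access-group name TCP_5450_ACL
    if (h.proto, h.src, h.dst, h.dport) == ("tcp", "192.168.10.1", "10.10.10.1", 5450):
        return "TCP_5450"
    # class Routing_and_ISAKMP: match-any dscp cs6 / IKE_QoS_ACL
    if h.dscp == CS6 or (h.proto, h.sport, h.dport) == ("udp", 500, 500):
        return "Routing_and_ISAKMP"
    return "class-default"

def encapsulate(inner, pre_classify, tun_src="198.51.100.1", tun_dst="203.0.113.1"):
    """Tunnel interface: wrap the packet in ESP; cache the inner header if asked."""
    outer = Header(tun_src, tun_dst, "esp", dscp=inner.dscp)  # ToS carried over (model assumption)
    return Packet(outer, cached=inner if pre_classify else None)

def physical_output_class(pkt: Packet) -> str:
    """service-policy output QoS on the physical interface."""
    return classify(pkt.cached or pkt.header)

# Constructed sample traffic
APP = Header("192.168.10.1", "10.10.10.1", "tcp", sport=40000, dport=5450)
IKE = Packet(Header("198.51.100.1", "203.0.113.1", "udp", sport=500, dport=500))

if __name__ == "__main__":
    print("app, no pre-classify:", physical_output_class(encapsulate(APP, False)))
    print("app, pre-classify:   ", physical_output_class(encapsulate(APP, True)))
    print("IKE (not tunneled):  ", physical_output_class(IKE))
```

Without the cached header the application flow falls into class-default and loses its 90% guarantee; ISAKMP is sent by the router outside the tunnel, so its ACL matches on the physical interface either way.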

Copyright © 2012-2017 Yared Consulting Inc. All Rights Reserved.