cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.

924
Views
0
Helpful
4
Replies
William F King
Beginner

Multisite Quality - IPSEC VPN and QOS

A customer with UC560's and a 4-site multisite configuration built by CCA 2.2(5) is having voice quality issues on multisite calls. I see that the "qos pre-classify" is applied to the WAN interfaces.There are no other quality issues, i.e., the PSTN SIP provider traffic, traffic shaping is enabled and configured on the WAN intfc.

My understanding is that the QOS is not "visible" to any devices AFTER leaving the UC560 because of the IPSEC VPN. Is there a OOB or other method that can be used so that QOS is visible to devices between the UC560's? Testing and the configuration seem to indicate that the problems occurs on the Internet or on the ISP equipment.  All sites in the multisite relationship have at least T1 circuits.

4 REPLIES 4
Nathan Compton
Enthusiast

Here is some information straight from the QOS SRND to answer some of your questions about preclassify:

QoS for Virtual Private Networks

The QoS for Virtual Private Networks (VPNs) feature is designed for tunnel interfaces. When the feature is enabled, the QoS features on the output interface classify packets before encryption, allowing traffic flows to be adjusted in congested environments. The result is more effective packet tunneling.

The QoS for VPNs feature provides a solution for making Cisco IOS QoS services operate in conjunction with tunneling and encryption on an interface. Cisco IOS software can classify packets and apply the appropriate QoS service before the data is encrypted and tunneled. The QoS for VPN feature allows users to look inside the packet so that packet classification can be done based on original port numbers and based on source and destination IP addresses. This allows the service provider to treat mission-critical or multiservice traffic with higher priority across its network.

To use this feature, the system must be able to configure QoS features.

Configuring QoS for VPNs

The QoS for VPNs feature, which is enabled by the qos pre-classify command, is restricted to tunnel and virtual template interfaces, and crypto map configuration submodes.

For generic routing encapsulation (GRE) and IP in IP (IPIP) tunnel protocols, the qos pre-classify command is applied on the tunnel interface, making QoS for VPNs a configuration option on a per-tunnel basis.

For Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) protocols, the qos pre-classify command is applied on the virtual template interface. L2TP clients belonging to identical virtual private dial-up network (VPDN) groups inherit the preclassification setting. The qos pre-classify command can be configured on a per-VPDN tunnel basis.

For IPSec tunnels, the qos pre-classify command is applied on the crypto map, allowing configuration on a per-tunnel basis. QoS features on the physical interface carrying the crypto map are able to classify packets before encryption.

To configure the QoS for VPNs feature on a tunnel or virtual interface basis, use the following commands beginning in global interface mode:

Command
Purpose

Step 1

Router(config)# interface [tunnel-name | virtual-template-name]

Enters interface configuration mode and specifies the tunnel or virtual interface to configure.

Step 2

Router(config-if)# qos pre-classify

Enables the QoS for VPNs feature.

To configure the QoS for VPNs feature on the crypto map configuration basis, use the following commands beginning in global configuration mode:

Command
Purpose

Step 1

Router(config)# crypto map [map-name]

Enters crypto map configuration mode and specifies the previously defined crypto map to configure.

Step 2

Router(config-if)# qos pre-classify

Enables the QoS for VPNs feature.


Nathan - Thank you for your reponse, the document has been helpful.

Using your document, I have verified that the QoS for VPNs feature is enabled on all of the multisite crypto maps and virtual interfaces.  So QoS is being applied to the traffic prior to encryption. After encryption, and after the encrypted traffic leaves the router's WAN interface on its way to its destination over the Internet, is the QoS information on the VPN packets visible to devices on the way to the other sites?

This is where the voice quality problem may be. The ISP has said that QoS is setup in their equipment at each of my locations, but can these ISP devices perform QoS on the traffic while the traffic is VPN traffic? Are the QoS markings on the VPN traffic encrypted with the payload, or are they visible to QoS enabled devices so that it can be prioritized?

It QOS preclassify is applied, it re-marks the packet to whatever the packet was marked as before encryption.  Some carriers can tell you if they are seeing the traffic marked properly.

We are setting up time with the ISP to move forward on this. Thank you.