QoS on VPN

The XSR offers you two choices in applying QoS service policy:

before encryption on the VPN tunnel (virtual VPN) interface or,

after encryption on the underlying physical interface.

Copying the ToS byte raises security concerns you must address. As described in RFCs 2475 and 2983, copying ToS bits is not always desirable: the outer-header ToS values of a tunnel's packets can reveal characteristics of the tunneled traffic, and a tunnel that copies ToS bits may be exposed to denial-of-service attacks when an attacker alters the ToS bits and resends the packets. Whether to configure this feature is therefore your decision. The XSR supports the following QoS on VPN scenarios:

QoS on a physical interface - If you want to classify packets based solely on the outer header, apply your service policy to the physical interface (e.g., S1/1.1).

QoS on the virtual tunnel interface - If you want to classify packets based on the inner header - before encryption - apply your service policy to the virtual tunnel interface (e.g., VPN1).

QoS over VPN Features

The XSR supports the following QoS over VPN features:

QoS on a physical interface

QoS on a VPN virtual interface, configured with the service-policy command

Values set on a VPN interface apply to all supported tunnel protocols, e.g., GRE, IPSec, PPTP and L2TP.

Packet classification, marking, policing and shaping

ToS bit copy option during encapsulation/decapsulation, configured with the copy-tos command

On multi-point virtual interfaces, the QoS policy map is configured on the virtual interface. When a connection is established with a particular user, the policy map is applied to that neighbor; all neighbors therefore share the same policy map.

Control traffic traversing the virtual interface (RIP, OSPF, etc.) is internally marked and prioritized on the output physical interface.

Classifying, marking and policing are not available for IPSec site-to-site tunnels that do not employ the VPN interface, but ToS bit copying is supported. Copying the ToS bit is configurable per peer with the crypto isakmp peer command. When ToS bit copying is configured both on a VPN interface and for a peer on that interface, the peer configuration takes precedence.

Configuring QoS on a Physical Interface

QoS applied to a physical interface with a crypto map is not significantly different from QoS applied to other interfaces. Keep in mind that a QoS policy on an interface with a crypto map classifies flows using the outer header of already encrypted packets. As mentioned earlier in this section, the inner header is encrypted, so QoS cannot classify packets based on the user (inner) header. The only exception to this rule is the ToS byte: if you configure copy-tos, the inner header ToS byte is copied to the outer header and so becomes accessible to QoS.
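The following Python model is an added illustration, not XSR or Enterasys code, of the three points made above and in the ToS security note: a policy on the physical interface sees only the outer header, so the inner ToS reaches it only when copy-tos is on; the outer ToS then exposes the mix of tunneled traffic classes to an on-path observer; and copying the outer ToS back to the inner header on decapsulation lets an attacker who rewrites the unprotected outer ToS byte (it sits outside ESP's integrity check) downgrade or upgrade the marking of tunneled packets. It also encodes the stated precedence rule (per-peer setting over VPN interface setting). The addresses, DSCP values and sample packets are constructed assumptions.

```python
# Added illustration (not XSR or Enterasys code): a model of how the ToS byte
# moves between inner and outer headers on a tunnel, and what that exposes.
from collections import Counter
from dataclasses import dataclass, replace
from typing import Optional

# Constructed tunnel endpoints; addresses are assumptions, not from the manual.
TUNNEL_SRC = "203.0.113.1"
TUNNEL_DST = "203.0.113.2"
DSCP_EF = 46  # expedited forwarding, the usual voice marking


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tos: int                            # full ToS/DS byte, 0..255 (DSCP is tos >> 2)
    inner: Optional["Packet"] = None    # set only on an encapsulating (outer) packet


def effective_copy_tos(peer_copy_tos: Optional[bool], iface_copy_tos: bool) -> bool:
    """Page rule: a per-peer copy-tos setting takes precedence over the VPN interface setting."""
    return peer_copy_tos if peer_copy_tos is not None else iface_copy_tos


def encapsulate(inner: Packet, copy_tos: bool) -> Packet:
    """Build the outer (post-encryption) packet. Without copy-tos the outer ToS is 0."""
    return Packet(TUNNEL_SRC, TUNNEL_DST, inner.tos if copy_tos else 0, inner)


def decapsulate(outer: Packet, copy_tos: bool) -> Packet:
    """Recover the inner packet; with copy-tos the outer ToS overwrites the inner one."""
    inner = outer.inner
    assert inner is not None, "not an encapsulated packet"
    return replace(inner, tos=outer.tos) if copy_tos else inner


def classify(pkt: Packet) -> str:
    """A minimal class-map: EF is 'priority', everything else 'default'.
    On the physical interface this only ever sees the outer header; on the
    VPN virtual interface it runs before encryption, on the inner header."""
    return "priority" if (pkt.tos >> 2) == DSCP_EF else "default"


def outer_tos_profile(inner_packets, copy_tos: bool) -> dict:
    """What an on-path observer learns from outer headers: a histogram of ToS values."""
    return dict(Counter(encapsulate(p, copy_tos).tos for p in inner_packets))


def tampered_decap_tos(inner: Packet, attacker_tos: int, decap_copy_tos: bool) -> int:
    """ToS of the packet handed to the inner network after an attacker rewrites the
    outer ToS in transit. The outer ToS is not covered by ESP integrity protection,
    so the rewrite goes undetected; only the decapsulation copy-tos setting decides
    whether it changes the inner marking."""
    outer = encapsulate(inner, copy_tos=True)
    forged = replace(outer, tos=attacker_tos)
    return decapsulate(forged, decap_copy_tos).tos


# Constructed sample traffic (not captured data): two EF, one AF41, one best-effort.
SAMPLE_INNER = [
    Packet("10.1.1.10", "10.2.2.20", DSCP_EF << 2),
    Packet("10.1.1.10", "10.2.2.20", DSCP_EF << 2),
    Packet("10.1.1.11", "10.2.2.21", 34 << 2),
    Packet("10.1.1.12", "10.2.2.22", 0),
]

if __name__ == "__main__":
    ef = SAMPLE_INNER[0]
    print("outer ToS seen by observer, copy-tos on :", outer_tos_profile(SAMPLE_INNER, True))
    print("outer ToS seen by observer, copy-tos off:", outer_tos_profile(SAMPLE_INNER, False))
    print("physical-interface class, no copy-tos   :", classify(encapsulate(ef, False)))
    print("physical-interface class, copy-tos      :", classify(encapsulate(ef, True)))
    print("VPN-interface class (inner header)      :", classify(ef))
    print("EF after forged outer ToS=0, copy on decap :", tampered_decap_tos(ef, 0, True))
    print("EF after forged outer ToS=0, no copy       :", tampered_decap_tos(ef, 0, False))
```

The observer histogram is the information leak the RFCs warn about: with copy-tos on, the outer headers reveal how much voice, video and bulk traffic the tunnel carries even though every payload is encrypted. The tampering function shows why copying on decapsulation is the riskier direction; copying only on encapsulation still leaks the profile but does not let an outsider re-mark packets inside your network.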

Configuring QoS on a Virtual Tunnel Interface

QoS on a virtual VPN tunnel requires classification to be applied before encryption (hardware or software). The VPN interface represents a point-to-point tunnel and, because each tunnel is an encapsulation mechanism, this process may also involve copying ToS bits from the inner to

12-18 Configuring Quality of Service

Enterasys Networks X-Pedition™ manual: QoS over VPN Features, Configuring QoS on a Physical Interface