QoS on VPN

This situation can cause unexpected results when QoS is applied to VPN interfaces. If the rate of traffic traversing the VPN interface is higher than the physical interface bandwidth, packets are dropped after they are sent from the VPN interface. Due to this, QoS statistics may show higher available bandwidth on the VPN interface than the actual output rate on the physical line. For the same reason, QoS bandwidth sharing on the VPN interface is not enforced, although you may configure it.

When configuring QoS on the VPN interface you should keep the following in mind:

If the physical interface that establishes the tunnel is congested, QoS on the VPN interface may show higher send rates than the actual line speed. To avoid this behavior you should apply the shaper per policy map on the VPN interface as described in the next section.

QoS on VPN does not provide bandwidth sharing although you may configure it. To activate bandwidth sharing, apply shaper per policy map as described in the next section.

The priority traffic (class) should be allocated lower reserved bandwidth than the physical interface or, if the shaper per policy is applied, reserved bandwidth should be lower than the shaper rate. If you ignore this rule all non-priority traffic may be stopped when the line becomes congested because priority queues are always serviced first.

When QoS is applied on physical interfaces that implement crypto maps, reordering of the packets by QoS may trigger anti-replay IPSec protection at the receiving tunnel end. To avoid this problem, anti-replay should be disabled or QoS not used on the receive side.

Configuring the Shaper on the VPN Interface

If bandwidth sharing on the VPN interface is required, you can communicate the expected or required bandwidth to QoS by applying a shaper per policy map on the VPN interface. The shaper limits traffic that transits the VPN interface and collaborates with QoS to enforce bandwidth sharing.

In the following example, class c1 and class-default share 1 Mbps of bandwidth. Class c1 has 100 Kbps reserved bandwidth while class-default gets the remainder of the 1 Mbps. The output physical interface will receive at most 1 Mbps from this VPN interface.

XSR(config)#policy-map VPN
XSR(config-pmap<VPN>)#shape 1000000
XSR(config-pmap<VPN>)#class c1
XSR(config-pmap-c<c1>)#priority high 100
XSR(config-pmap-c<c1>)#exit
XSR(config-pmap<VPN>)#class class-default
XSR(config-pmap-c<class-default>)#set ip dscp 32

When you configure the shaper rate you must account for the expected overhead due to IPSec/GRE encapsulation. Packets traversing the VPN interface are purely user payload packets that are encapsulated with tunnel headers later in the stack. If the configured shaper rate does not account for encapsulation overhead, packets will be dropped during congestion on the physical interface, disturbing bandwidth sharing on the VPN interface. The table below outlines the approximate overhead values for different tunnel/IPSec configurations.

Table 12-3 Overhead on IPSec Tunnels

Tunnel Type | Mode   | Tunnel IP Header | AH (HMAC) | ESP+3DES | Total Overhead
Tunnel AH   | Tunnel | 20 bytes         | 24 bytes  | NA       | 44 bytes
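The following Python helper is an added illustration, not part of the XSR User's Guide: it derives the largest VPN-interface shaper rate whose traffic still fits the physical line once the per-packet overhead from Table 12-3 is added, and checks the guide's rule that the priority-class reservation stays below the shaper rate. The average payload size and the line rate are assumed inputs; only the Tunnel AH row of the table is encoded because only that row is on the page.

```python
# Added example (not from the XSR User's Guide): size a VPN-interface shaper so
# that encapsulated traffic fits the physical line, and validate the priority class.
from dataclasses import dataclass

# Per-packet overhead in bytes from Table 12-3: Tunnel AH in tunnel mode adds a
# 20-byte tunnel IP header plus a 24-byte AH (HMAC) header = 44 bytes.
TUNNEL_OVERHEAD_BYTES = {
    "tunnel-ah": 20 + 24,
}


@dataclass
class ShaperPlan:
    shaper_bps: int          # value for "shape <bps>" on the VPN policy map
    priority_kbps: int       # value for "priority high <kbps>" on the priority class
    encapsulated_bps: float  # rate the physical interface will actually carry


def shaper_rate_for_line(line_rate_bps: int, avg_payload_bytes: int, tunnel: str) -> int:
    """Largest shaper rate (bps) on the VPN interface such that, after each payload
    packet grows by the tunnel overhead, the wire rate does not exceed the line rate."""
    overhead = TUNNEL_OVERHEAD_BYTES[tunnel]
    payload_fraction = avg_payload_bytes / (avg_payload_bytes + overhead)
    return int(line_rate_bps * payload_fraction)


def encapsulated_rate(shaper_bps: int, avg_payload_bytes: int, tunnel: str) -> float:
    """Wire rate (bps) produced by shaper_bps of payload once tunnel headers are added."""
    overhead = TUNNEL_OVERHEAD_BYTES[tunnel]
    return shaper_bps * (avg_payload_bytes + overhead) / avg_payload_bytes


def priority_fits(priority_kbps: int, shaper_bps: int) -> bool:
    """Guide's rule: the priority reservation must be below the shaper rate, otherwise
    the always-serviced-first priority queue can starve class-default under congestion."""
    return priority_kbps * 1000 < shaper_bps


def plan(line_rate_bps: int, avg_payload_bytes: int, tunnel: str, priority_kbps: int) -> ShaperPlan:
    shaper = shaper_rate_for_line(line_rate_bps, avg_payload_bytes, tunnel)
    if not priority_fits(priority_kbps, shaper):
        raise ValueError(f"priority {priority_kbps} Kbps is not below shaper {shaper} bps")
    return ShaperPlan(shaper, priority_kbps, encapsulated_rate(shaper, avg_payload_bytes, tunnel))


if __name__ == "__main__":
    # Constructed input: 1 Mbps line, 500-byte average payload, Tunnel AH, 100 Kbps priority.
    print(plan(1_000_000, 500, "tunnel-ah", 100))
```

With these inputs the shaper lands at about 919 Kbps rather than the 1 Mbps used in the configuration example above, which is the margin the encapsulation overhead consumes.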

XSR User’s Guide 12-23
