DMVPN – QoS over DMVPN Tunnels using the built-in ToS Byte Preservation, then a lab on class-map configuration and “QoS Pre-Classify” configuration for DMVPN!


I have not delved too deeply into QoS in general in my network studies (shame on me); however, I will try to make this as intelligible as possible, as this is my first time really looking at the basic concept of getting QoS to work on packets that are being encapsulated and encrypted!

Quick review of the built-in IPsec QoS feature – ToS Byte Preservation

This is a default behaviour of any IPsec-protected VPN tunnel (not just DMVPN): the tunnel interface copies the ToS byte from the original (inner) IP packet into the outer packet header, so that the marking survives encapsulation and some kind of QoS is preserved across the tunnel.

However, since this mechanism only preserves the ToS byte of the original IP packet, more granular QoS policies will want further information from the inner packet for classification, such as the protocol in use or the source and destination IP addresses.

For this reason “QoS Pre-Classify” is used to make that classification information available!

It's a bit tricky how this mechanism is worded: ToS byte preservation copies the inner ToS into the outer packet, where the router can see it, whereas “QoS Pre-Classify” is described as “cloning the packet to extract the classification information for QoS, and making it available to the router”. So those inner fields are not copied into the outer packet the way the ToS byte is; the router keeps a copy of them for classification.
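To make the distinction concrete, here is an added example (my own code, not from the original post or from Cisco) that models tunnel-mode IPsec encapsulation: only the inner ToS byte is copied into the outer header, the rest of the inner packet is hidden inside the ESP payload. A classifier that runs on the physical WAN interface can still match on DSCP (ToS preservation), but a class-map equivalent to the post's “permit icmp any any” only matches once a clone of the inner header is made available, which is what pre-classify provides. All addresses, packets, the class-map names CM_ICMP/CM_EF and the toy XOR “encryption” are constructed for the demo.

```python
"""Toy model of ToS byte preservation vs. qos pre-classify on an IPsec tunnel.
Added example, not the original post's code; every value here is constructed."""
import struct

ICMP, ESP = 1, 50            # IP protocol numbers


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, tos: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options). Header checksum left zero; irrelevant here."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, 20 + len(payload),
                         0, 0,                # identification, flags/fragment offset
                         64, proto, 0,        # TTL, protocol, checksum (not computed)
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields a QoS classifier cares about."""
    ihl = (pkt[0] & 0x0F) * 4
    tos, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BHHHBBH4s4s", pkt[1:20])
    return {"tos": tos, "dscp": tos >> 2, "proto": proto,
            "src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "payload": pkt[ihl:total_len]}


def ipsec_tunnel_encap(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel-mode IPsec: the whole inner packet is encrypted and becomes the ESP
    payload of a new outer packet. Only the inner ToS byte is copied to the outer
    header (ToS byte preservation); inner protocol and addresses are hidden."""
    inner_tos = inner[1]
    ciphertext = bytes(b ^ 0x5A for b in inner)   # stand-in for ESP encryption (toy XOR, not real crypto)
    return build_ipv4(tunnel_src, tunnel_dst, ESP, inner_tos, ciphertext)


# Class-maps expressed as the header fields they match (constructed names):
#   CM_ICMP mirrors the post's "permit icmp any any"  (needs the inner protocol)
#   CM_EF   mirrors "match dscp ef"                    (needs only the ToS byte)
CLASS_MAPS = {"CM_ICMP": {"proto": ICMP}, "CM_EF": {"dscp": 46}}


def classify(hdr: dict, class_maps: dict) -> str:
    """First class-map whose criteria all match wins; otherwise class-default."""
    for name, criteria in class_maps.items():
        if all(hdr.get(field) == value for field, value in criteria.items()):
            return name
    return "class-default"


def classify_on_wan(outer: bytes, class_maps: dict, preclassified_inner: bytes = b"") -> str:
    """Classification at the physical WAN interface. Without pre-classify the policy
    only sees the outer (ESP) header; with it, a clone of the clear-text inner
    header is available for matching."""
    hdr = parse_ipv4(preclassified_inner if preclassified_inner else outer)
    return classify(hdr, class_maps)


def demo() -> dict:
    # Constructed 100-byte ICMP echo marked DSCP EF (ToS 0xB8), LAN host to remote LAN host
    icmp_echo = b"\x08\x00" + bytes(78)
    inner = build_ipv4("10.10.1.10", "10.10.10.253", ICMP, 0xB8, icmp_echo)
    outer = ipsec_tunnel_encap(inner, "192.0.2.1", "192.0.2.2")   # constructed tunnel endpoints
    outer_hdr = parse_ipv4(outer)
    only_icmp = {"CM_ICMP": CLASS_MAPS["CM_ICMP"]}
    only_ef = {"CM_EF": CLASS_MAPS["CM_EF"]}
    return {
        "outer_proto": outer_hdr["proto"],     # 50: the WAN classifier sees ESP, not ICMP
        "outer_dscp": outer_hdr["dscp"],       # 46: the ToS byte survived encapsulation
        "icmp_class_no_preclassify": classify_on_wan(outer, only_icmp),
        "icmp_class_with_preclassify": classify_on_wan(outer, only_icmp, inner),
        "ef_class_no_preclassify": classify_on_wan(outer, only_ef),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the ICMP class falling into class-default until the inner header is handed to the classifier, while the DSCP-based class matches either way, which is exactly the gap between ToS preservation and pre-classify.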

I will configure an extremely simple QoS policy to demonstrate this feature.

First, configure a “class-map …” that matches some traffic, then define that traffic with an ACL:

PHX1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PHX1(config)#class-map MAP_TEST
PHX1(config-cmap)#match access-group name ACL_TEST
PHX1(config-cmap)#exit
PHX1(config)#ip access-list extended ACL_TEST
PHX1(config-ext-nacl)#permit icmp any any
PHX1(config-ext-nacl)#^Z
PHX1#
*Dec 5 22:20:07.933: %SYS-5-CONFIG_I: Configured from console by console
PHX1#

Here I created a class-map matching on an ACL that will match “any” ICMP traffic.

Next, configure the “policy-map …” part of the configuration:

PHX1(config)#policy-map POLICY_TEST
PHX1(config-pmap)#class MAP_TEST
PHX1(config-pmap-c)#exit
PHX1(config-pmap)#exit

As seen, it's pretty straightforward: reference the class-map inside the policy-map.

Finally, I apply the policy-map to the WAN interface for outbound traffic:

PHX1(config)#int fa0/0
PHX1(config-if)#service-policy ?
input Assign policy-map to the input of an interface
output Assign policy-map to the output of an interface
type Configure CPL Service Policy

PHX1(config-if)#service-policy output POLICY_TEST
PHX1(config-if)#

We are now applying QoS to “any” outbound ICMP traffic from the PHX1 router!

A good command to verify the policy-maps applied to router interfaces:

PHX1#sh policy-map int fa0/0
FastEthernet0/0

Service-policy output: POLICY_TEST

Class-map: MAP_TEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps
Match: access-group name ACL_TEST

Class-map: class-default (match-any)
109 packets, 14888 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
PHX1#

This shows the “match any” catch-all class (class-default) at the end of the policy-map, which is getting hits from all other traffic; our own class has none yet, so we’ll need to generate some ICMP:

MPLS1#ping 10.10.10.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/81/88 ms
MPLS1#

Done, and now to check the policy-map once more:

PHX1#sh policy-map int fa0/0
FastEthernet0/0

Service-policy output: POLICY_TEST

Class-map: MAP_TEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps
Match: access-group name ACL_TEST

Class-map: class-default (match-any)
230 packets, 31854 bytes
5 minute offered rate 1000 bps, drop rate 0000 bps
Match: any
PHX1#

Not what I was expecting to see initially; however, the ICMP traffic is being lumped in with the “any” traffic because “Pre-Classification” has not yet been configured on the tunnel interface, so the policy is unaware of the class of traffic inside the encrypted packets!

Configuring this is ridiculously easy:

PHX1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PHX1(config)#int tu0
PHX1(config-if)#qos pre-classify
PHX1(config-if)#

That is quite literally it!

To test once more from PHX2 to a couple of different IPs:

PHX2#ping 10.10.1.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/72/76 ms
PHX2#ping 10.10.2.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/59/76 ms
PHX2#

Verification on PHX1:

PHX1(config-if)#do sh policy-map int fa0/0
FastEthernet0/0

Service-policy output: POLICY_TEST

Class-map: MAP_TEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps
Match: access-group name ACL_TEST

Class-map: class-default (match-any)
70 packets, 10018 bytes
5 minute offered rate 1000 bps, drop rate 0000 bps
Match: any
PHX1(config-if)#

It took me a while to figure this out, as it appeared the policy-map had to be applied to the WAN interface, so I was troubleshooting with it there for about 45 minutes or so 🙂

After pinging from all the different routers, bouncing tunnels, and re-configuring the entire thing a few times – I realized maybe I should try to apply it to the inside interface!

This was way not making me happy, until I saw this:

PHX1(config-if)#do sh policy-map int fa1/0
FastEthernet1/0

Service-policy output: POLICY_TEST

Class-map: MAP_TEST (match-all)
5 packets, 570 bytes
5 minute offered rate 0000 bps
Match: access-group name ACL_TEST

Class-map: class-default (match-any)
7 packets, 476 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
PHX1(config-if)#

Not being able to figure out a network issue when the configuration appears completely correct eats away at my sanity after a while, so I was relieved to see that policy kicking in and QoS hard at work on the PHX1 ping traffic!
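The whole troubleshooting loop above is “snapshot the counters, send a known number of pings, snapshot again, see which class moved”. Here is an added example (my own code, not from the post or from Cisco) that parses the counter lines of `show policy-map interface` output and compares two snapshots, so the check can be scripted instead of eyeballed. The sample outputs embedded below are the fa0/0 before/after snapshots and the fa1/0 snapshot from this post; the function names are my own.

```python
"""Parse 'show policy-map interface' counters and diff two snapshots.
Added example, not the original post's code; samples are the post's own CLI output."""
import re

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets,\s+(\d+)\s+bytes")


def parse_policy_map_counters(output: str) -> dict:
    """Map each class-map name to its match type and packet/byte counters."""
    counters, current = {}, None
    for line in output.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            counters[current] = {"match_type": m.group(2), "packets": 0, "bytes": 0}
            continue
        m = COUNT_RE.match(line)
        if m and current is not None:
            counters[current]["packets"] = int(m.group(1))
            counters[current]["bytes"] = int(m.group(2))
            current = None   # only the first counter line after a class header belongs to it
    return counters


def class_hits(before: str, after: str) -> dict:
    """Packets gained per class between two snapshots (a class absent before counts from 0)."""
    b, a = parse_policy_map_counters(before), parse_policy_map_counters(after)
    return {name: a[name]["packets"] - b.get(name, {"packets": 0})["packets"] for name in a}


def class_matched(before: str, after: str, class_name: str, expected_min: int) -> bool:
    """True if class_name gained at least expected_min packets (5 for a default IOS ping)."""
    return class_hits(before, after).get(class_name, 0) >= expected_min


# Sample input: the post's fa0/0 snapshots before and after the 5-packet ping from MPLS1.
FA0_0_BEFORE = """FastEthernet0/0

Service-policy output: POLICY_TEST

Class-map: MAP_TEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps
Match: access-group name ACL_TEST

Class-map: class-default (match-any)
109 packets, 14888 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
"""

FA0_0_AFTER = FA0_0_BEFORE.replace("109 packets, 14888 bytes", "230 packets, 31854 bytes")

# Sample input: the post's fa1/0 snapshot where the ICMP class finally showed hits.
FA1_0 = """FastEthernet1/0

Service-policy output: POLICY_TEST

Class-map: MAP_TEST (match-all)
5 packets, 570 bytes
5 minute offered rate 0000 bps
Match: access-group name ACL_TEST

Class-map: class-default (match-any)
7 packets, 476 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
"""


if __name__ == "__main__":
    print("fa0/0 hits per class:", class_hits(FA0_0_BEFORE, FA0_0_AFTER))
    print("fa0/0 MAP_TEST saw the 5 pings:", class_matched(FA0_0_BEFORE, FA0_0_AFTER, "MAP_TEST", 5))
    print("fa1/0 MAP_TEST saw the 5 pings:", class_matched("", FA1_0, "MAP_TEST", 5))
```

On the fa0/0 pair the script reports that only class-default moved (by 121 packets), which is the symptom the post hit; on the fa1/0 snapshot MAP_TEST shows the five echo packets, confirming the class is matching. Any class that the policy-map lists but that never gains packets across a test is the one worth re-checking.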

That will do it for this mini-QoS lesson that dragged me through the mud!

Having something break or not work, and troubleshooting until you fix it is the best way to really understand a technology I believe, so I am glad to have hammered away at that until we had success.

That is all the glory of “QoS Pre-Classify” for IPSec and NOT just for DMVPN, but for any IPSec protected tunnels, so Pre-Classify all of that VPN QoS traffic!
