Monday 7 April 2008

End-to-End QoS - Pre-classify

Pre-classify was designed to classify packets on the output of an interface before the data is encrypted and tunnelled. Today service providers and customers want to classify traffic inside VPN tunnels, for example to provide SLAs for voice and video.

A VPN aims to provide confidentiality, authentication and data integrity.

When a packet enters a VPN its original headers are encapsulated, which means that any QoS information in the original headers will not be visible to the QoS mechanisms on the egress interface.

The good news is that the original ToS field value is copied to the new headers; however, if there is a requirement to classify based on source/destination address, for example, then the 'pre-classify' command needs to be used. Pre-classify should be configured on the endpoint before the traffic enters the VPN tunnel.

Two common tunnelling protocols are IPSEC and GRE. GRE has the advantage of being able to tunnel multicast/broadcast and routing-protocol traffic, but GRE is not able to provide confidentiality using encryption.

IPSEC is a more secure protocol, but it is able to encrypt only unicast traffic. IPSEC uses two mechanisms to protect data:

Authentication Header (AH) protocol 51: Operates in tunnel mode (adds headers) or transport mode (encapsulates entire packet). Ensures integrity and authentication of packets.
Encapsulating Security Payload (ESP) protocol 50: Operates in tunnel mode (encrypts only the IP payload), transport mode encrypts the entire original packet.

The pre-classify command takes a duplicate of the original packet so that the service policy is able to examine it. This is only required where fields other than ToS need to be inspected (the ToS field is automatically copied from the original packet to the encrypted packet).

Pre-classify can only be configured on tunnel interfaces/virtual templates/crypto-maps.

"Where Do I Apply the Service Policy?

You can apply a service policy to either the tunnel interface or to the underlying physical interface. The decision of where to apply the policy depends on the QoS objectives. It also depends on which header you need to use for classification.

  • Apply the policy to the tunnel interface without qos-preclassify when you want to classify packets based on the pre-tunnel header.

  • Apply the policy to the physical interface without qos-preclassify when you want to classify packets based on the post-tunnel header. In addition, apply the policy to the physical interface when you want to shape or police all traffic belonging to a tunnel, and the physical interface supports several tunnels.

  • Apply the policy to a physical interface and enable qos-preclassify when you want to classify packets based on the pre-tunnel header."
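As an added example (not from the original post or the Cisco document quoted above), the third case in that list: GRE over IPsec with a service policy on the physical interface that matches the pre-tunnel source subnet, so qos pre-classify is enabled on both the tunnel interface and the crypto map. All interface names, addresses, policy names and bandwidth values are assumed for illustration.

```cisco
! Added example, not the blog's own configuration; names/addresses are assumed.
! IKE policy and pre-shared keys are omitted for brevity.
!
! Matching DSCP EF would work without pre-classify because ToS is copied to the
! outer header; matching the branch subnet needs the original (inner) IP header.
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
class-map match-all VOICE
 match ip dscp ef
class-map match-all BRANCH-DATA
 match access-group 101
!
policy-map WAN-EDGE
 class VOICE
  priority 256
 class BRANCH-DATA
  bandwidth 512
 class class-default
  fair-queue
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Protect the GRE tunnel traffic between the two tunnel endpoints.
access-list 110 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 match address 110
 qos pre-classify
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 qos pre-classify
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN
 service-policy output WAN-EDGE
!
! Check that BRANCH-DATA is actually counting packets after encryption with:
! show policy-map interface Serial0/0
```

If the BRANCH-DATA counters stay at zero while class-default grows, the policy is only seeing the encrypted outer header and pre-classify is missing from the tunnel or the crypto map.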
