Cisco Field Manual[c] Router Configuration

• IP packets are classified before they are encrypted and sent over a VPN tunnel.

• QoS classification is performed based on the original source and destination addresses and port numbers .

• If a packet is fragmented after encryption, only the first fragment can be preclassified.

• GRE, IP-in-IP, L2F, L2TP, and IPSec tunnels are all supported.

Configuration

1. (GRE tunnel) Specify a VPN tunnel interface:

   (global) interface tunnel-name

2. (L2F or L2TP tunnel) Specify a VPN virtual template interface:

   (global) interface virtual-template-name

   For a Layer 2 Forwarding (L2F) or Layer 2 Tunneling Protocol (L2TP), specify the virtual template interface.

3. (IPSec tunnel) Specify the IPSec crypto map:

   (global) crypto map map-name

   If an IPSec tunnel is used, specify the crypto map itself, rather than an interface.

4. Enable QoS preclassification on the tunnel:

   (interface or crypto-map) qos pre-classify

QoS for VPNs Example

A crypto map is configured for an IPSec tunnel to peer 4.3.50.234. QoS preclassification is performed on traffic that matches the crypto map, before the encryption is performed.

access-list 102 permit ip 192.3.3.0 0.0.0.255 192.168.200.0 0.0.0.255 crypto map Clients 10 ipsec-isakmp match address 102 set peer 4.3.50.234 set transform-set basic-3des qos pre-classify