When using qos pre-classify, the information on which QoS is based (Src IP, Dst IP, Src Port, Dst Port, DSCP) is saved somewhere in the router, and when the packet is encrypted that information is used to base the QoS decision on. It's the same principle as with the 'qos-group' command. I'm not really aware of any bandwidth issues between the 2 options. As the entire encrypted packet is still queued, only the decision on which queue is used is made by the information that's been registered up front.
--
Regards,

Rick Mur
CCIE2 #21946 (R&S / Service Provider)
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com

On Tue, Oct 20, 2009 at 6:36 AM, Kingsley Charles <[email protected]> wrote:

> Hi Matt
>
> With IPSec, the ToS value is copied to the new IP header but the other
> information is hidden. Let's say there is a QoS policy that says that telnet
> traffic should get 40 Kbps BW.
>
> With IPSec VPN, the payload is encrypted and hence the router will not be
> able to identify which type of traffic is inside the VPN packet.
>
> Thereby the QoS policy of identifying telnet traffic won't work.
>
> With QoS pre-classify, the classification is done before encryption and
> hence, QoS action can be taken.
>
> Without QoS-preclassify, you can just classify the VPN packet based on the
> ToS or DSCP value.
>
> With regards
> Kings
>
> On Tue, Oct 20, 2009 at 2:51 AM, Matt Blake <[email protected]> wrote:
>
>> All,
>>
>> Would the 2 statements below be 100% accurate
>>
>> With QoS pre-classify encryption happens last so that if it’s necessary to
>> use TCP / UDP header information to apply QoS parameters it will be done
>> prior to encryption.
>>
>> Without QoS pre-classify encryption is done first and the DSCP / ToS bits
>> in the original IP header are preserved. No option to use layer 4
>> information for QoS.
>>
>> Also:
>>
>> I know that the actual reserved bandwidth differs between the two. Does
>> anyone have a quick link (or explanation) on why this is the case? It has to
>> do with the IPSec overhead but does it impact the actual bandwidth used if
>> doing policing? Or will you be able to forward less “actual” traffic because
>> of the overhead and the used bandwidth is the same regardless.
>>
>> - Matt
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
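The scenario discussed in this thread (Telnet guaranteed 40 kbps on a router that also encrypts with IPsec), as an added Cisco IOS configuration fragment that is not from any of the posters. All names, the peer address and the interface are constructed placeholders, and the ISAKMP policy and pre-shared key are assumed to be configured elsewhere.

```cisco
! Constructed example: names, addresses and interface are placeholders.
! Layer 4 match (Telnet = TCP/23). After encryption the ports are hidden,
! so this class only matches tunnelled traffic when pre-classify is on.
ip access-list extended TELNET-ACL
 permit tcp any any eq telnet
 permit tcp any eq telnet any
!
class-map match-all TELNET
 match access-group name TELNET-ACL
!
! DSCP match. The ToS byte is copied to the outer IP header, so this
! class matches encrypted packets with or without pre-classify.
class-map match-all MARKED-AF21
 match ip dscp af21
!
policy-map WAN-OUT
 class TELNET
  bandwidth 40
 class MARKED-AF21
  bandwidth 64
 class class-default
  fair-queue
!
! Traffic to be protected by the tunnel (placeholder subnets).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address VPN-TRAFFIC
 ! Keep a copy of the original headers for output classification.
 ! For GRE over IPsec the same command goes under the Tunnel interface.
 qos pre-classify
!
interface Serial0/0
 crypto map VPN-MAP
 service-policy output WAN-OUT
```

With `qos pre-classify` removed from the crypto map, `show policy-map interface Serial0/0` should show tunnelled Telnet packets counted under `class-default` rather than `TELNET`, while the DSCP class keeps matching.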
