Hi Matt

The policy can still be there in the configuration, but as the IOS can't identify the telnet traffic using NBAR, i.e., you can't identify/classify the traffic based on L4 as it is encrypted, the traffic moves to the default class.

Without qos-preclassify, one way is that you can classify the traffic on the inbound interface and set a DSCP value. Else you can mark the traffic elsewhere before, in a switch or earlier router, to a specific DSCP value. You can use this DSCP value to identify the telnet traffic for the outbound policy and get the 40 Kbps BW.

With regards
Kings

On Tue, Oct 20, 2009 at 6:49 PM, Matt Blake <[email protected]> wrote:

> Kings – So that is pretty much my understanding, which is a good thing.
> Now on to bandwidth policing….
>
> If I had a policy that restricted telnet to 40Kbps.
>
> With QoS pre-classify – encryption is completed last so that my actual telnet bandwidth is 40Kbps. Sent to the output queue where it’s encrypted and sent on its way?
>
> Without QoS pre-classify – encryption is done first, so I would need to mark the telnet traffic (DSCP or ToS). It’s then encrypted with IP header info preserved and given 40Kbps (including crypto overhead). Which means that I really don’t have 40Kbps reserved for telnet – correct?
>
> Just trying to make sure my understanding is correct.
>
> Regards,
>
> Matt Blake
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Tuesday, October 20, 2009 12:36 AM
> *To:* Matt Blake
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] QoS pre-classify
>
> Hi Matt
>
> With IPSec, the ToS value is copied to the new IP header but the other information is hidden. Let's say there is a QoS policy that says that telnet traffic should get 40 Kbps BW.
>
> With IPSec VPN, the payload is encrypted and hence the router will not be able to identify which type of traffic is inside the VPN packet.
>
> Thereby the QoS policy of identifying telnet traffic won't work.
>
> With QoS pre-classify, the classification is done before encryption and hence, QoS action can be taken.
>
> Without QoS-preclassify, you can just classify the VPN packet based on the ToS or DSCP value.
>
> With regards
> Kings
>
> On Tue, Oct 20, 2009 at 2:51 AM, Matt Blake <[email protected]> wrote:
>
> All,
>
> Would the 2 statements below be 100% accurate
>
> With QoS pre-classify encryption happens last so that if it’s necessary to use TCP / UDP header information to apply QoS parameters it will be done prior to encryption.
>
> Without QoS pre-classify encryption is done first and the DSCP / ToS bits in the original IP header are preserved. No option to use layer 4 information for QoS.
>
> Also:
>
> I know that the actual reserved bandwidth differs between the two. Does anyone have a quick link (or explanation) on why this is the case? It has to do with the IPSec overhead but does it impact the actual bandwidth used if doing policing? Or will you be able to forward less “actual” traffic because of the overhead and the used bandwidth is the same regardless.
>
> - Matt
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
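The two approaches Kings describes, written out as an added IOS configuration sketch that is not part of the thread. The interface names, the crypto map name VPNMAP and the use of DSCP CS2 as the telnet marking are assumptions; only one of the two WAN output policies would be applied.

```cisco
! Added example, not from the thread. Assumed: LAN is Fa0/0, WAN is Se0/0,
! crypto map VPNMAP (peer, transform-set and match address omitted),
! and DSCP CS2 as the marking used for telnet.
!
! --- Option A: qos pre-classify ---
! Classification is done on the cleartext packet, so an NBAR/L4 match in
! the outbound WAN policy still sees telnet even though the packet that
! leaves the interface is ESP.
class-map match-all TELNET
 match protocol telnet
!
policy-map WAN-OUT
 class TELNET
  police 40000 conform-action transmit exceed-action drop
!
crypto map VPNMAP 10 ipsec-isakmp
 qos pre-classify
!
interface Serial0/0
 crypto map VPNMAP
 service-policy output WAN-OUT
!
! --- Option B: no pre-classify, mark on ingress, match DSCP on egress ---
! Mark telnet on the LAN side (or on an upstream switch/router). IPsec
! copies the ToS/DSCP byte into the new outer IP header, so the outbound
! policy can match on it. It now polices the encrypted packet, so the
! 40 kbps includes the crypto overhead and the usable telnet rate is lower.
policy-map LAN-IN-MARK
 class TELNET
  set ip dscp cs2
!
interface FastEthernet0/0
 service-policy input LAN-IN-MARK
!
class-map match-all TELNET-DSCP
 match ip dscp cs2
!
policy-map WAN-OUT-DSCP
 class TELNET-DSCP
  police 40000 conform-action transmit exceed-action drop
!
interface Serial0/0
 crypto map VPNMAP
 service-policy output WAN-OUT-DSCP
```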
