IPv6 IPsec Quality of Service

The IPv6 IPsec QoS feature allows the quality of service (QoS) policies to be applied to IPv6 IPsec.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/. An account on Cisco.com is not required.

IPv6 IPsec QoS Overview

The IPv6 IPsec QoS feature applies the quality of service (QoS) policies to IPV6 IPsec. This feature supports the following functionalities:

  • Crypto LLQ QoS—Traffic that is classified by QoS and marked as priority level 1 or 2 by traditional Cisco Modular QoS CLI (MQC) QoS configuration, for example PAK priority, is enqueued to the priority queue before the crypto processor. The low latency queuing (LLQ) for IPsec encryption engines helps reduce packet latency for priority traffic.
  • IPsec QoS Pre-Classify—QoS pre-classify is configured under a crypto map to enable IPsec to save the original Layer 3 and Layer 4 header before the encryption so that QoS can do the classification using the saved header.
  • QoS group-based LLQ—The QoS group-based LLQ feature allows IPsec to check the LLQ QoS group setting to determine whether a packet is a high priority packet before it is enqueued to low latency queuing (LLQ).

Configuring Crypto LLQ QoS

When IPsec and QoS are configured on a physical interface and if the QoS policy has priority class, IPSec will classify the packet based on the policy attached to the interface. It will enqueue the packet matching priority class into Low Latency Queue. The high-priority packet will be enqueued to low latency queueing (LLQ).

Perform this task to attach a service policy to the output interface and enable LLQ for IPsec encryption engines.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface physical-interface-name
  4. ipv6 address {ipv6-address /prefix-length | prefix-name sub-bits/prefix-length}
  5. service-policy output policy-map
  6. ipv6 crypto map map-name
  7. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

interface physical-interface-name

Example:


Device(config)# interface GigabitEthernet0/0/1

Specifies the interface using the LLQ for IPsec encryption engines.

Step 4

ipv6 address {ipv6-address /prefix-length | prefix-name sub-bits/prefix-length}

Example:


Device(config-if)# ipv6 address 2001:DB8:FFFF::2/64

Configures an IPv6 address on an interface.

Step 5

service-policy output policy-map

Example:


Device(config-if)# service-policy output p1

Attaches the specified service policy map to the output interface and enables LLQ for IPsec encryption engines.

Step 6

ipv6 crypto map map-name

Example:


Device(config-if)# ipv6 crypto map CMAP_1

Enables an IPv6 crypto map on an interface.

Step 7

end

Example:


Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Configuring Pre-classify on the Crypto Map

The qos pre-classify command is applied on the crypto map, allowing configuration on a per-tunnel basis. QoS policy is applied to Packets based on the L3 and L4 Header before encryption.

Perform this task to apply the QoS pre-classify on the crypto map.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ipv6 crypto map map-name
  4. qos pre-classify
  5. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 crypto map map-name

Example:


Device(config-if)# ipv6 crypto map CM_V6

Enters crypto map configuration mode and specifies the crypto map to be configured.

Step 4

qos pre-classify

Example:


Device(config-if)# qos pre-classify

Enables QoS pre-classify on the crypto map.

Step 5

end

Example:


Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Configuring Pre-classify on the Tunnel Interface

The qos pre-classify command is applied on the IPv6 IPsec tunnel interface, making QoS a configuration option on a per-tunnel basis.

Perform this task to apply the QOS pre-classify on the tunnel interface.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface tunnel-interface-name
  4. ipv6 address {ipv6-address /prefix-length | prefix-name sub-bits/prefix-length}
  5. qos pre-classify
  6. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

interface tunnel-interface-name

Example:


Device(config)# interface Tunnel1

Enters interface configuration mode and specifies the tunnel or virtual interface to configure.

Step 4

ipv6 address {ipv6-address /prefix-length | prefix-name sub-bits/prefix-length}

Example:


Device(config-if)# ipv6 address 2001:DB8:FFFF::2/64

Configures an IPv6 address on an interface.

Step 5

qos pre-classify

Example:


Device(config-if)# qos pre-classify

Enables QoS pre-classify on the tunnel interface.

Step 6

end

Example:


Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Configuring LLQ QoS Group

The platform ipsec llq qos-group command enables low latency queuing for traffic that matches the QoS groups configured with this command.

Perform this task to enable LLQ for QoS groups.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. platform ipsec llq qos-group group-number
  4. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

platform ipsec llq qos-group group-number

Example:


Device(config)# platform ipsec llq qos-group 1

Specifies the QoS group to enable LLQ. Valid values are from 1 to 99.

Step 4

end

Example:


Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Example: Configuring Crypto LLQ QoS

The following example shows how to specify the service policy map to the output interface and enable an IPv6 crypto map on an interface.


!
class-map match-all c2
  match precedence 5  6  7
class-map match-all c1
  match precedence 0  1  2  3

policy-map p1
  class c1
    priority percent 10
  class c2
    bandwidth remaining percent 3

crypto map ipv6 CMAP_1 1 ipsec-isakmp
  set peer address 2001:DB8:FFFF::1
  set transform-set ESP-3DES-SHA
  match address 102

interface GigabitEthernet0/0/1
  ipv6 address 2001:DB8:FFFF::2/64
  ipv6 crypto map CMAP_1
  service-policy output p1

Example: Configuring Pre-classify on the Crypto Map

The following example shows how to enable QoS pre-classification using the qos pre-classify command on the crypto map CM_V6.


!
crypto map ipv6 CM_V6 10 ipsec-isakmp 
  match address ACL_IPV6_1 
  set transform-set set1
  set peer 2001:DB8:FFFF::1 
  qos pre-classify
! 
interface GigabitEthernet0/0/1
  ipv6 address 2001:DB8:FFFF::2/64
  service-policy output policy1
  ipv6 crypto map CM_V6

Example: Configuring Pre-classify on the Tunnel Interface

The following example shows how to enable QoS pre-classification using the qos pre-classify command on the tunnel interface tunnel1.


interface GigabitEthernet1/1/2
  ipv6 address 2001:DB8:1::F/64
  service-policy output policy1
!
interface Tunnel1
  ipv6 address 2001:DB8:2::F/64
  qos pre-classify
  ipv6 mtu 1400
  tunnel protection ipsec profile greprof

Example: Configuring LLQ QoS Group

The following example shows how to configure low latency queuing on a QoS group.


! 
platform ipsec llq qos-group 1 
platform ipsec llq qos-group 49 
! 
! 
crypto map ipv6 cmap 1 ipsec-isakmp 
  set peer 2001:DB8:FFFF:1::E/64
  set security-association lifetime seconds 600 
  set transform-set aes-192 
  match address 102 
! 
! 
class-map match-all c1 
  match precedence 5 
class-map match-all c2 
  match precedence 2 
class-map match-all c3 
  match precedence 4 
class-map match-all c4 
  match precedence 3 
! 
policy-map p1 
  class c3 
    set qos-group 20 
  class c1 
    set qos-group 49 
  class c4 
    set qos-group 77 
! 
policy-map p2 
  class class-default 
    set qos-group 1 
! 
interface GigabitEthernet0/2/0 
  ipv6 address 
  negotiation auto 
  cdp enable 
  ipv6 crypto map cmap 
  service-policy input p2 
! 
! 
interface GigabitEthernet0/2/7 
  ipv6 address 2001:DB8:FFFF:1::F/64
  negotiation auto 
  cdp enable 
  service-policy input p1 
!

Additional References for IPv6 IPsec QoS

Related Documents

Related Topic Document Title

Security commands

IPv6 Commands

IPv6 Command Reference

QoS Commands

Cisco IOS Quality of Service Solutions Command Reference

IPv6 Addressing and Connectivity

IPv6 Configuration Guide

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for IPv6 IPsec QoS

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for IPv6 IPsec QoS

Feature Name

Releases

Feature Information

IPv6 IPsec QoS

15.4(1)S

The IPv6 IPsec QoS feature allows the QoS policies to be applied to IPv6 IPsec. This feature supports the following functionalities:

  • Crypto LLQ QoS
  • IPsec QoS Pre-Classify
  • QoS group-based LLQ

The following command was modified: ipv6 crypto map