IPv6 IPsec Quality of Service
The IPv6 IPsec QoS feature allows the quality of service (QoS) policies to be applied to IPv6 IPsec.
- Finding Feature Information
- Additional References for IPv6 IPsec QoS
- Feature Information for IPv6 IPsec QoS
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
IPv6 IPsec QoS Overview
The IPv6 IPsec QoS feature applies the quality of service (QoS) policies to IPv6 IPsec. This feature supports the following functionalities:
- Crypto LLQ QoS—Traffic that is classified by QoS and marked as priority level 1 or 2 by traditional Cisco Modular QoS CLI (MQC) QoS configuration, for example PAK priority, is enqueued to the priority queue before the crypto processor. The low latency queuing (LLQ) for IPsec encryption engines helps reduce packet latency for priority traffic.
- IPsec QoS Pre-Classify—QoS pre-classify is configured under a crypto map to enable IPsec to save the original Layer 3 and Layer 4 header before the encryption so that QoS can do the classification using the saved header.
- QoS group-based LLQ—The QoS group-based LLQ feature allows IPsec to check the LLQ QoS group setting to determine whether a packet is a high priority packet before it is enqueued to low latency queuing (LLQ).
Configuring Crypto LLQ QoS
When IPsec and QoS are configured on a physical interface and the QoS policy has a priority class, IPsec classifies each packet based on the policy attached to the interface. Packets that match the priority class are treated as high priority and are enqueued to the low latency queue (LLQ).
Perform this task to attach a service policy to the output interface and enable LLQ for IPsec encryption engines.
1. enable
2. configure terminal
3. interface physical-interface-name
4. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
5. service-policy output policy-map
6. ipv6 crypto map map-name
7. end
Configuring Pre-classify on the Crypto Map
The qos pre-classify command is applied on the crypto map, allowing configuration on a per-tunnel basis. QoS policy is applied to packets based on the L3 and L4 headers before encryption.
Perform this task to apply the QoS pre-classify on the crypto map.
1. enable
2. configure terminal
3. ipv6 crypto map map-name
4. qos pre-classify
5. end
Configuring Pre-classify on the Tunnel Interface
The qos pre-classify command is applied on the IPv6 IPsec tunnel interface, making QoS a configuration option on a per-tunnel basis.
Perform this task to apply the QoS pre-classify on the tunnel interface.
1. enable
2. configure terminal
3. interface tunnel-interface-name
4. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
5. qos pre-classify
6. end
Configuring LLQ QoS Group
The platform ipsec llq qos-group command enables low latency queuing for traffic that matches the QoS groups configured with this command.
Perform this task to enable LLQ for QoS groups.
1. enable
2. configure terminal
3. platform ipsec llq qos-group group-number
4. end
Example: Configuring Crypto LLQ QoS
The following example shows how to attach the service policy map to the output interface and enable an IPv6 crypto map on an interface.
```
!
class-map match-all c2
 match precedence 5 6 7
class-map match-all c1
 match precedence 0 1 2 3
policy-map p1
 class c1
  priority percent 10
 class c2
  bandwidth remaining percent 3
crypto map ipv6 CMAP_1 1 ipsec-isakmp
 set peer address 2001:DB8:FFFF::1
 set transform-set ESP-3DES-SHA
 match address 102
interface GigabitEthernet0/0/1
 ipv6 address 2001:DB8:FFFF::2/64
 ipv6 crypto map CMAP_1
 service-policy output p1
```
Example: Configuring Pre-classify on the Crypto Map
The following example shows how to enable QoS pre-classification using the qos pre-classify command on the crypto map CM_V6.
```
!
crypto map ipv6 CM_V6 10 ipsec-isakmp
 match address ACL_IPV6_1
 set transform-set set1
 set peer 2001:DB8:FFFF::1
 qos pre-classify
!
interface GigabitEthernet0/0/1
 ipv6 address 2001:DB8:FFFF::2/64
 service-policy output policy1
 ipv6 crypto map CM_V6
```
Example: Configuring Pre-classify on the Tunnel Interface
The following example shows how to enable QoS pre-classification using the qos pre-classify command on the tunnel interface tunnel1.
```
interface GigabitEthernet1/1/2
 ipv6 address 2001:DB8:1::F/64
 service-policy output policy1
!
interface Tunnel1
 ipv6 address 2001:DB8:2::F/64
 qos pre-classify
 ipv6 mtu 1400
 tunnel protection ipsec profile greprof
```
Example: Configuring LLQ QoS Group
The following example shows how to configure low latency queuing on a QoS group.
```
!
platform ipsec llq qos-group 1
platform ipsec llq qos-group 49
!
!
crypto map ipv6 cmap 1 ipsec-isakmp
 set peer 2001:DB8:FFFF:1::E/64
 set security-association lifetime seconds 600
 set transform-set aes-192
 match address 102
!
!
class-map match-all c1
 match precedence 5
class-map match-all c2
 match precedence 2
class-map match-all c3
 match precedence 4
class-map match-all c4
 match precedence 3
!
policy-map p1
 class c3
  set qos-group 20
 class c1
  set qos-group 49
 class c4
  set qos-group 77
!
policy-map p2
 class class-default
  set qos-group 1
!
interface GigabitEthernet0/2/0
 ipv6 address
 negotiation auto
 cdp enable
 ipv6 crypto map cmap
 service-policy input p2
!
!
interface GigabitEthernet0/2/7
 ipv6 address 2001:DB8:FFFF:1::F/64
 negotiation auto
 cdp enable
 service-policy input p1
!
```
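A consistency check for the configuration above, as an added example that is not part of the original Cisco document: it lists every `set qos-group` in the policy maps and reports whether that group is enabled with `platform ipsec llq qos-group`. The function name `audit_llq_groups` and the simplified, indentation-based parsing are assumptions made for this example.

```python
import re

# Excerpt of the page's LLQ QoS group example (line breaks restored).
CONFIG = """\
platform ipsec llq qos-group 1
platform ipsec llq qos-group 49
policy-map p1
 class c3
  set qos-group 20
 class c1
  set qos-group 49
 class c4
  set qos-group 77
policy-map p2
 class class-default
  set qos-group 1
interface GigabitEthernet0/2/7
 negotiation auto
 service-policy input p1
"""

def audit_llq_groups(config):
    """Return (llq_groups, rows); each row is (policy, class, qos_group, gets_llq)."""
    llq, rows, policy, cls = set(), [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"platform ipsec llq qos-group (\d+)", line):
            llq.add(int(m.group(1)))
        elif not raw.startswith(" "):
            # Any other top-level command ends the current policy-map context.
            m = re.fullmatch(r"policy-map (\S+)", line)
            policy, cls = (m.group(1) if m else None), None
        elif policy and (m := re.fullmatch(r"class (\S+)", line)):
            cls = m.group(1)
        elif policy and cls and (m := re.fullmatch(r"set qos-group (\d+)", line)):
            rows.append((policy, cls, int(m.group(1))))
    # Resolve LLQ membership last, so command order in the config does not matter.
    return llq, [(p, c, g, g in llq) for p, c, g in rows]

if __name__ == "__main__":
    groups, rows = audit_llq_groups(CONFIG)
    for p, c, g, hit in rows:
        print(f"{p}/{c}: qos-group {g} -> {'LLQ' if hit else 'not LLQ'}")
```

On the page's example, groups 49 and 1 are reported as LLQ, while groups 20 and 77 are set by policy p1 but are not enabled for LLQ.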
Additional References for IPv6 IPsec QoS
Related Documents
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
Security commands | |
IPv6 Commands | |
QoS Commands | Cisco IOS Quality of Service Solutions Command Reference |
IPv6 Addressing and Connectivity | IPv6 Configuration Guide |
Feature Information for IPv6 IPsec QoS
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information |
---|---|---|
IPv6 IPsec QoS | 15.4(1)S | The IPv6 IPsec QoS feature allows the QoS policies to be applied to IPv6 IPsec. This feature supports the following functionalities: The following command was modified: ipv6 crypto map |