- Enterasys Security Router User's Guide

QoS on VPN
XSR User’s Guide 12-23
This situation can cause unexpected results when QoS is applied to VPN interfaces. If the rate of
traffic traversing the VPN interface is higher than the physical interface bandwidth, packets are
dropped after they are sent from the VPN interface. Due to this, QoS statistics may show higher
available bandwidth on the VPN interface than the actual output rate on the physical line. For the
same reason, QoS bandwidth sharing on the VPN interface is not enforced, although you may
configure it.
When configuring QoS on the VPN interface you should keep the following in mind:
- If the physical interface that establishes the tunnel is congested, QoS on the VPN interface may show higher send rates than the actual line speed. To avoid this behavior, apply the shaper per policy map on the VPN interface as described in the next section.
- QoS on VPN does not provide bandwidth sharing, although you may configure it. To activate bandwidth sharing, apply the shaper per policy map as described in the next section.
- The priority traffic (class) should be allocated less reserved bandwidth than the physical interface or, if the shaper per policy map is applied, less than the shaper rate. If you ignore this rule, all non-priority traffic may be stopped when the line becomes congested, because priority queues are always serviced first.
- When QoS is applied on physical interfaces that implement crypto maps, reordering of packets by QoS may trigger anti-replay IPSec protection at the receiving tunnel end. To avoid this problem, disable anti-replay or do not use QoS on the receive side.
Configuring the Shaper on the VPN Interface
If bandwidth sharing on the VPN interface is required you can communicate the expected or
required bandwidth to QoS by applying shaper per policy map on the VPN interface. The shaper
limits traffic that transits the VPN interface and collaborates with QoS to enforce bandwidth
sharing.
In the following example, classes c1 and class default share 1 Mbps bandwidth. Class c1 has 100
Kbps reserved bandwidth while class default will get the remainder of the 1 Mbps. The output
physical interface will receive at most 1 Mbps from this VPN interface.
XSR(config)#policy-map VPN
XSR(config-pmap<VPN>)#shape 1000000
XSR(config-pmap<VPN>)#class c1
XSR(config-pmap-c<class1>)#priority high 100
XSR(config-pmap-c<class1>)#exit
XSR(config-pmap<VPN>)#class class-default
XSR(config-pmap-c<class-defaul>)#set ip dscp 32
When you configure the shaper rate you must account for the expected overhead due to IPSec/
GRE encapsulation. Packets traversing the VPN interface are purely user payload packets that
later in the stack are encapsulated with tunnel headers. If the configured shaper rate does not
account for encapsulation overhead, packets will be dropped during congestion on the physical
interface, disturbing bandwidth sharing on the VPN interface. The table below outlines the
approximate overhead values for different tunnel/IPsec configurations.
Table 12-3 Overhead on IPSec Tunnels

| Tunnel Type | Mode   | Tunnel IP Header | AH (HMAC) | ESP+3DES | Total Overhead |
|-------------|--------|------------------|-----------|----------|----------------|
| Tunnel AH   | Tunnel | 20 bytes         | 24 bytes  | NA       | 44 bytes       |
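The following is an added worked example, not part of the Enterasys guide, showing how to size the shaper rate so that the encapsulated traffic fits the physical line and how to check the priority-class rule from the list above. The only overhead figure taken from Table 12-3 is the AH tunnel-mode value (44 bytes); the 1 Mbps line rate, the 100 Kbps priority reservation and the packet sizes are assumptions chosen to match the policy-map example.

```python
# Added example (not Enterasys code): sizing a VPN shaper for IPsec encapsulation overhead.
# Overhead values: only the AH tunnel-mode row (44 bytes) is taken from Table 12-3 above.
OVERHEAD_BYTES = {
    "ah-tunnel": 44,  # 20-byte tunnel IP header + 24-byte AH (HMAC), per Table 12-3
}


def encapsulated_size(payload_bytes: int, tunnel_type: str) -> int:
    """Size on the physical line of one payload packet after tunnel encapsulation."""
    return payload_bytes + OVERHEAD_BYTES[tunnel_type]


def physical_load_bps(shaper_bps: int, payload_bytes: int, tunnel_type: str) -> int:
    """Bit rate the physical interface actually carries when the VPN shaper emits
    shaper_bps of pure payload in packets of payload_bytes each."""
    on_wire = encapsulated_size(payload_bytes, tunnel_type)
    return shaper_bps * on_wire // payload_bytes


def max_shaper_rate(line_rate_bps: int, payload_bytes: int, tunnel_type: str) -> int:
    """Largest shaper rate (payload bits/s) whose encapsulated traffic still fits
    the physical line, for the given (worst-case, i.e. smallest) payload size."""
    on_wire = encapsulated_size(payload_bytes, tunnel_type)
    return line_rate_bps * payload_bytes // on_wire


def check_policy(shaper_bps: int, priority_reserved_bps: int,
                 line_rate_bps: int, payload_bytes: int, tunnel_type: str) -> list:
    """Return a list of problems with a VPN policy map, following the rules in the text:
    priority reservation must be below the shaper rate, and the shaper must leave room
    for encapsulation overhead on the physical line."""
    issues = []
    if priority_reserved_bps >= shaper_bps:
        issues.append("priority reserved bandwidth must be lower than the shaper rate")
    if physical_load_bps(shaper_bps, payload_bytes, tunnel_type) > line_rate_bps:
        issues.append("shaper rate plus encapsulation overhead exceeds the physical line")
    return issues


if __name__ == "__main__":
    # Assumed figures: 1 Mbps physical line, AH tunnel mode, 1400-byte payload packets.
    line = 1_000_000
    print("max shaper for 1400-byte payloads:", max_shaper_rate(line, 1400, "ah-tunnel"))
    print("max shaper for 64-byte payloads:  ", max_shaper_rate(line, 64, "ah-tunnel"))
    # The page's policy map: shape 1000000, priority class reserved 100 Kbps.
    print("line load of a 1 Mbps shaper:", physical_load_bps(1_000_000, 1400, "ah-tunnel"))
    print("issues:", check_policy(1_000_000, 100_000, line, 1400, "ah-tunnel"))
```

The small-packet case matters most: the 44-byte overhead is a much larger fraction of a 64-byte packet than of a 1400-byte one, so a shaper sized for large packets will still overrun the line under small-packet traffic and trigger exactly the drops the text describes.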