The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The IPsec and Quality of Service feature allows Cisco IOS quality of service (QoS) policies to be applied to IP Security (IPsec) packet flows on the basis of a QoS group that can be added to the current Internet Security Association and Key Management Protocol (ISAKMP) profile.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp . You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The IPsec and Quality of Service feature allows you to apply QoS policies, such as traffic policing and shaping, to IPsec-protected packets by adding a QoS group to ISAKMP profiles. After the QoS group has been added, this group value will be mapped to the same QoS group as defined in QoS class maps. Any current QoS method that makes use of this QoS group tag can be applied to IPsec packet flows. Common groupings of packet flows can have specific policy classes applied by having the IPsec QoS group made available to the QoS mechanism. Marking IPsec flows allows QoS mechanisms to be applied to classes of traffic that could provide support for such things as restricting the amount of bandwidth that is available to specific groups or devices or marking the type of service (ToS) bits on certain flows.
The application of the QoS group is applied at the ISAKMP profile level because it is the profile that can uniquely identify devices through its concept of match identity criteria. These criteria are on the basis of the Internet Key Exchange (IKE) identity that is presented by incoming IKE connections and includes such things as IP address, fully qualified domain name (FQDN), and group (that is, the virtual private network [VPN] remote client grouping). The granularity of the match identity criteria will impose the granularity of the specified QoS policy, for example, to mark all traffic belonging to the VPN client group named "Engineering" as "TOS 5". Another example of having the granularity of a specified QoS policy imposed would be to allocate 30 percent of the bandwidth on an outbound WAN link to a specific group of remote VPN devices.
To apply QoS policies to an ISAKMP profile, perform the following steps.
To verify your IPsec and QoS sessions, perform the following steps. The show commands can be used in any order or independent of each other.
If you have a problem with your IPsec and QoS sessions, ensure that you have done the following:
In the following example, a specific QoS policy is applied to two groups of remote users. Two ISAKMP profiles are configured so that upon initial connection via IKE, remote users are mapped to a specific profile. From that profile, all IPsec SAs that have been created for that remote will be marked with the specific QoS group. As traffic leaves the outbound interface, the QoS service will map the IPsec set QoS group with the QoS group that is specified in the class maps that comprise the service policy that is applied on that outbound interface.
version 12.3 ! aaa authentication login group group radius aaa authorization network autho local aaa accounting update periodic 1 aaa session-id common ip subnet-zero ! ! ip cef no ip domain lookup ! class-map match-all yellow match qos-group 3 class-map match-all blue match qos-group 2 ! ! policy-map clients class blue set precedence 5 class yellow set precedence 7 ! ! crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2 lifetime 300 ! crypto isakmp keepalive 10 periodic crypto isakmp xauth timeout 20 ! crypto isakmp client configuration group blue key cisco dns 10.2.2.2 10.2.2.3 wins 10.6.6.6 pool blue save-password include-local-lan backup-gateway corky1.cisco.com ! crypto isakmp client configuration group yellow dns 10.2.2.2 10.2.2.3 wins 10.6.6.5 pool yellow ! crypto isakmp profile blue match identity group cisco client authentication list autho isakmp authorization list autho client configuration address respond qos-group 2 crypto isakmp profile yellow match identity group yellow match identity address 10.0.0.11 255.255.255.255 client authentication list autho isakmp authorization list autho client configuration address respond qos-group 3 ! ! crypto ipsec transform-set combo ah-sha-hmac esp-3des esp-sha-hmac crypto ipsec transform-set client esp-3des esp-sha-hmac comp-lzs ! crypto dynamic-map mode 1 set security-association lifetime seconds 180 set transform-set client set isakmp-profile blue reverse-route crypto dynamic-map mode 2 set transform-set combo set isakmp-profile yellow reverse-route ! crypto map mode 1 ipsec-isakmp dynamic mode ! interface FastEthernet0/0 ip address 10.0.0.110 255.255.255.0 no ip redirects no ip proxy-arp no ip mroute-cache duplex half no cdp enable crypto map mode service-policy out clients ! ip local pool yellow 192.168.2.1 192.168.2.10 ip local pool blue 192.168.6.1 192.168.6.6 no ip classless ! radius-server host 10.0.0.13 auth-port 1645 acct-port 1646 radius-server key XXXXXX radius-server vsa send accounting radius-server vsa send authentication
The following output shows that QoS group "2" has been applied to the ISAKMP profile "blue" and that QoS group "3" has been applied to the ISAKMP profile "yellow":
Router# show crypto isakmp profile
ISAKMP PROFILE blue
Identities matched are:
group blue
QoS Group 2 is applied
ISAKMP PROFILE yellow
Identities matched are:
ip-address 10.0.0.13 255.255.255.255
group yellow
QoS Group 3 is applied
The following output shows that the QoS group has been applied to a particular pair of IPsec SAs:
Router# show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: mode, local addr. 10.0.0.110
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.12.12.0/255.255.255.0/0/0)
current_peer: 10.0.0.11:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
qos group is set to 2
The following sections provide references related to the IPsec and Quality of Service feature.
Related Topic |
Document Title |
---|---|
IPsec |
Configuring Security for VPNs with IPsec |
QoS options |
Cisco IOS Quality of Service Solutions Configuration Guide on Cisco.com |
QoS commands |
Cisco IOS Quality of Service Solutions Command Reference |
Security commands |
Cisco IOS Security Command Reference |
Standards |
Title |
---|---|
No new or modified standards are supported by this feature. |
-- |
MIBs |
MIBs Link |
---|---|
No new or modified MIBs are supported by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs |
Title |
---|---|
No new or modified RFCs are supported by this feature. |
-- |
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for IPsec and Quality of Service |
Feature Name |
Releases |
Feature Information |
---|---|---|
IPsec and Quality of Service |
12.3(8)T |
The IPsec and Quality of Service feature allows Cisco IOS quality of service (QoS) policies to be applied to IP Security (IPsec) packet flows on the basis of a QoS group that can be added to the current Internet Security Association and Key Management Protocol (ISAKMP) profile. In Cisco IOS Release 12.3(8)T, this feature was introduced. The following commands were introduced or modified: qos-group. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.