-
Cisco IOS Security Configuration Guide, Release 12.4
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
- TACACS+
-
Configuring Kerberos
-
RADIUS
-
Traffic Filtering, Firewalls, and Virus Detection
-
Access Control Lists: Overview and Guidelines
-
Cisco IOS Firewall Overview
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Cisco IOS Firewall Performance Improvements
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Websense URL Filtering
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
-
Configuring Cisco IOS Intrusion Prevention System (IPS)
-
Network Admission Control
- Authentication Proxy
-
Configuring Port to Application Mapping
-
-
IPSec and IKE
- Internet Key Exchange for IPSec VPNs
-
Security for VPNs with IPSec
-
Configuring Security for VPNs with IPSec
-
Cisco Easy VPN Remote
-
Crypto Access Check on Clear-Text Packets
-
DF Bit Override Functionality with IPsec Tunnels
-
Distinguished Name Based Crypto Maps
-
Dynamic Multipoint VPN (DMVPN)
-
Easy VPN Remote RSA Signature Support
-
Easy VPN Server
-
Invalid Security Parameter Index Recovery
-
IP Security VPN Monitoring
-
IPsec and Quality of Service
-
IPSec Anti-Replay Window: Expanding and Disabling
-
IPsec Dead Peer Detection Periodic Message Option
-
IPsec NAT Transparency
-
IPSec Preferred Peer
-
IPsec Security Association Idle Timers
-
IPsec--SNMP Support
-
IPSec Virtual Tunnel Interface
-
IPsec VPN Accounting
-
IPsec VPN High Availability Enhancements
-
Low Latency Queueing (LLQ) for IPsec Encryption Engines
-
L2TP—IPsec Support for NAT and PAT Windows Clients
-
Pre-Fragmentation for IPsec VPNs
-
Real-Time Resolution for IPsec Tunnel Peer
-
Reverse Route Injection
-
SafeNet IPSec VPN Client Support
-
Stateful Failover for IPsec
-
VRF-Aware Ipsec
-
-
Public Key Infrastructure (PKI)
-
Implementing and Managing PKI Features Roadmap
-
Cisco IOS PKI Overview: Understanding and Planning a PKI
-
Deploying RSA Keys Within a PKI
-
Configuring Authorization and Revocation of Certificates in a PKI
-
Configuring Certificate Enrollment for a PKI
-
Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI
-
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
-
Storing PKI Credentials
-
- Other Security Features
- Secure Infrastructure
-
Appendixes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
TACACS+ Attribute-Value Pairs
-
-
TACACS+ Attribute-Value Pairs
-
RADIUS Attributes
Table Of Contents
Prerequisites for IPsec and Quality of Service
Restrictions for IPsec and Quality of Service
Information About IPsec and Quality of Service
IPsec and Quality of Service Overview
How to Configure IPsec and Quality of Service
Configuring IPsec and Quality of Service
Verifying IPsec and Quality of Service Sessions
Configuration Examples for IPsec and Quality of Service
QoS Policy Applied to Two Groups of Remote Users: Example
show crypto isakmp profile Command: Example
show crypto ipsec sa Command: Example
IPsec and Quality of Service
The IPsec and Quality of Service feature allows Cisco IOS quality of service (QoS) policies to be applied to IP Security (IPsec) packet flows on the basis of a QoS group that can be added to the current Internet Security Association and Key Management Protocol (ISAKMP) profile.
Feature History for IPsec and Quality of Service
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for IPsec and Quality of Service
•
•
•
•
Prerequisites for IPsec and Quality of Service
•
•
Restrictions for IPsec and Quality of Service
•
•
•
Information About IPsec and Quality of Service
To configure the IPsec and Quality of Service feature, you should understand the following concept:
•
IPsec and Quality of Service Overview
The IPsec and Quality of Service feature allows you to apply QoS policies, such as traffic policing and shaping, to IPsec-protected packets by adding a QoS group to ISAKMP profiles. After the QoS group has been added, this group value will be mapped to the same QoS group as defined in QoS class maps. Any current QoS method that makes use of this QoS group tag can be applied to IPsec packet flows. Common groupings of packet flows can have specific policy classes applied by having the IPsec QoS group made available to the QoS mechanism. Marking IPsec flows allows QoS mechanisms to be applied to classes of traffic that could provide support for such things as restricting the amount of bandwidth that is available to specific groups or devices or marking the type of service (ToS) bits on certain flows.
The application of the QoS group is applied at the ISAKMP profile level because it is the profile that can uniquely identify devices through its concept of match identity criteria. These criteria are on the basis of the Internet Key Exchange (IKE) identity that is presented by incoming IKE connections and includes such things as IP address, fully qualified domain name (FQDN), and group (that is, the virtual private network [VPN] remote client grouping). The granularity of the match identity criteria will impose the granularity of the specified QoS policy, for example, to mark all traffic belonging to the VPN client group named "Engineering" as "TOS 5". Another example of having the granularity of a specified QoS policy imposed would be to allocate 30 percent of the bandwidth on an outbound WAN link to a specific group of remote VPN devices.
How to Configure IPsec and Quality of Service
This section includes the following procedures:
•
•
•
Configuring IPsec and Quality of Service
To apply QoS policies to an ISAKMP profile, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Verifying IPsec and Quality of Service Sessions
To verify your IPsec and QoS sessions, perform the following steps. The show commands can be used in any order or independent of each other.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Troubleshooting Tips
If you have a problem with your IPsec and QoS sessions, ensure that you have done the following:
•
•
•
Configuration Examples for IPsec and Quality of Service
This section provides the following output examples:
•
•
•
QoS Policy Applied to Two Groups of Remote Users: Example
In the following example, a specific QoS policy is applied to two groups of remote users. Two ISAKMP profiles are configured so that upon initial connection via IKE, remote users are mapped to a specific profile. From that profile, all IPsec SAs that have been created for that remote will be marked with the specific QoS group. As traffic leaves the outbound interface, the QoS service will map the IPsec set QoS group with the QoS group that is specified in the class maps that comprise the service policy that is applied on that outbound interface.
version 12.3!aaa authentication login group group radiusaaa authorization network autho localaaa accounting update periodic 1aaa session-id commonip subnet-zero!!ip cefno ip domain lookup!class-map match-all yellowmatch qos-group 3class-map match-all bluematch qos-group 2!!policy-map clientsclass blueset precedence 5class yellowset precedence 7!!crypto isakmp policy 1encr 3deshash md5authentication pre-sharegroup 2lifetime 300!crypto isakmp keepalive 10 periodiccrypto isakmp xauth timeout 20!crypto isakmp client configuration group bluekey ciscodns 10.2.2.2 10.2.2.3wins 10.6.6.6pool bluesave-passwordinclude-local-lanbackup-gateway corky1.cisco.com!crypto isakmp client configuration group yellowdns 10.2.2.2 10.2.2.3wins 10.6.6.5pool yellow!crypto isakmp profile bluematch identity group ciscoclient authentication list authoisakmp authorization list authoclient configuration address respondqos-group 2crypto isakmp profile yellowmatch identity group yellowmatch identity address 10.0.0.11 255.255.255.255client authentication list authoisakmp authorization list authoclient configuration address respondqos-group 3!!crypto ipsec transform-set combo ah-sha-hmac esp-3des esp-sha-hmaccrypto ipsec transform-set client esp-3des esp-sha-hmac comp-lzs!crypto dynamic-map mode 1set security-association lifetime seconds 180set transform-set clientset isakmp-profile bluereverse-routecrypto dynamic-map mode 2set transform-set comboset isakmp-profile yellowreverse-route!crypto map mode 1 ipsec-isakmp dynamic mode!interface FastEthernet0/0ip address 10.0.0.110 255.255.255.0no ip redirectsno ip proxy-arpno ip mroute-cacheduplex halfno cdp enablecrypto map modeservice-policy out clients!ip local pool yellow 192.168.2.1 192.168.2.10ip local pool blue 192.168.6.1 192.168.6.6no ip classless!radius-server host 10.0.0.13 auth-port 1645 acct-port 1646radius-server key XXXXXXradius-server vsa send accountingradius-server vsa send authenticationshow crypto isakmp profile Command: Example
The following output shows that QoS group "2" has been applied to the ISAKMP profile "blue" and that QoS group "3" has been applied to the ISAKMP profile "yellow":
Router# show crypto isakmp profileISAKMP PROFILE blueIdentities matched are:group blueQoS Group 2 is appliedISAKMP PROFILE yellowIdentities matched are:ip-address 10.0.0.13 255.255.255.255group yellowQoS Group 3 is appliedshow crypto ipsec sa Command: Example
The following output shows that the QoS group has been applied to a particular pair of IPsec SAs:
Router# show crypto ipsec sainterface: FastEthernet0/0Crypto map tag: mode, local addr. 10.0.0.110protected vrf:local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)remote ident (addr/mask/prot/port): (10.12.12.0/255.255.255.0/0/0)current_peer: 10.0.0.11:500PERMIT, flags={}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0qos group is set to 2Additional References
The following sections provide references related to the IPsec and Quality of Service feature.
Related Documents
IPsec
"IP Security and Encryption" chapter of the Cisco IOS Security Configuration Guide, Release 12.3
QoS options
Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.3
QoS commands
Cisco IOS Quality of Service Solutions Command Reference, Release 12.3 T
Security commands
Standards
MIBs
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features
•
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
