When you have a requirement for QoS in an environment that utilizes VPN tunnels, you can run into problems, because when high priority packets enter a tunnel, they are treated the same as low priority packets by all device that the tunnel traverses, simply because these devices cannot see through the encryption to discern the priority of the concealed packets, which will have a bad impact on QoS.
If you're using the ToS (type of service) byte to differentiate your traffic, and Cisco routers and switches as your networking infrastructure, you may not have as much of a problem, because the ToS byte is automatically copied from the original packet's header to the encrypted packet's header. However, if your scheme is more granular and flow-based, you may want to use the "qos pre-classify" feature.
This feature allows the encrypting device to run its QoS classification before a packet is encrypted. You can use the pre-classify feature on the tunnel interface or a physical interphase, depending on where your policy is applied or what your anticipated congestion points are.
You can find more information about this on
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.
This was first published in December 2002