Monday, April 05, 2010

Sonicwall Global VPN Configuration

This post covers Global VPN configuration on the Sonicwall basic OS. If I have time, I will post other firewall configurations with screenshots.

Friday, March 12, 2010

The mystery of "qos pre-classify" command

The command "qos pre-classify", which we apply on a tunnel interface, in a crypto map, or on a virtual template interface, has always been a mystery to me. At last, after doing some research and testing, I got a clear idea about it. Below is a list of facts we should keep in mind when we use this feature:
  • The 'qos pre-classify' command configures the IOS to make a temporary copy of the IP packet before it is encapsulated or encrypted so that the service policy on the (egress) interface can do its classification based on the original (inner) IP packet fields rather than the encapsulating (outer) IP packet header.
  • The IOS by default copies the ToS byte from the inner IP packet to the ToS byte of the encapsulating IP packet when tunneling or encrypting (IPSec).
  • If the classification is based only on the ToS byte (IP precedence or DSCP), qos pre-classify is not necessary, because that byte is already copied to the outer header.
  • Applying a service policy to a physical interface causes that policy to affect all tunnel interfaces on that physical interface.
  • Applying a service policy to a tunnel interface affects that particular tunnel only and does not affect other tunnel interfaces on the same physical interface.
  • When we apply a QoS service policy to a physical interface where one or more tunnels emanate, the service policy classifies IP packets based on the post-tunnel IP header fields.
  • When we apply a QoS service policy to a tunnel interface, the service policy performs classification on the pre-tunnel IP packet (inner packet).
  • If we want to apply a QoS service policy to the physical interface, but we want classification to be performed based on the pre-tunnel IP packet, we must use the qos pre-classify command.
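The last two points together, as an added IOS configuration example (not from the original post): the egress policy lives on the physical interface, one class matches the inner source subnet (which needs qos pre-classify), and one class matches DSCP EF (which works either way because the ToS byte is copied to the outer header). The addresses, interface names, and the 10.1.10.0/24 voice subnet are assumed values.

```cisco
! Added example, not from the original post. Assumed addressing:
! tunnel endpoints 203.0.113.1 and 198.51.100.1, voice subnet 10.1.10.0/24.
ip access-list extended VOICE-SUBNET
 permit ip 10.1.10.0 0.0.0.255 any

! Needs the inner header: the outer GRE/IPsec header carries only the
! tunnel endpoints, so this ACL never matches without qos pre-classify.
class-map match-all VOICE-BY-SUBNET
 match access-group name VOICE-SUBNET

! Works with or without qos pre-classify: IOS copies the ToS byte of the
! inner packet into the encapsulating header by default.
class-map match-all VOICE-BY-DSCP
 match dscp ef

policy-map WAN-EDGE
 class VOICE-BY-SUBNET
  priority 512
 class VOICE-BY-DSCP
  priority 256
 class class-default
  fair-queue

interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 ! Keep a copy of the pre-tunnel packet so the policy on the physical
 ! egress interface classifies on the inner IP header.
 qos pre-classify

interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 service-policy output WAN-EDGE
```

To confirm the behaviour, check the per-class counters with "show policy-map interface GigabitEthernet0/0": with qos pre-classify removed from Tunnel0, the VOICE-BY-SUBNET counters stop increasing while VOICE-BY-DSCP keeps matching.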