Enabling QoS pre-classify

CAUTION:

If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match the QoS traffic classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different queues, causing packets to be sent out of order. When IPsec anti-replay is enabled, IPsec will drop the incoming packets that are out of the anti-replay window, resulting in packet loss.

If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using the new headers added by IPsec. If you want QoS to classify packets by using the headers of the original IP packets, enable the QoS pre-classify feature.

IPsec traffic classification rules are determined by the rules of the specified ACL. For more information about QoS policy and classification, see ACL and QoS Configuration Guide.

To enable the QoS pre-classify feature:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter IPsec policy view or IPsec policy template view.	To enter IPsec policy view:ipsec { policy \| ipv6-policy } policy-name seq-number [ isakmp \| manual ] To enter IPsec policy template view:ipsec { policy-template \| ipv6-policy-template } template-name seq-number	N/A
3. Enable QoS pre-classify.	qos pre-classify	By default, QoS pre-classify is disabled.

prev	up	next
Binding a source interface to an IPsec policy	home	Enabling logging of IPsec packets