What happens when you have encrypted traffic that requires priority across a network before it's encapsulated? The ToS byte of the original packet is automatically copied to the tunnel header (IPsec transport mode, IPsec tunnel mode, and GRE tunnels), but this does not work for features like NBAR.
The problem derives from the fact that tunnel encapsulation prevents a router from taking egress QoS actions based on the encrypted traffic. To resolve this, Cisco IOS includes QoS pre-classification. This allows routers to make egress QoS decisions based on the original traffic, before encapsulation, rather than on the encapsulating tunnel header. It works by keeping the original unencrypted traffic in memory until the egress QoS actions are taken.
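A minimal configuration sketch of the feature described above, added here as an illustration and not taken from the original page. The class, policy and ACL names, the interface numbers and all addresses are constructed placeholders. The egress policy on the physical interface matches on the inner (pre-encapsulation) addresses and ports, which only works because `qos pre-classify` is enabled on the tunnel.

```cisco
! Constructed example: all names, interfaces and addresses are placeholders.
!
! Match on fields of the ORIGINAL packet (inner addresses and UDP ports).
ip access-list extended VOICE-INNER
 permit udp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 range 16384 32767
!
class-map match-all VOICE-RTP
 match access-group name VOICE-INNER
!
policy-map WAN-EGRESS
 class VOICE-RTP
  priority percent 30
 class class-default
  fair-queue
!
! GRE tunnel: without "qos pre-classify" the egress policy below would
! only see the outer GRE header (tunnel source/destination, protocol 47)
! and the VOICE-INNER ACL would never match.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 qos pre-classify
!
! Egress QoS is applied on the physical interface the tunnel leaves through.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 service-policy output WAN-EGRESS
```

For IPsec configured with crypto maps, the same `qos pre-classify` command is entered under the crypto map entry. `show policy-map interface GigabitEthernet0/0` shows whether packets are being counted in the `VOICE-RTP` class.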