
Providing QOS within a VPN tunnel

vincent-n
Level 3

I was wondering whether it's possible to provide QOS such as CBWFQ inside a VPN tunnel? To explain things a bit, I am currently running QOS on a private FR WAN and management is looking at the possibility of migrating to a broadband DSL WAN running over VPN. I'm concerned about all the CBWFQ QOS that I've set up and wanted to know whether it's possible to provide QOS on a VPN tunnel? Thanks in advance for your answer.

2 Replies

travis-dennis_2
Level 7

Very doable. If memory serves, as long as you do your prioritizing before the packet is encrypted you should be fine. You will also need a device on the other end doing QoS after the packet is decrypted. Some devices can see the precedence even on an encrypted packet. If you can give a little more info on the proposed hardware and what you already have in place you will probably get more specific information.

Sorry it took a while to get back to you. It has been a few extremely busy days. Thanks for your reply. I currently have a 3662 at the Central office running ATM and several branches on 1700 and 2620 running FR. To provide QOS, I've configured CBWFQ at both the Central and branch offices. Using a Cisco on-line document outlining a sample config, I've applied application/traffic marking at the Ethernet interface and then applied application/traffic prioritization as outbound. Here is an example of what I did:

class-map match-any Transactional-mark
 description **Transactional Application**
 match protocol sqlnet
 match protocol sqlserver
!
!
policy-map QOS-Policy
 class Interactive
  bandwidth percent 20
 class Transactional
  bandwidth percent 20
 class Batch
  bandwidth percent 8
 class Bulk
  bandwidth percent 8
 class OS
  bandwidth percent 8
policy-map QOS-Policy-Mark
 description **Marking and Identifying Applications**
 class OS-mark
  set ip dscp 20
 class Interactive-mark
  set ip dscp 26
 class Transactional-mark
  set ip dscp 18
 class Batch-Mark
  set ip dscp 20
 class Bulk-mark
  set ip dscp 10
!
interface FastEthernet0/0.3
 description ** Common Server Subnet 10.95.3.0/24 **
 encapsulation dot1Q 3
 ip address 192.168.155.125 255.255.255.248 secondary
 ip address 10.95.3.13 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 ntp broadcast
 service-policy input QOS-Policy-Mark
!
interface ATM1/0.33 point-to-point
 description *** ATM PVC to Melbourne - 768K CIR/1024 (MFPVC11677003) ***
 mtu 1500
 bandwidth 768
 ip address 192.168.155.13 255.255.255.252
 ip nbar protocol-discovery
 ip summary-address eigrp 112 0.0.0.0 0.0.0.0 5
 pvc 3/33
  vbr-nrt 1024 768 32
  service-policy output QOS-Policy
!

***********************

What management is asking me to do at the moment is to look into the possibility of providing a WAN based on broadband technology since it's pretty cheap compared to FR/ATM. Obviously I'll have to protect my traffic now that it's exposed to the Internet. One way of protecting the traffic is to run IPSec and hence other stuff came along such as VPN. I've just been back from a Cisco VPN course and was wondering:

1. Wanted to find out HOW to configure CBWFQ QOS that works with VPN

2. Is the Cisco concentrator 3000 able to provide QOS?

Thanks in advance for your answer.
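
An added example, not part of the thread and not Cisco code: a Python sketch of why the marking step in the config above has to see the packet before it is encrypted, and what a WAN-side policy can still match afterwards. It assumes IPsec tunnel mode copies the inner DSCP into the outer IP header (the RFC 4301 default), uses a hash-based XOR as a stand-in for ESP encryption, and constructs every packet, address, key and the sqlnet port number itself.

```python
import hashlib
import struct

SQLNET_PORT = 1521        # assumed TCP port for sqlnet traffic in this demo
DSCP_TRANSACTIONAL = 18   # value set for Transactional-mark in the posted policy
PROTO_TCP, PROTO_ESP = 6, 50

def ipv4_header(src, dst, proto, dscp, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0); DSCP is the top 6 bits of ToS."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len,
                       0, 0, 64, proto, 0, bytes(src), bytes(dst))

def tcp_segment(sport, dport, data=b""):
    """Minimal 20-byte TCP header followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data

def mark(packet, dscp):
    """Marking step: rewrite DSCP only if the packet is visibly TCP to the sqlnet port."""
    dport = struct.unpack("!H", packet[22:24])[0]
    if packet[9] == PROTO_TCP and dport == SQLNET_PORT:
        return packet[:1] + bytes([dscp << 2]) + packet[2:]
    return packet

def esp_tunnel(inner, gw_src, gw_dst, key=b"constructed-demo-key"):
    """Stand-in for ESP tunnel mode: hide the inner packet, copy its DSCP to the outer header."""
    stream, counter = b"", 0
    while len(stream) < len(inner):
        stream += hashlib.sha256(key + bytes([counter])).digest()
        counter += 1
    hidden = bytes(a ^ b for a, b in zip(inner, stream))  # NOT real ESP crypto
    esp = struct.pack("!II", 0x1000, 1) + hidden          # constructed SPI and sequence number
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, inner[1] >> 2, len(esp)) + esp

def classify_on_wan(packet):
    """What an output policy on the WAN side can read: DSCP always, ports only in clear text."""
    dscp, proto = packet[1] >> 2, packet[9]
    dport = struct.unpack("!H", packet[22:24])[0] if proto == PROTO_TCP else None
    return {"dscp": dscp, "proto": proto, "dport": dport}

def demo():
    """Return (mark-then-encrypt, encrypt-then-mark) as seen by the WAN-side classifier."""
    gw_a, gw_b = [192, 0, 2, 1], [198, 51, 100, 1]        # constructed tunnel endpoints
    clear = ipv4_header([10, 95, 3, 20], [10, 96, 1, 5], PROTO_TCP, 0, 24) \
        + tcp_segment(40000, SQLNET_PORT, b"data")
    marked_first = classify_on_wan(esp_tunnel(mark(clear, DSCP_TRANSACTIONAL), gw_a, gw_b))
    encrypted_first = classify_on_wan(mark(esp_tunnel(clear, gw_a, gw_b), DSCP_TRANSACTIONAL))
    return marked_first, encrypted_first
```

Marking before encryption leaves DSCP 18 on the outer header for a DSCP-based class to match; marking after encryption finds only protocol 50 and leaves the packet at DSCP 0.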
