
Design guidance: DMVPN over Internet + QoS


For a large customer we've rolled out a pretty large DMVPN network using Internet connections. All is working fine.

We would now like to add some QoS in order to give a certain group of people at the branch a "guaranteed" bandwidth (inbound, seen from the branch).

The branches use local internet breakout.

In deploying QoS we already configured QoS for data from HQ to the Spokes using the service-policies attached to the NHRP groups. This works as well.

Where we are having problems is at the branch internet interface. At this interface common local internet traffic joins the DMVPN traffic. Service-Policies at the HQ do not have any influence or knowledge of the local traffic that enters the router.

How should we apply QoS to traffic inbound at the branch router?

Two things that make it more complicated:

- the branch routers use NME-WAEs and WCCP to "explode" traffic leaving the router; there is no relation between the amount of traffic entering the router from the internet and the traffic leaving the router to the LAN.

- the inbound links vary in bandwidth (satellite or UMTS; the link type depends on wireless coverage, as the branches are mobile (ships)).




Design guidance: DMVPN over Internet + QoS

Hi Erik,

What if you use bandwidth control on the internet interface at your branch?
Say, if you limit it to 2 MB, the packets will drop once the bandwidth usage reaches 2 MB.

Is that what you are looking for?

Please rate the helpful posts.
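To make the two pieces of this thread concrete, here is an added Cisco IOS configuration sketch (not from the original posters): the hub-side per-tunnel QoS keyed on NHRP groups that the question says is already working, and the branch-side ingress policer that the reply above proposes. All names, the ACL contents (a constructed 10.10.10.0/24 user subnet) and the 2 Mbit/s figure are assumptions for illustration.

```cisco
! --- HUB side: per-tunnel QoS keyed on the spoke's NHRP group (what the OP already has working).
! Names, ACL contents and the 2 Mbit/s figure are assumptions for illustration.
ip access-list extended PRIORITY-USERS
 permit ip any 10.10.10.0 0.0.0.255
!
class-map match-all PRIORITY-USERS
 match access-group name PRIORITY-USERS
!
policy-map SPOKE-2M-CHILD
 class PRIORITY-USERS
  bandwidth percent 40
 class class-default
  fair-queue
!
policy-map SPOKE-2M-SHAPER
 class class-default
  shape average 2000000
  service-policy SPOKE-2M-CHILD
!
interface Tunnel0
 ip nhrp map group SPOKE-2M service-policy output SPOKE-2M-SHAPER
!
! --- SPOKE side: the spoke advertises its group; the hub applies the matching shaper.
interface Tunnel0
 ip nhrp group SPOKE-2M
!
! --- SPOKE side: ingress policer on the Internet interface, the "limit to 2 MB and drop"
! idea from the first reply. A packet is dropped only after it has already crossed the
! satellite/UMTS link, so this throttles senders indirectly but cannot reserve inbound bandwidth.
policy-map INET-INGRESS-POLICE
 class class-default
  police cir 2000000 bc 375000
   conform-action transmit
   exceed-action drop
!
interface GigabitEthernet0/0
 description Internet uplink (local breakout + DMVPN)
 service-policy input INET-INGRESS-POLICE
```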


Design guidance: DMVPN over Internet + QoS


The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.


You've already identified the root problem: sharing direct Internet connectivity on the same link used by VPN means you cannot effectively manage VPN quality, since the available link bandwidth is unknown.

What I normally recommend is two Internet connections, one for VPN and one for direct Internet access. An alternative is to provide the branch's Internet access via the VPN. This can add considerable latency for Internet traffic, but it does allow you to manage bandwidth.


A third alternative is your ISP supporting your QoS policy on their side of the link to your branch.