
QoS applied on a tunnel and physical interface

I'm currently stuck with figuring out applying QoS against a tunnel interface, and the physical interface the tunnel will be going over. Due to routing that can't be changed only 1 network is being advertised over the physical interface (e.g. but another network is being sent over the tunnel ( VoIP data is going over the tunnel while everything else is going over the physical interface. I want to limit the total bandwidth to 100 Mbps due to the MPLS circuit only being 100 Mbps (the physical interface is a gig). From my understanding I will need to implement a hierarchical QoS policy to limit everything to 100 Mbps. Then will I apply shaping, policing, and LLQ to the policies for the data I want to apply QoS to? I'm just struggling with how the IOS will understand the difference between the QoS for the tunnel and physical interface and when to apply the QoS rules.


All of this will be done on a Cisco 2960x switch. 


Any help will be greatly appreciated. 

Georg Pauwen
VIP Expert



As far as I recall, you can apply the QoS directly to the tunnel interface (100Mbps in your case):


interface Tunnel0
 ip address
 traffic-shape rate 100000000 25000000 25000000 200000
 tunnel source
 tunnel destination

policy-map TUNNEL_PM
 class class-default
  shape average 100000000 25000000 25000000

interface Tunnel0
 ip address
 service-policy output TUNNEL_PM
 tunnel source
 tunnel destination

Hi Georg,


Thank you for the reply and config. This tunnel config will only impact the traffic going over the tunnel, correct? So traffic going over the physical interface (not the same logical interface, but the same physical interface as the tunnel) won't be impacted and won't have any QoS applied against it. As I'm just hoping to shape and police traffic for both logical interfaces when the physical interface hits 100 Mbps consumption.

Joseph W. Doherty
Hall of Fame Expert

Not 100% positive, but recall 2960x QoS is much like 3560/3750 QoS.  If so, it's much "weaker" than on many platforms that support MQC QoS, like ISRs.  I.e. unsure "hierarchical" policies, or even egress policies are supported.  Shaping may be supported per hardware egress queue and/or the physical interface as a whole, neither though, I believe, defined in a policy, but rather in MLS commands.

Also, don't recall a 2960x can host a tunnel, although it can carry tunnel traffic.

Also, when working with both tunnel traffic (but not at the tunnel interface) the pre-classify command might be needed, but that too, I recall, isn't supported on a 2960x (it would also need to be on the device hosting the tunnel interface).

For QoS purposes, yes when downstream bandwidth is less than the interface you're configuring QoS for, intending to QoS "manage" the downstream bottleneck, generally you'll want to shape for the bottleneck's bandwidth and use a child policy to manage the bottleneck's bandwidth as desired.

Normally, QoS cannot "see" into tunnel encapsulated packets, so in such a situation you cannot "treat" those packets differently based on their contents.  In your case, if the tunnel's packets are strictly VoIP packets, then you can treat them as VoIP vs. all the other traffic.  However you won't be able to "see" the difference between VoIP bearer packets and VoIP control packets.  BTW, by default, Cisco platforms do copy a packet's original IP ToS to the encapsulated packet's ToS. This might be used, if available.

BTW, I'm unsure how to interpret your diagram's bandwidth usage.  What I think you want to do, likely either isn't optimal and/or not possible on a 2960x.
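
Added example, not part of any reply in this thread: the parent shaper with a child policy described above, written as MQC configuration for a platform that supports hierarchical egress policies (the thread leaves open whether the 2960x does). It assumes the tunnel is GRE; the interface name and every ACL, class-map and policy-map name are hypothetical.

```cisco
! Assumption: tunnel packets leaving the physical port are GRE.
! After encapsulation the port only sees the outer header, so the
! tunnel is classified as one flow, not by its inner VoIP contents.
ip access-list extended TUNNEL_OUTER
 permit gre any any
!
class-map match-all TUNNEL_TRAFFIC
 match access-group name TUNNEL_OUTER
!
! Child policy: how the shaped 100 Mbps is divided under congestion.
! "bandwidth" is in kbps and is a minimum guarantee, not a cap:
! either class may use capacity the other leaves idle.
policy-map SPLIT_100M
 class TUNNEL_TRAFFIC
  bandwidth 30000
 class class-default
  fair-queue
!
! Parent policy: shape everything leaving the gig port to the
! 100 Mbps MPLS circuit rate, then queue inside it with the child.
policy-map SHAPE_TO_CIRCUIT
 class class-default
  shape average 100000000
  service-policy SPLIT_100M
!
! Hypothetical interface name: the physical port facing the circuit,
! which is also the tunnel's source interface.
interface GigabitEthernet0/1
 service-policy output SHAPE_TO_CIRCUIT
```

Because the policy sits on the physical port, it covers both the tunnel's encapsulated packets and the traffic routed directly over the port, so the 100 Mbps total applies to the two together.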


Hi Joseph,


Thank you for the reply, I can confirm that the 2960x switch supports tunnels and QoS with class and policy maps. Looking at my diagram it doesn't make much sense, but what I'm just hoping to do is limit the bandwidth of the tunnel down to 30 Mbps, and data going over the physical interface (same interface the tunnel will be using as source and dest) will be limited to 70 Mbps. I don't actually mind about LLQ anymore, just want a straight up 100 Mbps on the physical interface, and divide that between the tunnel data and normal physical interface tunnel.

What IOS is running on your 2960x?  (Earlier 2960s also supported, I recall, class and policy maps, but for ingress, but not for egress.  Of course, the 2960X is a later model in the 2960 series and/or a newer IOS version might support MQC for egress too.)

Is your physical interface running at 100 Mbps?

Hi Joseph,


The switch is running 12.2(55r)SE. I can confirm it supports both ingress and egress policy maps. The physical interface is running at 1 Gb. I could reduce this to 100 Mbps but I still need to put some QoS in place to support allocation of bandwidth for VoIP and normal data.