QoS for VOIP over VPN

qasimkhans8 · ‎02-20-2016

I have setup QoS for VOIP over VPN crypto map on both HQ router and branch office router, will HQ-Router be prioritize RTP traffic coming in and going out the network? or it will be only prioritize RTP traffic going out the network? same question for Branch office Router.
if it will be only prioritize RTP traffic going out the network, then i have to create another class-map and policy-map for prioritize RTP traffic coming in the network? like Branch office Router sends prioritize RTP traffic and HQ-Router receives it and handle it on priority.please help. thanks.

following is my config

HQ-Router

class-map match-all VPN-Voice
match protocol rtp

policy-map VPN-VOIP
class VPN-Voice
set dscp ef
priority 5000
class class-default
fair-queue

crypto map vpn 1 ipsec-isakmp
set peer 116.x.x.x
set transform-set VPNSET
match address acl_vpn
qos pre-classify

interface FastEthernet0/0/1
ip address 50.x.x.x 255.255.255.248
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in

duplex auto
speed 100
crypto map vpn
service-policy output VPN-VOIP

Branch-Office-Router

class-map match-all ITC-Voice
match protocol rtp

policy-map ITC-VOIP
class ITC-Voice
set dscp ef
priority 1500

class class-default
fair-queue

crypto map vpn 1 ipsec-isakmp
set peer 50.x.x.x
set transform-set VPNSET
match address acl_vpn
qos pre-classify

interface FastEthernet0/0/0
ip address 116.x.x.x 255.255.255.248
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn
service-policy output ITC-VOIP

Joseph W. Doherty · ‎02-21-2016

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You can only "prioritize" traffic on a congested egress interface.

If you configuration, I'm unsure match protocol RTP will work on tunnel traffic. It should if it only matches protocol and ports, which your QoS pre-classify will "shadow". If it doesn't, you can match protocol upon ingress, tag the packet, and match the tag on egress.

PS:

BTW, egress QoS prioritization requires "congestion", and often with VPN, end-to-end bandwidth is often less than VPN routers' port bandwidths. If so, you'll need to shape. (Oh, I haven't used it, but one of the later DMVPN versions supports adaptive shaping.)

PPS:

If you equipment supports it, you might also consider using VTI tunnels rather than the other crypto maps.

qasimkhans8 · ‎02-22-2016

Do i need to create another class-map and policy-map for incoming RTP over VPN traffic?

Joseph W. Doherty · ‎02-22-2016

The ingress I had in mind would be as the traffic enters the VPN router.

You would likely need a different policy, but should be able to use the existing class-map for matching RTP.

qasimkhans8 · ‎02-22-2016

i tried but i get following message,

Low Latency Queueing feature not supported in input policy.

Joseph W. Doherty · ‎02-22-2016

LLQ is a queuing feature, and queuing features only work in output polices.

What I was suggesting, was an ingress policy that identifies and marks your RTP traffic. Then your egress policy can treat traffic based on its ToS marking (generally, Cisco encryption copies original packet's ToS to encapsulated header).