05-26-2017 05:23 PM - edited 03-08-2019 10:45 AM
How can I do QoS for VPN traffic? I have already done qos pre-classify in the crypto map. Will the following work?
Assuming the remote network is 192.168.10.0/24 and the total available bandwidth is 4Mb/s, I want to give 1Mb/s to other traffic and reserve the remaining for the VPN.
What I am a little confused about is the service-policy on the inside interface. Is that bad practice?
class-map vpn
 match access-group 199
!
policy-map f0-in
 class vpn
  ...
 class class-default
  police cir 1000000
   conform-action transmit
   exceed-action drop
   violate-action drop
!
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 service-policy input f0-in
!
interface FastEthernet1
 ip address 12.34.56.78 255.255.255.0
 ip nat outside
 service-policy input f1-in
!
access-list 199 permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
05-26-2017 05:35 PM
You usually want it on the outbound interface.
Here is an example going onto a WAN interface with 4Mb/s of actual bandwidth, but that has a much higher physical link speed.
class-map match-any cm-qos-voice
 match ip dscp ef
class-map match-any cm-qos-scavenger
 match ip dscp cs1
class-map match-any cm-qos-critical-data
 match ip dscp cs6
 match ip dscp af21 af22
 match ip dscp cs2
class-map match-any cm-qos-call-signalling
 match ip dscp cs3
 match ip dscp af31
!
! Child policy: queueing inside the shaped rate. The percentages are of
! the parent shaper's 4Mb/s and add up to 100. "priority" is LLQ, so voice
! is also policed to 33% whenever the interface is congested.
policy-map pm-QoS
 class cm-qos-voice
  priority percent 33
 class cm-qos-call-signalling
  bandwidth percent 5
 class cm-qos-critical-data
  bandwidth percent 36
 class cm-qos-scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  fair-queue 512
  queue-limit 1024 packets
!
! Parent policy: shape to the 4Mb/s the carrier actually delivers, so the
! queueing happens in this router rather than in the carrier's buffers.
policy-map pm-WAN
 class class-default
  shape average 4000000
  service-policy pm-QoS
!
interface GigabitEthernet a/b/c
 service-policy output pm-WAN
05-26-2017 05:36 PM
PS. If you use the above approach, mark the traffic coming into the router (if it is not already marked - and voice packets are usually already marked).
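An added example of the marking step (not part of the thread and not Philip's configuration): an input policy on the inside interface that sets the DSCP values the pm-QoS class-maps above key on. The LAN subnet 10.10.10.0/24 and FastEthernet0 come from the question; the phone subnet 10.10.20.0/24, SIP on port 5060, the RTP range 16384-32767 and the HTTPS "critical" application are assumptions for illustration. The security point is the trust boundary: an input policy that simply honours whatever DSCP a PC sets would let any host mark its bulk transfers EF and ride the priority queue, so voice is identified by source subnet and ports and everything else is reset to best effort.

```cisco
! Added example, not from the original posts.
! Classify and mark on the inside interface as packets ENTER the router,
! so the WAN-side shaper (pm-WAN / pm-QoS) has DSCP values to queue on.
!
! Assumed addressing (not in the thread): phones in 10.10.20.0/24,
! SIP signalling on 5060, RTP media in UDP 16384-32767, and HTTPS to the
! remote site 192.168.10.0/24 treated as critical data.
!
ip access-list extended acl-voice-rtp
 permit udp 10.10.20.0 0.0.0.255 range 16384 32767 any
!
ip access-list extended acl-voice-signalling
 permit udp 10.10.20.0 0.0.0.255 any eq 5060
 permit tcp 10.10.20.0 0.0.0.255 any eq 5060
!
ip access-list extended acl-critical-data
 permit tcp 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 443
!
class-map match-any cm-mark-voice
 match access-group name acl-voice-rtp
class-map match-any cm-mark-signalling
 match access-group name acl-voice-signalling
class-map match-any cm-mark-critical
 match access-group name acl-critical-data
!
! Marks line up with the class-maps in pm-QoS: EF voice, CS3 signalling,
! AF21 critical data. class-default resets anything a host marked itself,
! so an untrusted PC cannot promote its own traffic into the LLQ.
policy-map pm-LAN-mark
 class cm-mark-voice
  set dscp ef
 class cm-mark-signalling
  set dscp cs3
 class cm-mark-critical
  set dscp af21
 class class-default
  set dscp default
!
interface FastEthernet0
 description Inside / LAN (assumed from the question)
 service-policy input pm-LAN-mark
```

Note on the interaction with the VPN: IOS IPsec copies the inner DSCP into the outer ESP header by default, so the DSCP-based classes in pm-QoS on the WAN interface see these marks even on encrypted packets. The qos pre-classify command the question mentions is needed only when the outbound classifier has to look at inner addresses or ports (as access-list 199 does), not for DSCP matching.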
05-26-2017 06:28 PM
Thank you Philip.
I have already done it on the outbound interface. Voice packets are being marked and queued correctly. But the problem is when other traffic on the inbound increases, VPN traffic is affected and so is voice quality. I need to somehow reserve bandwidth on the inbound interface for VPN traffic.
05-26-2017 07:50 PM
Oh I see.
First, let's get the basic thing out of the way: once we have already received the traffic it has already caused the congestion, so we cannot deal with it effectively.
Now pragmatically, yes, do what you are doing. I like to do that on the inside interface facing towards the users: police everything outbound that is not VoIP traffic down to a smaller value, like 3Mb/s. It will mean that non-VoIP traffic will never be able to use all the bandwidth you have available - but hey, people also like their phones to work.
Doing it on the inside interface (instead of the outside interface) means you won't accidentally hurt other important traffic - such as traffic needed to rebuild the VPN when the SA expires.
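An added example of the approach Philip describes (my configuration, not his or the original poster's): an output policy on the inside interface that lets voice through untouched and polices everything else to 3Mb/s. Packets leaving FastEthernet0 toward the users are the packets that just arrived from the WAN, so dropping the excess here makes far-side TCP senders back off and leaves inbound WAN capacity for the tunnel and the voice inside it. The 4Mb/s WAN and FastEthernet0 come from the question; the 3Mb/s figure is Philip's; the 250ms burst, the class names and the assumption that decrypted voice still carries EF/CS3 are mine.

```cisco
! Added example, not from the original posts.
! Police non-voice traffic as it leaves the INSIDE interface toward the
! users. This is post-decryption traffic, so the inner DSCP is visible;
! ESP preserves the inner DSCP on the payload packet.
!
! Assumptions (not in the thread): voice arrives marked EF (media) and
! CS3 (signalling); FastEthernet0 is the inside interface from the question.
!
class-map match-any cm-voice-trusted
 match ip dscp ef
class-map match-any cm-signalling-trusted
 match ip dscp cs3
!
policy-map pm-LAN-out
 ! Voice classes carry only a harmless re-mark: their purpose is to take
 ! EF/CS3 out of class-default so the policer below never sees them.
 class cm-voice-trusted
  set dscp ef
 class cm-signalling-trusted
  set dscp cs3
 class class-default
  ! 3Mb/s single-rate two-colour policer. bc is in bytes:
  ! 3000000 b/s * 0.25 s / 8 = 93750 bytes (250ms of burst).
  police cir 3000000 bc 93750
   conform-action transmit
   exceed-action drop
!
interface FastEthernet0
 description Inside / LAN (assumed from the question)
 service-policy output pm-LAN-out
```

Why this cannot break the tunnel, which is Philip's point about the inside interface: IKE (UDP 500/4500) and ESP are addressed to the router's own WAN address, so they terminate on the router and are never forwarded out FastEthernet0; this policy simply never sees them. A policer applied inbound on the WAN interface would have to carve exceptions for them or risk dropping the rekey. One caveat: the back-off effect only works for TCP. A UDP bulk stream from the far side is dropped on the inside interface but still consumed its share of the 4Mb/s on the way in, so this is a mitigation, not a reservation.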