Re: Applying QoS to VPN Traffic

Hassan Mwangi · ‎10-05-2009

Hi,

Am planning to deploy VPN from a clients HQ where i have proposed either ASA 5520 firewall and 2800 series routers for three others branches. This will be site-to-site VPN with the HQ as the hub.

The client want us to reserve a specific bandwidth e.g like 128kbps for the IPSec tunnel.

How possible is this? Can this be done on a router? Can this be done in an ASA?

If its possible, how is it done?

tprendergast · ‎10-05-2009

If you want to reserve 128kbps for the tunnel, then you must do it on your edge routers or any upstream device between your two ASAs.

See this document for configuring QoS on 12.4 routers (or browse to your IOS version):

http://www.cisco.com/en/US/customer/docs/ios/qos/configuration/guide/12_4/qos_12_4_book.html

On a side note, you can do QoS both in/out of your ASA as well as across your VPN tunnel:

In/Out of ASA: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

Across tunnel: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

Hope that helps. Please rate if this sent you on the right path.

Cheers,

Tim

Hassan Mwangi · ‎10-05-2009

Hi Tim,

Thanks. It was a nice insight but seems to incline more to voice. I want to apply this to any traffic going through the VPN tunnel.

One more question. Whats the best option for this scenario. Do i got ahead the ASA or go with the ISR routers for the proposed WAN solution.

There is no voice going over this tunnel. Just normal data as they want to run their applications across this WAN. So the design should be in such a way that, this reserved bandwidth should be used for any tunneled traffic.