VoIP over VPN using QOS Tunnel


All, I have set up a VPN tunnel on a Cisco 871 from a remote site to our VPN hub.

The remote site has 1 VLAN with both phone and PC on that VLAN. I have attached the remote end config. Voice calls work; however, I can't guarantee that my QoS is working for voice traffic. I have a 512kbps link to the internet.

My questions are:

1) Is voice traffic being distinguished from data traffic?

2) Should I create separate VLANs for voice and data?

ip cef

ip dhcp pool mypool
 netbios-node-type h-node
 domain-name xxxx.com
 lease 14

multilink bundle-name authenticated

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Telecom address xxx.xxx.xxx.xxx

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to VPN-HUB
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 100

class-map match-any Call-Setup
 match ip dscp cs3
 match ip dscp af31
class-map match-all Voice
 match ip dscp ef

policy-map LLQ
 class Voice
  priority 128
 class Call-Setup
  bandwidth percent 2
 class class-default

policy-map Traffic-Shaper
 class class-default
  shape average 512000
  service-policy LLQ

interface Tunnel0
 ip address
 ip mtu 1420
 qos pre-classify
 tunnel source FastEthernet4
 tunnel destination xxx.xxx.xxx.xxx
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1

interface FastEthernet0

interface FastEthernet1

interface FastEthernet2

interface FastEthernet3

interface FastEthernet4
 description Connection to Internet$ETH-WAN$
 !Registered IP address
 ip address xxx.xxx.xxx.xxx
 ip tcp adjust-mss 542
 speed 10
 crypto map SDM_CMAP_1
 service-policy output Traffic-Shaper

interface Vlan1
 description Connection to LAN$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address
 ip tcp adjust-mss 1452

router rip
 version 2

Overall Rating: 5 (1 ratings)
Paolo Bevilacqua Wed, 06/25/2008 - 05:45


You don't need and can't even use separate VLANs on the VPN. Your QoS config appears correct and should do the best possible.

Only, you don't need ip tcp adjust-mss 542 under FA4. You could use something like 1380, but on VLAN1 instead.

The only other improvement I can think of: if this is an ADSL circuit, use an 877 instead, so you can see the real circuit and avoid the need for a QoS child service-policy.

Please rate if it helps!
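
One way to check question 1 offline, as an added example that is not part of the original posts: the class-maps in the posted config match only on DSCP, so voice is distinguished from data only if packets reach the router already marked EF (or CS3/AF31 for call setup). The sketch below classifies raw IPv4 headers the same way; the helper names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

# DSCP code points named in the posted class-maps (standard values).
DSCP = {"ef": 46, "cs3": 24, "af31": 26}
# Mirrors the posted class-maps: Voice (ef), Call-Setup (cs3 or af31).
CLASS_MAPS = [("Voice", {DSCP["ef"]}),
              ("Call-Setup", {DSCP["cs3"], DSCP["af31"]})]

def dscp_of(packet: bytes) -> int:
    """Return the 6-bit DSCP from a raw IPv4 packet (ToS is header byte 1)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1] >> 2  # upper 6 bits are DSCP, lower 2 bits are ECN

def classify(packet: bytes) -> str:
    """First matching class wins, as in a policy-map; else class-default."""
    value = dscp_of(packet)
    for name, code_points in CLASS_MAPS:
        if value in code_points:
            return name
    return "class-default"

def tally(packets) -> Counter:
    """Count packets per class, e.g. over headers exported from a capture."""
    return Counter(classify(p) for p in packets)

def ipv4(tos: int, proto: int = 17) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))

# Constructed sample: two RTP packets marked EF (ToS 0xB8), signalling marked
# CS3 (0x60) and AF31 (0x68), a PC flow (0x00), and RTP that arrives unmarked.
SAMPLE = [ipv4(0xB8), ipv4(0xB8), ipv4(0x60, 6), ipv4(0x68, 6),
          ipv4(0x00, 6), ipv4(0x00)]

if __name__ == "__main__":
    for name, count in tally(SAMPLE).items():
        print(f"{name:14} {count}")
```

The last sample packet shows the failure case: RTP from a phone that does not mark EF falls into class-default and gets no priority treatment.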

