QoS - on VPN

Aug 19th, 2009


A site-to-site VPN is configured with a GRE tunnel, with and without IPsec. Traffic going through the tunnel is selected by a simple access-list with source subnet and destination subnet. QoS needs to be applied so that SSH traffic between these two subnets gets a definite 1000 kbps of bandwidth.

The serial interface, an E1, is the source of the tunnel, and the router at the other end of the tunnel also uses an E1.

Where and how should the qos pre-classify and policy output commands be applied, and why?

ToS marking is default on all interested packets.

The config can be:

class-map ssh
 match protocol ssh
policy-map secure-shell
 class ssh
  ! value is in kbps
  bandwidth 1000
int tunn 0
 tunn source s0
 ip add / 24
 tunn dest ( other end of tunnel )
 ! shall we apply qos pre-classify here?
int s0
 ip add ....
 service-policy output secure-shell

Please share your experience.

Thanks in advance


sunsrini (Cisco Employee) Fri, 08/21/2009 - 11:10

You are trying to use NBAR for QoS classification, and that's not supported with IPsec or GRE.

You can either mark this traffic on the LAN interface using a specific ToS and use that for QoS classification, or use an ACL for specific source/destination hosts for the QoS classification.
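
The two alternatives from the reply above, written out as an added IOS configuration sketch that is not part of the original posts; the subnets 10.1.1.0/24 and 10.2.2.0/24, the ACL and policy names, the LAN interface FastEthernet0/0 and the AF21 marking are assumptions chosen for illustration. With the output policy on the serial interface, packets are already encapsulated when they are classified, so an ACL match on inner addresses needs qos pre-classify on the tunnel, while a ToS/DSCP match does not because the ToS byte is copied to the outer header.

```cisco
! Constructed example: subnets, names, LAN interface and DSCP value are assumptions.
ip access-list extended SSH-TUNNEL
 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 22
 permit tcp 10.1.1.0 0.0.0.255 eq 22 10.2.2.0 0.0.0.255
!
! --- Alternative 1: classify with the ACL on the inner (pre-tunnel) header ---
class-map match-all ssh
 match access-group name SSH-TUNNEL
!
policy-map secure-shell
 class ssh
  bandwidth 1000
!
interface Tunnel0
 ! keep a copy of the original header so the output policy can match on it
 qos pre-classify
!
interface Serial0
 service-policy output secure-shell
!
! --- Alternative 2: mark on the LAN side, classify on the marking ---
class-map match-all ssh-lan
 match access-group name SSH-TUNNEL
!
policy-map mark-ssh
 class ssh-lan
  set ip dscp af21
!
interface FastEthernet0/0
 service-policy input mark-ssh
!
class-map match-all ssh-marked
 match ip dscp af21
!
policy-map secure-shell-dscp
 class ssh-marked
  bandwidth 1000
!
! Only one output policy per interface: this replaces secure-shell on Serial0.
interface Serial0
 no service-policy output secure-shell
 service-policy output secure-shell-dscp
```

When IPsec is applied with a crypto map, qos pre-classify is also configured under the crypto map entry.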

