Internet vs. VPN traffic QoS

Jun 8th, 2010

I'm currently experiencing a lot of traffic congestion on my link to the internet that causes congestion, resulting in packet loss and latency for the VPN traffic.  It's a fiber link, 10MB synchronous with a media converter that goes from fiber to Ethernet.  Currently there is an unmanaged switch and I would like to replace it with a managed switch.  The VPN is site to site, and I would prefer to be able to apply priority based on IP address as many sites link into our VPN, some requiring more bandwidth than others.  All static IPs.

WAN IP address of firewall -
WAN IP address of VPN device -

What I would like to do is force all traffic coming in and going out for the VPN to have priority over the firewall which is used for regular internet connectivity.  I'd like to buffer as much as I can on ingress and egress to avoid packet loss.  I've been reading about the bandwidth and priority commands, as well as MQC, but am not sure which direction I should take.  I do not currently have a switch purchased for this purpose as I realize there are different QoS applications for different devices.  Could someone advise the best path for me to take as I'm fairly new to QoS?  Thanks.

gatlin007 Tue, 06/08/2010 - 08:59

In order to have powerful Queuing capabilities facing your 10Mbps internet circuit it should be faced with a router vs. a switch.  Routers have much more granular queuing strategies for low bandwidth links and especially links with a purchased rate lower than the framed rate. 

If the circuit is faced with a router you could use something like the following.

class-map match-any IPSEC
 match protocol ipsec
 ! may need an ACL that matches ESP traffic if ipsec isn't available as a protocol in a class-map

policy-map Inet-Egress
 class IPSEC
  bandwidth percent 65
 class class-default
  bandwidth percent 10

interface FastEthernet x/x
 service-policy output Inet-Egress

The percentages are not hard limits in CBWFQ.  They are more of a ratio and only enforced during periods of congestion.  By default the sum of the percentages should not exceed 75%.

This document is useful

Christopher Gatlin

megangrubb Tue, 06/08/2010 - 09:05

Hi Christopher

Thank you for the response.  I completely forgot about the VPN traffic being encrypted...  With that being said, does this mean I would not be able to apply priority based on IP?  We have several SSL tunnels to remote sites, and there are some whose bandwidth I don't want to guarantee.

Do you have a recommendation as to which router I should look at?


gatlin007 Tue, 06/08/2010 - 09:34

A couple routers to consider may be the 1941 or a 2900 series.  Find the data sheets on Cisco’s website and ensure the platform will meet your expectations.

If you want to queue encrypted traffic based on destination IP addresses you could fashion an ACL matching SSL or ESP traffic to that specific remote tunnel endpoint. 

The problem comes if you want to queue certain traffic differently within that tunnel.  Unfortunately once a packet is encrypted a downstream network device can’t look into the original TCP/IP header.  If the tunnel is terminated on your Internet router you may use the ‘qos pre-classify’ command that enables a queuing decision before the packet gets encrypted.

If you do choose to move the tunnel(s) to your internet router make sure you purchase the ‘advanced security feature set’.

Christopher Gatlin
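The two answers above (CBWFQ on an internet router, and an ACL that matches the encrypted traffic to each remote tunnel endpoint) combined into one worked IOS configuration. This is an added example, not configuration from the thread; the peer addresses 192.0.2.10 and 192.0.2.20, the interface name and the percentages are placeholders, and it assumes a 10 Mbps purchased rate on a faster framed link.

```cisco
! Match only the encrypted tunnel traffic (ESP and IKE) to each remote
! VPN peer. Peer addresses are placeholders from the documentation range.
ip access-list extended VPN-SITE-A
 permit esp any host 192.0.2.10
 permit udp any host 192.0.2.10 eq isakmp
 permit udp any host 192.0.2.10 eq non500-isakmp
 ! if site A uses an SSL VPN instead of IPsec, match the TLS port instead:
 ! permit tcp any host 192.0.2.10 eq 443
ip access-list extended VPN-SITE-B
 permit esp any host 192.0.2.20
 permit udp any host 192.0.2.20 eq isakmp
 permit udp any host 192.0.2.20 eq non500-isakmp

class-map match-all VPN-SITE-A
 match access-group name VPN-SITE-A
class-map match-all VPN-SITE-B
 match access-group name VPN-SITE-B

! Child policy: CBWFQ shares. These are ratios enforced only under
! congestion; the sum stays within the default 75% ceiling.
policy-map VPN-QUEUES
 class VPN-SITE-A
  bandwidth percent 40
 class VPN-SITE-B
  bandwidth percent 25
 class class-default
  bandwidth percent 10

! Parent policy: shape to the purchased 10 Mbps so that congestion, and
! therefore queuing, happens on this router rather than in the provider's
! network where you have no control over drops.
policy-map INET-EGRESS
 class class-default
  shape average 10000000
  service-policy VPN-QUEUES

interface GigabitEthernet0/0
 description Link to fiber media converter (placeholder interface)
 service-policy output INET-EGRESS
```

Verify with "show policy-map interface GigabitEthernet0/0" that packets are landing in the intended class and that drops, when they occur, are in class-default rather than the VPN classes.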

megangrubb Tue, 06/08/2010 - 09:57

I'm not looking to queue traffic within the tunnels, so that should be OK.

I'll take a look at the 1941 and 2900 series and see if they will meet my expectations.  This is a very basic question, but I'm not going to actually have to do routing with the device, will I?  Should be OK to merely use the switching mechanism of the router, correct?  I have no experience with the routers, just switches.

gatlin007 Tue, 06/08/2010 - 10:43

The forwarding decision from the router would be based on routing vs. switching.

There are options.  I’m sure there’s a non-intrusive solution that would require just a couple static routes and still enable you to use the powerful queuing mechanisms available.

This router would be a capital investment and brings lots of functionality.  It may be that you could realize a lot of efficiencies by redesigning your network at layer three to complement the capabilities of an internet/WAN router.

Christopher Gatlin

megangrubb Tue, 06/08/2010 - 11:07

Thanks for the help, I greatly appreciate it

If I can tie this into my existing core infrastructure and do an upgrade, I *may* be able to sell the solution as we currently have a layer 3 switch doing our routing, yuck.

If I can't sell the router concept, is there any way I could do this with a 2960?

gatlin007 Tue, 06/08/2010 - 15:56

QoS features on the Catalyst 2960 switch are geared toward LAN functionality.   It does well for queuing traffic based on the framed rate.   You may be able to find a solution with the 2960 where you set an interface speed to 10Mbps and utilize the shaped round robin queues.

On the 2960 DSCP transparency is enabled that will map an IP DSCP value (IP Header TOS Byte) to a COS value (802.1p bits in a dot1q header).   Based on this the COS value can be mapped to a specific interface egress hardware queue that will guarantee an amount of bandwidth; unused bandwidth is wasted.  This approach is not as flexible as the router CBWFQ schemes that dynamically allocate bandwidth based on current utilization; unused bandwidth can be consumed during idle times.

The LAN switch approach only works for the framed rate.  If you upgrade to a 20Mbps internet circuit and must bump the framed rate up to 100Mbps to support it, you won’t be able to shape to the purchased rate of 20Mbps and queue within the purchased rate on a LAN switch.

Christopher Gatlin
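The 2960 approach described above as a worked configuration: mark the VPN device's encrypted traffic on ingress, map that DSCP value to an egress queue, pin the uplink port to 10 Mbps so the switch queues at the purchased rate, and give that queue the largest share. This is an added example, not configuration from the thread; port numbers and queue weights are placeholders, and it assumes the VPN device and the media converter hang off two copper ports of the same 2960.

```cisco
! Enable QoS globally; without this the 2960 passes traffic through a single queue.
mls qos

! Mark tunnel traffic (ESP and IKE) arriving from the VPN device as EF (DSCP 46).
ip access-list extended VPN-TUNNEL
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp

class-map match-all VPN
 match access-group name VPN-TUNNEL

policy-map MARK-VPN
 class VPN
  set dscp ef

interface GigabitEthernet0/2
 description To VPN device (placeholder port)
 service-policy input MARK-VPN

! Send DSCP 46 to egress queue 1; everything else stays in the default queue.
mls qos srr-queue output dscp-map queue 1 threshold 3 46

interface GigabitEthernet0/1
 description To fiber media converter (placeholder port)
 ! Clamp the port to the purchased rate so the egress queues see congestion
 ! here instead of the provider dropping excess silently.
 speed 10
 duplex full
 ! Shared round robin weights for queues 1-4: queue 1 (VPN) gets the largest
 ! share. Unlike router CBWFQ, an idle queue's share is not lent out.
 srr-queue bandwidth share 60 20 10 10
```

"show mls qos interface GigabitEthernet0/1 statistics" shows per-queue enqueue and drop counters, which is the quickest way to confirm the VPN traffic is landing in queue 1.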

argnetworking Wed, 06/09/2010 - 20:10

What about a packet shaper for your internet connection?

In my case I have a Packeteer sitting at the entrance of my link and I can control how much bandwidth each IP can use. In your case you can control your total bandwidth and free some for the VPN, even make reservations for your VPNs.

Of course a combination of multiple devices would be better (QoS inside and shaping outside).
