How to prioritize my vpn traffic passing through my router



I have got a WAN router before the PIX for WAN connectivity. My branch routers are sending critical applications through an encrypted tunnel directly to the PIX.

I have an intermediate WAN router before the PIX where I want to prioritize my encrypted data. Please let me know whether I can prioritize the encrypted traffic in the WAN router.

I am unable to see the source and destination traffic at the WAN router to prioritize the encrypted traffic in the legacy method.


Lei Tian Tue, 09/28/2010 - 04:14


You can classify the traffic on the LAN interface before encryption and set the DSCP value. The DSCP will be copied to the ESP or GRE header by default; then you can set your QoS policy based on the DSCP.


Lei Tian
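The marking scheme Lei Tian describes, written out as an added IOS configuration example (not configuration from the original thread or from Cisco documentation). It assumes the branch router encrypts the traffic, that the branch LAN is 10.10.0.0/24 and the HQ LAN is 10.20.0.0/24, that the critical application uses TCP ports 3200-3299, and that AF31 is the chosen DSCP; interface names are placeholders. The inner DSCP is copied to the outer ESP header when the branch router encrypts, so the intermediate WAN router can match on it even though it cannot see the inner addresses or ports.

```cisco
! ===== Branch router: mark on the LAN (cleartext) side, before encryption =====
! Assumed addresses and ports; replace with your own.
ip access-list extended CRITICAL-APPS
 remark Critical application flows from branch LAN to HQ LAN
 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 range 3200 3299
!
class-map match-all CM-CRITICAL
 match access-group name CRITICAL-APPS
!
policy-map PM-MARK-LAN
 class CM-CRITICAL
  set dscp af31
 class class-default
  set dscp default
!
interface GigabitEthernet0/1
 description Branch LAN - ingress marking happens here, before the crypto map
 service-policy input PM-MARK-LAN
!
! The router copies the inner DSCP (AF31) into the outer IP header of the ESP
! packet by default, so the mark is visible to every hop on the WAN path.

! ===== Intermediate WAN router: queue the ESP packets by the copied DSCP =====
! It never decrypts anything; it only trusts the DSCP carried on the outer header.
class-map match-all CM-CRITICAL-ENCRYPTED
 match dscp af31
!
policy-map PM-WAN-OUT
 class CM-CRITICAL-ENCRYPTED
  bandwidth percent 40
 class class-default
  fair-queue
!
interface Serial0/0/0
 description WAN uplink toward the branches
 service-policy output PM-WAN-OUT
!
! Verification: confirm packets are landing in the expected class.
! show policy-map interface Serial0/0/0
```

Two caveats worth checking: the marking must be applied on the interface the packets enter on before encryption (the LAN side), and because the WAN router trusts the outer DSCP, only mark on devices you control; an untrusted peer could otherwise set AF31 itself and claim the reserved bandwidth.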

gatlin007 Tue, 09/28/2010 - 08:05

If I understand correctly, you'd like to prioritize business-critical traffic on the WAN router that's inside an IPSEC tunnel? For example, SAP traffic may be queued more favorably than Exchange traffic?

If this IPSEC tunnel is terminated on a downstream PIX, such as in the diagram, then the router will have no awareness of the difference of packets within the tunnel. Once the IPSEC traffic gets to the router, the layer 4 information isn't visible and has the same source/destination IP addresses.

If the tunnel termination point is moved to the WAN router, then the technique described by Lei Tian would be optimal. Consider terminating WAN tunnels on routers in order to have dynamic routing and powerful queuing options.


gatlin007 Tue, 09/28/2010 - 11:00

PIX/ASA Code 7.2 and later supports the following QoS features:

Priority Queue

There are some caveats if this traffic belongs to an IPSEC tunnel. This is the 7.2 QoS config guide:

You may be able to be creative with what's available to achieve your goals. Keep in mind that the single priority queue was specifically designed for voice traffic.

In regard to queuing ESP traffic on the router, this is possible. Tunnel traffic can be queued based on tunnel endpoint addresses; queuing traffic within the tunnel would not be possible. I know the following link is generally not exciting material for humans, but this guide will be very valuable to you. You'll notice how much more powerful a router is in regard to QoS.

There are many folks in this community that are very knowledgeable on the specifics.
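The endpoint-based approach gatlin007 describes, as an added IOS configuration example for the intermediate WAN router when the tunnel still terminates on the PIX (this is not configuration from the thread or from Cisco documentation). It assumes the PIX outside address is 192.0.2.10, the branch routers' public addresses fall in 198.51.100.0/24, and that NAT traversal may be in use (UDP 4500); interface names are placeholders. Matching on the tunnel endpoints gives the whole tunnel a bandwidth guarantee but, as the post says, cannot distinguish applications inside it.

```cisco
! ===== Intermediate WAN router: classify the tunnels by their endpoint addresses =====
! Assumed addresses; replace with the real PIX and branch public addresses.
ip access-list extended VPN-TUNNELS
 remark ESP in both directions between the branches and the PIX
 permit esp 198.51.100.0 0.0.0.255 host 192.0.2.10
 permit esp host 192.0.2.10 198.51.100.0 0.0.0.255
 remark IPsec over UDP 4500 if NAT traversal is negotiated
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 4500
 permit udp host 192.0.2.10 eq 4500 198.51.100.0 0.0.0.255
 remark ISAKMP/IKE keepalives and rekeys, so the tunnels stay up under congestion
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq isakmp
 permit udp host 192.0.2.10 eq isakmp 198.51.100.0 0.0.0.255
!
class-map match-all CM-VPN-TUNNELS
 match access-group name VPN-TUNNELS
!
policy-map PM-WAN-OUT
 class CM-VPN-TUNNELS
  bandwidth percent 50
 class class-default
  fair-queue
!
interface Serial0/0/0
 description WAN uplink - every tunnel gets the guarantee, no per-application split
 service-policy output PM-WAN-OUT
!
! Verification: class counters should increase while the tunnels carry traffic.
! show policy-map interface Serial0/0/0
! show access-lists VPN-TUNNELS
```

Because the router only sees the outer headers, the policy is the same for SAP and Exchange packets inside the tunnel; a per-application guarantee requires marking before encryption (Lei Tian's approach) or terminating the tunnel on the router itself.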


