VPN Traffic QOS

Tyara MM
Level 1

How can I do QoS for VPN traffic? I have already done qos pre-classify in the crypto map. Will the following work?

Assuming the remote network is 192.168.10.0/24 and the total available bandwidth is 4 Mbps, I want to give 1 Mbps to other traffic and reserve the remaining for the VPN.

What I am a little confused about is the service-policy on the inside interface. Is that bad practice?

class-map vpn
 match access-group 199
policy-map f0-in
 class vpn
  ...
 class class-default
  police cir 1000000
   conform-action transmit
   exceed-action drop
   violate-action drop
int fastethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 service-policy input f0-in
int fastethernet1
 ip address 12.34.56.78 255.255.255.0
 ip nat outside
 service-policy input f1-in
! Traffic entering fastethernet0 from the LAN is sourced from 10.10.10.0/24,
! so for an input policy on the inside interface the ACL must be LAN -> remote
access-list 199 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255

4 Replies

Philip D'Ath
VIP Alumni

You usually want it on the outbound interface.

Here is an example going onto a WAN interface with 4Mb/s of actual bandwidth, but that has a much higher physical link speed.

class-map match-any cm-qos-voice
 match ip dscp ef
class-map match-any cm-qos-scavenger
 match ip dscp cs1
class-map match-any cm-qos-critical-data
 match ip dscp cs6
 match ip dscp af21 af22
 match ip dscp cs2
class-map match-any cm-qos-call-signalling
 match ip dscp cs3
 match ip dscp af31

policy-map pm-QoS
 class cm-qos-voice
  priority percent 33
 class cm-qos-call-signalling
  bandwidth percent 5
 class cm-qos-critical-data
  bandwidth percent 36
 class cm-qos-scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  fair-queue 512
  queue-limit 1024 packets

policy-map pm-WAN
 class class-default
  shape average 4000000
  service-policy pm-QoS

interface GigabitEthernet a/b/c
 service-policy out pm-WAN

PS. If you use the above approach, mark the traffic coming into the router (if it is not already marked; voice packets are usually already marked).

Thank you Philip.

I have already done it on the outbound interface. Voice packets are being marked and queued correctly. But the problem is when other traffic on the inbound increases, VPN traffic is affected and so is voice quality. I need to somehow reserve bandwidth on the inbound interface for VPN traffic.

Oh I see.

First, let's get the basic thing out of the way: once we have already received the traffic, it has already caused the congestion, so we can't deal with it effectively.

Now, pragmatically, yes, do what you are doing. I like to do that on the inside interface facing towards the users: police everything outbound that is not VoIP traffic down to a smaller value, like 3 Mb/s. It will mean that non-VoIP traffic will never be able to use all the bandwidth you have available, but hey, people also like their phones to work.

Doing it on the inside interface (instead of the outside interface) means you won't accidentally hurt other important traffic, such as the traffic needed to rebuild the VPN when the SA expires.
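The approach described in this thread, written out as an added example that is not the configuration of either poster: an input policy on the inside interface that leaves voice and VPN-bound traffic alone and polices everything else, so the VPN is never starved of uplink bandwidth. It reuses the question's addressing (LAN 10.10.10.0/24, remote network 192.168.10.0/24) and the 3 Mb/s figure from the reply; the class, ACL and policy names, and the af21 marking (chosen so the WAN policy's critical-data class would queue the VPN traffic), are assumptions.

```ios
! Added example, not from the original posts.
! Packets entering fastethernet0 from the LAN are sourced from 10.10.10.0/24,
! so the ACL for an input policy on the inside interface is written LAN -> remote.
ip access-list extended acl-vpn-bound
 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! Voice and call signalling are assumed to arrive already marked (ef / cs3).
class-map match-any cm-voice
 match ip dscp ef
 match ip dscp cs3
class-map match-all cm-vpn-bound
 match access-group name acl-vpn-bound
!
policy-map pm-inside-in
 class cm-voice
  ! no policer: voice passes untouched and keeps its marking
 class cm-vpn-bound
  ! mark VPN-bound traffic so an outbound WAN policy can queue it
  ! (af21 is an assumed value; pick whatever your WAN policy classes on)
  set ip dscp af21
 class class-default
  ! everything else (Internet-bound, non-voice) is capped below the 4 Mb/s
  ! uplink; the 1 Mb/s left over is what the VPN and voice can always use
  police cir 3000000
   conform-action transmit
   exceed-action drop
!
interface FastEthernet0
 description LAN facing users
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 service-policy input pm-inside-in
```

Confirm the classes are matching as intended with `show policy-map interface FastEthernet0 input`: if the cm-vpn-bound counters stay at zero while the VPN carries traffic, the ACL direction is wrong.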
