New Member

QoS on IPSEC Tunnel

I am piloting a site with IP Phones over an IPSEC tunnel. Because of the Internet, I know my tagging is lost once it leaves the LAN, but want the QOS to be optimized at the very least.

Should the policy map be applied to the gig interface or the tunnel interface?


Re: QoS on IPSEC Tunnel

Check out I think this is what you're looking for (with config examples).

Good luck!


-- -Mark Turpin
Hall of Fame Super Gold

Re: QoS on IPSEC Tunnel

The matter with the approach explained in the WP is that essentially you are limiting bandwidth to tunnels to whatever you believe the Internet performance to be. Traffic in excess is dropped (TCP senders will benefit, however) and a quasi-LLQ is given to voice traffic. If you have no issue with that, then it works fine. But you will never get full circuit capacity, or at least it will need fine-tuning.

New Member

Re: QoS on IPSEC Tunnel

We have been running 10 IP phones on an IPSEC tunnel with QoS, with a centralized CCM deployment, for over a year. We do see occasional voice quality issues, primarily when we see an increase in round-trip times. Some of the things which you should consider in this deployment are:

1. Use LLQ in your QoS policy to prioritize voice traffic.

2. Provide guaranteed bandwidth for signalling traffic to avoid unregistrations of IP phones.

3. Use an ISP which can provide an SLA on latency and packet drops.

4.Use hardware encryption and decryption as much as possible.

Hope this helps




Re: QoS on IPSEC Tunnel

Hi Chris,

I think the URL provided by Mark is a good link,

but the topic discussed there will work only for a static address, a criterion that you know in advance. So what if you don't know the address, or you want to classify your traffic based on other characteristics of the packets such as port numbers, which in this situation will be encrypted, which means you cannot access them!

The solution for such a case is the use of the (QOS pre-classify) command under the tunnel or the crypto map; that command will keep a copy of the packet before it hits the tunnel.

But if you want to classify your traffic by the marking done beforehand by the IP phone or others, here the IOS will automatically copy the TOS field of the original packet to the TOS field of the encapsulating IPSEC packet, so it works without difficulties!


Please do rate if it does clarify.

Hall of Fame Super Gold

Re: QoS on IPSEC Tunnel

Indeed the clean approach is like kamal said: if you directly map between DSCP for packets inside and outside, even if these arrive out of sequence because of queuing in the ISP cloud, IPSEC is smart enough to deal with the cypherstream details and no problem should occur.
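An added example, not posted by anyone in this thread, of an IOS configuration that combines the points raised above: LLQ for voice, guaranteed bandwidth for signalling, a shaper sized to the expected Internet rate, and `qos pre-classify` so the policy on the physical interface can still match inner ports after encryption. All names, the ACL number, the rates, the interfaces and the use of SCCP on TCP 2000 are assumptions to adapt.

```cisco
! Constructed example: class/policy names, ACL 110, rates and
! interface names are assumptions, not values from this thread.
!
! Voice media is matched on the DSCP the phone already set; IOS copies
! the ToS byte to the outer IPsec header, so this needs no pre-classify.
class-map match-all VOICE-RTP
 match dscp ef
!
! Signalling is matched on DSCP or on inner port (assumed SCCP, TCP 2000).
! The port match only works post-encryption because of qos pre-classify.
access-list 110 permit tcp any any eq 2000
class-map match-any VOICE-SIGNALLING
 match dscp cs3
 match dscp af31
 match access-group 110
!
policy-map WAN-QUEUE
 class VOICE-RTP
  ! LLQ: strict priority, policed to 256 kbps under congestion
  priority 256
 class VOICE-SIGNALLING
  ! Guaranteed 32 kbps so phones do not unregister
  bandwidth 32
 class class-default
  fair-queue
!
! Parent shaper: assumed 2 Mbps usable Internet uplink. Queuing in the
! child policy only engages once this rate is reached.
policy-map WAN-SHAPE
 class class-default
  shape average 2000000
  service-policy WAN-QUEUE
!
! Tunnel-interface deployments: keep a copy of the cleartext header.
interface Tunnel0
 qos pre-classify
!
! Crypto-map deployments: same command under the map entry instead
! (map name VPN and sequence 10 are assumed).
crypto map VPN 10 ipsec-isakmp
 qos pre-classify
!
! The policy is attached to the physical egress interface.
interface GigabitEthernet0/0
 service-policy output WAN-SHAPE
```

`show policy-map interface GigabitEthernet0/0` reports per-class match and drop counters, which confirms whether voice and signalling are landing in the intended classes.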
