Providing QOS within a VPN tunnel

I was wondering whether it's possible to provide QOS such as CBWFQ inside a VPN tunnel? To explain things a bit, I'm currently running QOS on a private FR WAN and management is looking at the possibility of migrating to a broadband DSL WAN running over VPN. I'm concerned about all the CBWFQ QOS that I've set up and wanted to know whether it's possible to provide QOS on a VPN tunnel? Thanks in advance for your answer.


Re: Providing QOS within a VPN tunnel

Very doable. If memory serves, as long as you do your prioritizing before the packet is encrypted you should be fine. You will also need a device on the other end doing QoS after the packet is decrypted. Some devices can see the precedence even on an encrypted packet. If you can give a little more info on the proposed hardware and what you already have in place you will probably get more specific information.

Re: Providing QOS within a VPN tunnel

Sorry it took a while to get back to you. It has been a few extremely busy days. Thanks for your reply. I currently have a 3662 at the Central office running ATM and several branches on 1700 and 2620 running FR. To provide QOS, I've configured CBWFQ at both the Central and branch offices. Using a Cisco on-line document outlining a sample config, I've applied application/traffic marking at the Ethernet interface and then applied application/traffic prioritization as outbound. Here is an example of what I did:

class-map match-any Transactional-mark
 description **Transactional Application**
 match protocol sqlnet
 match protocol sqlserver

policy-map QOS-Policy
 class Interactive
  bandwidth percent 20
 class Transactional
  bandwidth percent 20
 class Batch
  bandwidth percent 8
 class Bulk
  bandwidth percent 8
 class OS
  bandwidth percent 8

policy-map QOS-Policy-Mark
 description **Marking and Identifying Applications**
 class OS-mark
  set ip dscp 20
 class Interactive-mark
  set ip dscp 26
 class Transactional-mark
  set ip dscp 18
 class Batch-Mark
  set ip dscp 20
 class Bulk-mark
  set ip dscp 10

interface FastEthernet0/0.3
 description ** Common Server Subnet **
 encapsulation dot1Q 3
 ip address secondary
 ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 ntp broadcast
 service-policy input QOS-Policy-Mark

interface ATM1/0.33 point-to-point
 description *** ATM PVC to Melbourne - 768K CIR/1024 (MFPVC11677003) ***
 mtu 1500
 bandwidth 768
 ip address
 ip nbar protocol-discovery
 ip summary-address eigrp 112 5
 pvc 3/33
  vbr-nrt 1024 768 32
  service-policy output QOS-Policy


What management is asking me to do at the moment is to look into the possibility of providing a WAN based on broadband technology since it's pretty cheap compared to FR/ATM. Obviously I'll have to protect my traffic now that it's exposed to the Internet. One way of protecting the traffic is to run IPSec and hence other stuff came along such as VPN. I've just been back from a Cisco VPN course and was wondering:

1. Wanted to find out HOW to configure CBWFQ QOS that works with VPN

2. Is the Cisco concentrator 3000 able to provide QOS?

Thanks in advance for your answer.
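
The approach from the first reply (mark before encryption, queue the encrypted packets on the outbound interface), applied to the QOS-Policy posted above, as an added example that is not part of the thread. The peer address, ACL, crypto map and transform-set names, interface and 512 kbit/s rate are hypothetical; the output classes are assumed to match the DSCP values set by QOS-Policy-Mark, and ISAKMP phase 1 is assumed to be configured already.

```cisco
! Added example, not from the thread. All names, addresses and rates
! below are hypothetical except QOS-Policy and QOS-Policy-Mark.
!
! Assumption: the output class matches the DSCP that QOS-Policy-Mark set
! on LAN ingress (18 for Transactional-mark). IPsec copies the ToS byte
! to the outer header, so this match still works after encryption.
class-map match-any Transactional
 match ip dscp 18
!
! Parent shaper: a broadband link has no CIR, so shape to the assumed
! uplink rate and run the existing CBWFQ policy as the child.
policy-map VPN-Shape
 class class-default
  shape average 512000
  service-policy QOS-Policy
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! qos pre-classify is needed only if an output class matches inner
! addresses, ports or protocol rather than DSCP.
crypto map BRANCH-VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-AES-SHA
 match address 110
 qos pre-classify
!
interface Ethernet0
 description ** hypothetical DSL-facing interface **
 crypto map BRANCH-VPN
 service-policy output VPN-Shape
```

The NBAR-based marking stays on the LAN-facing interface (service-policy input QOS-Policy-Mark), where traffic is still cleartext, and the far end needs the mirror-image configuration. Queuing reorders packets inside one security association, so watch for IPsec anti-replay drops on the receiving peer.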
