Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

site to site GRE/VPN QoS

i have two 2800's that are running GRE/IPSec site to site VPNs...from the spoke site i would like to markdown/ratelimit down a particular traffic flow destined for the headend....whats the best way to do this?? Can someone show me a template?

basically traffic from destined to at the headend site needs marked down/rate limited....the WAN connections to these 2800s are DSL links...the issue we are having is that with NO QoS when the machines at the spoke site send out images to the hub site, it dramatically slows all other traffic down...we need to stop that...

Thanks in advance


Re: site to site GRE/VPN QoS


looks like qos pre-classify could help you:

ip cef

class match-all RateDown

match ip address 100

access-list 100 permit ip

policy-map Limit

class RateDown

shape average 128000

class class-default



interface Tunnel0

ip address unnumbered Loopback0

qos pre-classify

tunnel ...

interface Serial0

ip address ...

service-policy output Limit

This will limit the traffic described by access-list 100 to 128 kbps. You would need to adjust bandwidth, interface names etc.

qos pre-classify allows the router to match on the original IP header instead of the tunnel header.

Hope this helps! Please rate all posts.

Regards, Martin

New Member

Re: site to site GRE/VPN QoS


Should i do that on both router ends? Obviously inverting the access-list at the headend?

Also im using ethernet interfaces to connect to the cable modems, should i do a bandwidth command on that interface??


Re: site to site GRE/VPN QoS


yes you should do that on both routers.

"bandwidth" is not needed because shaping is done independently of interface bandwidth.

Hope this helps! Please rate all posts.

Regards, Martin

CreatePlease to create content