Cisco Support Community

Confusion with qos over vpn


In an effort to better understand cisco qos configuration, I am doing a test on my router. Right now, all I want to do is match some traffic and give it dedicated bandwidth over my vpn and actually see that it is working. It doesn't seem to be working so far. Maybe someone can spot a problem in my config. Traffic I want to match:

access-list 105 permit ip

Policy stuff:

class-map match-all test
 description test class to see whats going on
 match access-group 105

policy-map policy1
 class test
  priority 96
 class class-default

My outbound internet if:

interface Serial1/0
 ip address x.x.x.x
 serial restart-delay 0
 no cdp enable
 service-policy output policy1

My vpn config:

interface Tunnel0
 description VPN to Tempe
 ip address
 qos pre-classify
 keepalive 300 3
 tunnel source Serial1/0
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile pro-meramont

Traffic is coming into the router on this if:

interface FastEthernet2/0
 ip address
 duplex auto
 speed auto
 no cdp enable

I understand I need that qos pre-classify command to perform the policy routing over the tunnel, but I don't see it happening:

Meramont#sh crypto eng qos
crypto engine name: Multi-VPN Using Virtual Private Network (VPN) Module3/8
crypto engine type: hardware
slot: 3
queuing: enabled
visible bandwidth: 2000 kbps
llq size: 0
default queue size/max: 0/64
interface table size: 32
Serial1/0 (5), iftype 1, ctable size 16, input filter: access-group 105
class test (1/9), match access-group 105
bandwidth 96 kbps, max token 19200
IN match pkt/byte 0/0, police drop 0
OUT match pkt/byte 0/0, police drop 0
class default, match pkt/byte 115051/80548845, qdrop 11
crypto engine bandwidth: total 2000 kbps, allocated 96 kbps

I don't know, maybe I'm not supposed to see it happening in here. But I am definitely getting hits on my access-list:

sh access-list 105
Extended IP access list 105
10 permit ip (424 matches)

I don't really know of any good debug commands to see if the qos is happening, and I am a little confused as to where the packet matching happens. Any help would be appreciated.



Re: Confusion with qos over vpn


The configuration looks fine.

You are doing LLQ. Any queueing, including LLQ, only works when there's congestion and that's the reason why you aren't seeing any packets being prioritized.

You might want to generate more traffic to cause congestion and check whether queueing kicks in.



Re: Confusion with qos over vpn

Thanks, that makes sense.
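
To follow up on the suggestion in the reply, one option is to capture `sh crypto eng qos` before and during a load test and compare the per-class counters. The script below is an added example, not part of the thread; it assumes the output format shown in the original post, the function names are hypothetical, and the counter values in the second capture are constructed.

```python
import re
# Excerpt of the output from the original post above, blank lines collapsed.
SNAPSHOT_IDLE = """\
visible bandwidth: 2000 kbps
Serial1/0 (5), iftype 1, ctable size 16, input filter: access-group 105
class test (1/9), match access-group 105
bandwidth 96 kbps, max token 19200
IN match pkt/byte 0/0, police drop 0
OUT match pkt/byte 0/0, police drop 0
class default, match pkt/byte 115051/80548845, qdrop 11
crypto engine bandwidth: total 2000 kbps, allocated 96 kbps
"""
# Constructed second capture (counter values invented for the example).
SNAPSHOT_LOADED = (SNAPSHOT_IDLE
    .replace("OUT match pkt/byte 0/0", "OUT match pkt/byte 310/41200")
    .replace("115051/80548845, qdrop 11", "131900/92001000, qdrop 57"))

COUNTERS = re.compile(
    r"(?:(IN|OUT) )?match pkt/byte (\d+)/(\d+), (?:police drop|qdrop) (\d+)")

def parse_crypto_qos(text):
    """Return {class name: {counter: value}} from 'sh crypto eng qos' text."""
    classes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"class ([\w-]+)", line)
        if m:
            current = classes.setdefault(m.group(1), {})
        if current is None:
            continue  # engine-wide header lines before the first class
        m = re.match(r"bandwidth (\d+) kbps", line)
        if m:
            current["bandwidth_kbps"] = int(m.group(1))
        m = COUNTERS.search(line)
        if m:
            prefix = (m.group(1) or "all").lower()
            for key, val in zip(("pkts", "bytes", "drops"), m.groups()[1:]):
                current[f"{prefix}_{key}"] = int(val)
    return classes

def counter_delta(before, after):
    """Per-class increase of every packet/byte/drop counter."""
    return {name: {k: v - before.get(name, {}).get(k, 0)
                   for k, v in ctrs.items() if k != "bandwidth_kbps"}
            for name, ctrs in after.items()}

def idle_classes(delta):
    """Classes whose packet counters did not move between captures."""
    return sorted(n for n, d in delta.items()
                  if not any(v for k, v in d.items() if k.endswith("_pkts")))
```

Calling `idle_classes(counter_delta(parse_crypto_qos(first), parse_crypto_qos(second)))` on two real captures lists the classes that saw no packets in between.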