Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

QoS for VPN links


I have branches connected with VPN and I wanna guarantee bandwidth for that traffic using the following configuration:

!Access list to mark internal traffic

ip access-list extended QOS

permit ip any


!Class-map to mark internal traffic

class-map match-all QOS-IN

match access-group name QOS


!Class-map to match the marked traffic

class-map match-all QOS-OUT

match qos-group 1


!Apply to markage

policy-map QOS-IN

class QOS-IN

set qos-group 1



!Apply the bandwidth reservation

policy-map QOS-OUT

class QOS-OUT

bandwidth percent 50



interface FastEthernet0/0

service-policy output QOS-OUT

bandwidth 512



interface FastEthernet0/1

service-policy input QOS-IN

Any comments about this configuration ? because I found that there is no match for the second class-map ?

Best regards,


Re: QoS for VPN links

You QoS config is 100% incorrect.

QoS Steps:-

1) Classify

2) Mark

3) Policing

What is the platform you are trying to perform QoS on?

Community Member

Re: QoS for VPN links

I'm using a C2800

Super Bronze

Re: QoS for VPN links

I had problems using qos-groups, although from its documentation what you've done, I believe, should be correct. You might also consider using the ToS instead.

Since you show the outbound policy on an Ethernet interface with a bandwidth statement of 512, your policy won't control bandwidth until there's interface congestion. You should probably shape to the actual outbound bandwidth. (Shaping appears to provide implicit FQ. Shaping alone might provide a noticable improvement.)


You're still going to have an issue for VPN bandwidth, inbound. That's very difficult to do well downstream.

Community Member

Re: QoS for VPN links

Not that but.. I'm not seeing matches on the outside policy-map

Re: QoS for VPN links

Read the urls I sent.

Super Bronze

Re: QoS for VPN links

Unclear what you're saying. If you're saying you not seeing any matches against the packets the first policy is marking, that I recall is the issue I've too seen with qos-groups, which is why I suggested using a ToS setting instead. I.e. use your inbound policy to tag with something like IP Predence 1 or DSCP CS1 and then match against that value.

Community Member

Re: QoS for VPN links

OK, I see.

I'll will try what you suggest and I'll give a feedback.



CreatePlease to create content