Cisco Support Community

QoS on 5505 sub-class Ethernet Shaping VPN priority

Good afternoon gents, I have a 5505 that has 2 x 10 Mbit connections to two different service providers.

We currently use this in an active standby configuration, and route everything out one of the connections. 

Both connections are physically connected at 100 meg, and I believe the provider(s) are policing this upstream to 10MBit.

I would like to apply shaping outbound on both connections, with a priority queue for the VPN traffic back to the head office.

The ISPs are connected to a downstream Layer 2 switch; the Layer 3 interfaces are VLAN interfaces on the firewall.

Further to this I would like to go to an active-active configuration, using one of the ISPs only for VPN traffic, using tracking for resiliency, and the other for all other internet traffic.

I understand there is this limitation when using hierarchical queuing:

"For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the DSCP or precedence setting; you cannot match a tunnel group"

Can I not just use the same access list that is used for "interesting traffic", or is this tunnelled before the QoS is applied?

I was hoping I could use this config, on both outside interfaces to each ISP:

! Probe each ISP gateway out of its own interface (the second probe
! originally used "interface outside"; its gateway 200.xx.xx.xx sits on outside2).
sla monitor 123
 type echo protocol ipIcmpEcho 100.xx.xx.xx interface outside
  num-packets 3
  frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

sla monitor 456
 type echo protocol ipIcmpEcho 200.xx.xx.xx interface outside2
  num-packets 3
  frequency 10
sla monitor schedule 456 life forever start-time now
track 2 rtr 456 reachability

! route <interface> <network> <mask> <gateway> [metric] [track <id>]
! Tracked default route via ISP 1, floating (metric 100) default via ISP 2,
! and host/network routes that pin the VPN peer and remote LAN to ISP 2.
route outside 0.0.0.0 0.0.0.0 100.xx.xx.xx 1 track 1
route outside2 0.0.0.0 0.0.0.0 200.xx.xx.xx 100
route outside2 VPN-Peer-ADDRESS 255.255.255.255 200.xx.xx.xx 1 track 2
route outside2 Remote-Inside-network Remote-Inside-MASK 200.xx.xx.xx 1 track 2

! "priority-queue outside" (standard priority queuing) removed: it cannot be
! combined with shaping on the same interface; with a shaper the priority
! queue is configured hierarchically inside it, as below.
class-map VPN-TRAFFIC
 match tunnel-group tunnel-grp1
policy-map PRIORITY
 class VPN-TRAFFIC
  priority
policy-map SHAPE-10Mb
 class class-default
  shape average 5000000 <- this is half of 10Mbit – should it be 10000000??
  service-policy PRIORITY

service-policy SHAPE-10Mb interface outside
service-policy SHAPE-10Mb interface outside2
This was taken from here: yet it contradicts the hierarchical queuing limitation for tunnel groups?
Could I mark the traffic on the way in to the firewall from the inside interface, if this will not work with the tunnel group?

Any help would be greatly appreciated 
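Added example, not part of the original post: the same hierarchical shaper rewritten to classify on DSCP, which is the form the quoted limitation pushes you towards. Hierarchical priority queuing runs on the egress side of the shaper, after encryption, so the flow being queued is already ESP and there is no tunnel group to match; the inner packet's DSCP is copied into the ESP outer header, so a DSCP match still works. The ASA itself only polices, shapes and prioritises, it does not mark, so the example assumes the VPN-bound traffic is already marked EF by the inside network (hosts, phones or the inside switch). The class and policy names are made up for the example; the interface names outside/outside2 are the post's.

```cisco
! Added example (not the poster's config). Assumptions: traffic bound for the
! head office is already marked DSCP EF upstream; interfaces are named
! outside and outside2 as in the post.
!
! Classify on DSCP instead of tunnel-group: hierarchical priority queuing sees
! the post-encryption ESP packets, which carry the inner packet's DSCP.
class-map VPN-DSCP-EF
 match dscp ef
!
! Child policy: low-latency queue for the marked traffic.
policy-map PRIORITY-VPN
 class VPN-DSCP-EF
  priority
!
! Parent policy: shape the whole interface to the 10 Mbit/s the ISPs police to.
! shape average is in bits per second and must be a multiple of 8000.
policy-map SHAPE-10Mb
 class class-default
  shape average 10000000
  service-policy PRIORITY-VPN
!
! One shaper per ISP-facing interface. No "priority-queue <if>" line: that is
! standard priority queuing and cannot coexist with shaping on the interface.
service-policy SHAPE-10Mb interface outside
service-policy SHAPE-10Mb interface outside2
!
! Check that packets are actually hitting the shaper and the priority queue:
! show service-policy shape
! show service-policy priority
```

Two practical notes. If the provider polices at exactly 10 Mbit/s, shaping a little under it (for example 9600000, still a multiple of 8000) keeps bursts on the ASA side rather than letting the upstream policer drop them. And because the ASA cannot set DSCP, verify the marking on the inside segment first (a capture on the inside interface is enough); if the traffic arrives unmarked, the priority class will simply never match and everything falls into class-default.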