Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

QoS on IPSec VPN (GRE tunnel) over DSL.

I am trying to apply QoS to a clients 1800 router at a remote site. They have and IPSec VPN to a central router, with all the branch traffic coming down the VPN. There are 2 VLANs at the remote site, 1 for data and 1 for voice, and both are up and working and data & voice traffic is passing from remote subnets to central site fine. Voice quality suffers during congested periods, hence the need for some QoS (the client assures me that their SP does QoS across the WAN). I have tried to apply CBWFQ to the router, but am unsure of exactly where the policy should be applied, as some documents state physical i/f (ATM0), some the pvc, some the tunnel, and some the BVI i/f! Also a little unsure about whether I should do a nested parent/child policy. Below is the config from the router which did not work when we used WanKiller to overload the link. I have included Telnet traffic for ensuring we could still manage the router while we were using the WanKiller (didn't work!).

class-map match-all Telnet

match protocol telnet

class-map match-all VoIP_Traffic

match access-group name VoIP_Traffic


policy-map VoIP_QOS

class VoIP_Traffic

priority percent 50

class Telnet

bandwidth percent 10


interface Tunnel100

description Link to LAN-VPNCORE-R01

bandwidth 1024

ip unnumbered Loopback0

ip mtu 1410

qos pre-classify

cdp enable

tunnel source x.x.x.x

tunnel destination y.y.y.y


interface ATM0

mtu 1500

no ip address

no atm ilmi-keepalive

pvc 0/101

encapsulation aal5snap



dsl operating-mode auto

bridge-group 1

bridge-group 1 spanning-disabled

service-policy output VoIP_QOS


interface Vlan1

no ip address


interface Vlan100

ip address

ip helper-address


interface Vlan300

ip address

ip helper-address

standby 0 ip

standby 0 priority 105

standby 0 preempt


interface BVI1

ip address x.x.x.192

ip access-group 100 out

crypto map INTERNET


ip access-list extended VoIP_Traffic

permit ip any

I have done the qos pre-classify on the crypto map as well. Any ideas?


Re: QoS on IPSec VPN (GRE tunnel) over DSL.

CreatePlease to create content