Configure QoS for VPN Tunnel on Cisco Router

Class Maps are referenced by Policy Maps, which are then applied to the external interface.  VPN traffic is "pre-classified" before entering the external interface. The example below is based on 512 kbps bandwidth available for upload traffic.

Create 2 class-maps like this:

class-map match-any Priority_Packets match precedence 5 match dscp ef class-map match-any All_Traffic match any

Create 2 policy maps like this:

//256 is the amount of bandwidth in Kb you want to reserve for priority traffic. 256 is probably ok for 3 phones using the G.711 codec//480000 is the total amount of upload in bits available (should be less than actual speed or else the policy will never kick in and QoS will be useless. In this case I had 512k up on the internet connection.

On the crypto map add qos pre-classify

crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to68.118.31.246 set peer 68.118.31.246 set transform-set ESP-3DES-SHA match address 103 qos pre-classify

On the interface apply the main policy-map:

interface FastEthernet4 description $ES_WAN$$FW_OUTSIDE$ bandwidth 5000 ip address dhcp client-id FastEthernet4 ip access-group 101 in no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip inspect DEFAULT100 out ip virtual-reassembly ip route-cache flow duplex auto speed auto crypto map SDM_CMAP_1 service-policy output Shape_Out

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That should be it. Then use “sh policy-map interface fa4” to see the QoS in action. Start a big upload and you should see Shaping Active: Yes while the uploading is going. You’ll see the two classes of traffic and if the phone traffic is being identified properly you’ll see counters under both classes.

Special thanks to Brian S. for assistance with this article.