Quality of Service within a VPN tunnel over Dialer-Interface

Today I will show you how to configure QoS for outgoing SIP VoIP traffic that goes through a VPN tunnel / crypto map. To solve this we need to create class-maps for all IP traffic and for our SIP traffic, and bind them to the crypto map and the outgoing interface. This is necessary because VPN traffic is encapsulated “within” the router, so by the time a packet reaches the outgoing interface its original headers are no longer visible. First we configure our class-map for all outgoing traffic:

class-map match-any MyCompleteTraffic
match any

This will be our access list and class-map, which define our “interesting” priority packets:

ip access-list extended QoS_Packets
permit tcp any any eq 5904
permit tcp any eq 5904 any

class-map match-any MyPriorityPackets
match access-group name QoS_Packets

A very important step is to configure the bandwidth on the WAN interface that faces the Internet. This matters even if you have a FastEthernet interface connected to the ISP router with, for example, a 5 MBit sync line, because the default bandwidth on a FastEthernet interface is 100 MBit! The percentage used for shaping below is calculated from this value. Our WAN interface is a Dialer for a standard ADSL line:

interface Dialer1
description ADSL line with 6/0,7 MBit Up/Down
bandwidth 6000
bandwidth receive 700

Now we will configure policy-maps where we bind the pre-defined class-maps:

policy-map SIP_Priority
class MyPriorityPackets
! granted bandwidth for our SIP traffic, in kbit/s or as a percentage
priority percent 20
class class-default
fair-queue
random-detect

policy-map OutgoingTraffic
class MyCompleteTraffic
! use nearly all of the available upload bandwidth; give the rate in bit/s or as a percentage
shape average percent 95
service-policy SIP_Priority

We need to configure QoS pre-classify on the specific crypto-map and bind the service-policy for all outgoing traffic to the ip nat outside interface:

Router(config-crypto-map)#qos ?
pre-classify  Enable QOS classification before packets are tunnel encapsulated

crypto map CompanyMap 10 ipsec-isakmp
description Tunnel to central office
set peer x.x.x.x
set transform-set ESP-AES-SHA
match address vpn_traffic
qos pre-classify

interface Dialer1
crypto map CompanyMap
service-policy output OutgoingTraffic

The upload bandwidth to reserve for your VoIP traffic can be calculated. I found a cool website calculator at http://www.asteriskguru.com/tools/bandwidth_calculator.php. In my case I had only one IP phone at the branch office, so 32 kbit would be the recommendation for the SIP traffic.
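The same kind of calculation can be done by hand once the IPsec encapsulation is included. The following is an added example, not part of the original post: it assumes the ESP-AES-SHA transform-set means AES-CBC with HMAC-SHA1 in tunnel mode (its definition is not shown above), and the function names, the codec rates and the `l2_overhead` parameter are hypothetical inputs chosen for illustration.

```python
import math

# Per-packet sizes in bytes. Assumption: ESP tunnel mode, AES-CBC, HMAC-SHA1-96.
OUTER_IP = 20     # new IPv4 header added by tunnel mode
ESP_HDR = 8       # SPI + sequence number
AES_CBC_IV = 16   # per-packet initialisation vector
AES_BLOCK = 16    # payload plus trailer is padded to a multiple of this
ESP_TRAILER = 2   # pad-length and next-header bytes
SHA1_ICV = 12     # truncated HMAC-SHA1 integrity check value
IP_UDP_RTP = 40   # 20 + 8 + 12 bytes in front of every voice frame


def esp_packet_bytes(inner_ip_bytes):
    """Size of the encrypted packet that carries one inner IP packet."""
    padded = math.ceil((inner_ip_bytes + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return OUTER_IP + ESP_HDR + AES_CBC_IV + padded + SHA1_ICV


def call_kbps(codec_bps, ptime_ms=20, l2_overhead=0):
    """One-way bandwidth of a single call after encapsulation, in kbit/s.

    l2_overhead is a hypothetical knob for PPP/PPPoE/ATM framing on the
    access line; it is left at 0 because the post does not say which is used.
    """
    pps = 1000 // ptime_ms                    # packets per second
    voice_bytes = codec_bps // 8 // pps       # codec payload per packet
    wire = esp_packet_bytes(voice_bytes + IP_UDP_RTP) + l2_overhead
    return wire * 8 * pps / 1000


if __name__ == "__main__":
    # Constructed inputs: two common codec bit rates, 20 ms packetisation.
    for name, bps in (("8 kbit/s codec", 8000), ("64 kbit/s codec", 64000)):
        print(f"{name}: {call_kbps(bps):.1f} kbit/s per call inside the tunnel")
```

Multiply the result by the number of simultaneous calls and add headroom for signalling when sizing the priority class.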

To check the QoS configuration, you can look at the prioritized packets with “show policy-map interface Dialer1”:

 Dialer1

Service-policy output: OutgoingTraffic

Class-map: MyCompleteTraffic (match-any)
17999 packets, 1960216 bytes
5 minute offered rate 3000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 5700000, bc 57000, be 57000
target shape rate 5700000

Service-policy : SIP_Priority

queue stats for all priority classes:

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: MyPriorityPackets (match-any)
6713 packets, 490018 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QoS_Packets
6713 packets, 490018 bytes
5 minute rate 0 bps
Priority: 20% (600 kbps), burst bytes 15000, b/w exceed drops: 0

Class-map: class-default (match-any)
11286 packets, 1470198 bytes
5 minute offered rate 3000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 0/0
Fair-queue: per-flow queue limit 16
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class     Transmitted       Random drop      Tail/Flow drop Minimum Maximum Mark
pkts/bytes    pkts/bytes       pkts/bytes    thresh  thresh  prob

0               0/0               0/0              0/0                 20            40  1/10
1               0/0               0/0              0/0                 22            40  1/10
2               0/0               0/0              0/0                 24            40  1/10
3               0/0               0/0              0/0                 26            40  1/10
4               0/0               0/0              0/0                 28            40  1/10
5               0/0               0/0              0/0                 30            40  1/10
6               0/0               0/0              0/0                 32            40  1/10
7               0/0               0/0              0/0                 34            40  1/10

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
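The counters above can also be checked by a script, for example from a monitoring job that collects this command's output. This is an added example, not part of the original post: the function names are hypothetical, and the sample is an excerpt of the output shown above. A priority class that matches no packets is the typical symptom of a missing "qos pre-classify" or a wrong access list, since the policy then only sees the encrypted packets.

```python
import re

# Excerpt of the "show policy-map interface Dialer1" output shown above.
SAMPLE = """\
Class-map: MyCompleteTraffic (match-any)
17999 packets, 1960216 bytes
queue stats for all priority classes:
(queue depth/total drops/no-buffer drops) 0/0/0
Class-map: MyPriorityPackets (match-any)
6713 packets, 490018 bytes
Match: access-group name QoS_Packets
6713 packets, 490018 bytes
Priority: 20% (600 kbps), burst bytes 15000, b/w exceed drops: 0
Class-map: class-default (match-any)
11286 packets, 1470198 bytes
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
"""

def parse_classes(text):
    """Return one dict per class block, in the order the router prints them."""
    classes, cur = [], None
    def start(name):
        classes.append({"name": name, "packets": None, "drops": 0, "exceed_drops": 0})
        return classes[-1]
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Class-map: (\S+)", line):
            cur = start(m.group(1))
        elif line.startswith("queue stats for all priority classes"):
            cur = start("<priority-queue>")   # aggregate counters, not a class
        elif cur is None:
            continue
        elif (m := re.match(r"(\d+) packets, \d+ bytes", line)) and cur["packets"] is None:
            cur["packets"] = int(m.group(1))  # first counter line is the class total
        elif m := re.match(r"\(queue depth/total drops/[^)]*\) \d+/(\d+)", line):
            cur["drops"] += int(m.group(1))
        elif m := re.search(r"b/w exceed drops: (\d+)", line):
            cur["exceed_drops"] = int(m.group(1))
    return classes

def check(text, priority_class="MyPriorityPackets"):
    """Return findings; an empty list means the counters look healthy."""
    classes = parse_classes(text)
    out = [f"{c['name']}: {c['drops']} queue drops" for c in classes if c["drops"]]
    prio = next((c for c in classes if c["name"] == priority_class), None)
    if prio is None or not prio["packets"]:
        out.append(f"{priority_class}: no packets matched, check ACL and qos pre-classify")
    elif prio["exceed_drops"]:
        out.append(f"{priority_class}: {prio['exceed_drops']} b/w exceed drops")
    return out
```

Non-zero "b/w exceed drops" means the priority class was offered more traffic than its configured rate during congestion, so the voice packets themselves were dropped.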

If you have any other wishes for QoS instructions, please just let me know! Have a nice weekend!

4 thoughts on “Quality of Service within a VPN tunnel over Dialer-Interface”

    • Hi Michael!

      Yes it’s this router:

      Router#show inventory
      NAME: “881”, DESCR: “881 chassis, Hw Serial#: xxx, Hw Revision: 1.0”
      PID: CISCO881-SEC-K9 , VID: V01, SN: xxx

      NAME: “motherboard”, DESCR: “C880 Motherboard”
      PID: CISCO881-SEC-K9 , VID: 1.0, SN: xxx

      Router#show version
      Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M7, RELEASE SOFTWARE (fc2)

      System image file is “flash:c880data-universalk9-mz.150-1.M7.bin”
