QoS for specific traffic but overlapping classmap

Started by Dieselboy, April 01, 2016, 07:39:54 AM


Dieselboy

Request for comments here :)

I have a BOVPN to a remote site. The remote site has 10M internet. I am already qos-ing traffic to the site, prioritising DSCP EF and shaping the rest to 10MB so as not to saturate the remote site inbound bandwidth.

I am finding that my class-map is not picking up the generic internet traffic and so what I would like to do is at least guarantee some bandwidth as it leaves the head office to the remote site. Otherwise, DSCP EF traffic is priority everywhere as we run VOIP and jabber VOIP.

My concern is that I'm marking laptop jabber VOICE traffic at the access-level to DSCP EF. The phones already mark the voice traffic. I have thought that I could set a DSCP marking on traffic to the remote site /20 subnet, such as AFxx but of course I do not want to re-write the EF traffic to AFxx. -> Is this possible?

Another way would be to try and mark the traffic as it leaves through the ASA firewall. ESP packets will already be set to have a DSCP EF, when those ESP packets are encapsulating voip (qos pre classify), so after they have been NATted the upstream ISP router will / is already prioritising them.
I thought about trying to mark the rest of the site's traffic based on source / dest. IP address at the firewall but the same concern - I don't want to break the DSCP EF packets containing voip.

Is it achievable? is the first question.

Is it worth it? is the second question.

We have 20M internet at the main office which will be 50M very soon. I'm really only trying to think ahead and ensure the remote office can access resources without impact if we do any uploading etc, which we do in fact do.

routerdork

I got a little confused reading through this. But my first thought was to create an ACL for traffic destined to ports 80/443 and then match it in your QoS policy for Internet. I've not done it this way but that was what came to mind.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

wintermute000

For DMVPN do it like this.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-per-tunnel-qos.html

Use the standard method per class: a parent map shaping to 10M then a sub policy within it to prioritise EF etc.

As for your first question, policy maps are sequential, so traffic matching a first class is no longer examined by the second class. So in your case, say you have two queues (btw KISS is my motto when it comes to QoS), I'd just prioritise 2M EF and best effort the rest in your child map. Leave the parent map to enforce the overall 10M shaping. And do it using the per group method so it's scalable and the 10M parent is automagically applied only to the traffic from hub to this particular spoke.


Reading your question again I think you may be missing the parent/child structure? If so read up on it - this is the correct way to do QoS, whether tunnel group based or not. The parent class introduces the contention that allows the sub policy to introduce guarantees/priority etc. otherwise the QoS algo doesn't think there's any contention (and hence does not prioritise anything) until the interface hits its physical limit.

Dieselboy

Thanks mate for the link, yes I somehow didn't remember the order of the class map. I do have parent / child class maps.

What I was trying to say was it doesn't really matter about the DSCP EF traffic because even after it goes through the VPN encapsulation into ESP, the ESP packets should have DSCP EF still tagged. So I don't care where the EF traffic is going, I have just given a priority amount to all EF traffic as it exits the internet router. Because we use ITSPs, RTP out to the internet also has EF traffic. I am accounting for, monitoring and prioritising all EF traffic as it leaves.

What I was thinking of doing was guaranteeing bandwidth to a remote site. I will have 2 lots of traffic going to a remote site.
> ESP traffic with EF
> ESP traffic without EF

Is it possible to use an ACL to classify based on source/destination IP address, or use an ACL to classify ESP traffic; but at the same time deny traffic that has DSCP EF set? I don't think so.
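The parent/child structure wintermute000 describes, written out for the hub-side internet router as an added example (not config from the thread or from Cisco's DMVPN guide). Because the child policy's classes are evaluated top-down, the EF class takes the EF-marked ESP first and class-default only ever sees the site's non-EF ESP, so the ACL needs no "deny EF" clause. The hub public IP 192.0.2.10, spoke public IP 198.51.100.10 and interface GigabitEthernet0/0 are placeholders.

```cisco
! Added example, hub-side IOS. Placeholder addresses and interface; adjust to suit.
! Outer ESP header is assumed to carry the inner DSCP (as the thread states).
ip access-list extended REMOTE-SITE-ESP
 remark post-encryption ESP from hub to this spoke, EF and non-EF alike
 permit esp host 192.0.2.10 host 198.51.100.10
!
class-map match-all REMOTE-SITE
 match access-group name REMOTE-SITE-ESP
!
class-map match-all VOICE-EF
 match dscp ef
!
! Child: evaluated in order. EF ESP is queued LLQ at 2 Mbit/s;
! whatever is left (non-EF ESP to the site) gets a 3 Mbit/s guarantee.
policy-map CHILD-REMOTE-SITE
 class VOICE-EF
  priority 2000
 class class-default
  bandwidth 3000
  fair-queue
!
! Parent: shapes only this spoke's traffic to its 10 Mbit/s link, which is
! the artificial contention that makes the child's priority/guarantee act.
policy-map PARENT-INTERNET
 class REMOTE-SITE
  shape average 10000000
  service-policy CHILD-REMOTE-SITE
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 description Internet uplink
 service-policy output PARENT-INTERNET
```

Check the per-class counters with `show policy-map interface GigabitEthernet0/0` during a VoIP call plus a large upload to the site: EF packets should increment under VOICE-EF and the upload under the child's class-default, never the reverse.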