We run our site-to-site VPNs in a tunnel-all configuration to enforce content filters, IPS, app detection, etc. Recently my company has selected an Internet-based learning management system for staff training. At times it can be a bit of a bandwidth hog. With all of the other traffic I have going through my WAN, I would like to guarantee that it has a certain amount of bandwidth. Now with physical interfaces this is pretty easy. I have a LAN (named default-profile-lan) and WAN (named default-profile-wan) QoS profile and set aside 10ms/s on each for Class 2. Since it is egress based, I wanted to make sure that any traffic uploaded or downloaded is covered. The issue I am struggling on relates to how I guarantee it through a site-to-site VPN tunnel. Since the WAN interface is my ingress & egress interface for all VPN terminated traffic, would Class 2 under default-profile-wan apply for both directions, or would I need to do something with guaranteed traffic on a tunnel-by-tunnel basis? My QoS rule is structured as:
| Name | Tags | Src. Zone | Src. Address | Src. User | Dst. Zone | Dst. Address | Application | Service | Class | Schedule |
I would think that this would apply for any traffic coming from my vpn-tunnel zone or inside zone and use the default-profile-wan policy, but I could be wrong. Can anyone shed some light on it?