QoS for VOIP over IPSEC VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

QoS for VOIP over IPSEC VPN

L3 Networker

Hi All

 

I have four VPN sites and HQ with VOIP deployed. On HQ Palo Alto, I want if traffic come from LAN with some marking like 'af41' then give priority (real time) and copy the dscp marking when send across IPSEC VPN? 

-> For this, I have made one qos profile say 'vpn_profile_voip' with class '2' and assign priority 'real time'

-> Then applied on egress physical interface ethernet1/1 by selecting the profile 'vpn_profile_voip' in drop down menu of 'tunneled interface' 

-> Made Qos policy with source any, destination VPN destination subnets, dscp marking 'af41' then assign class '2'

 

My question are, 

 

1- After applying the Qos will it again copy the 'af41' in ESP header, when traffic tunnled through IPSEC VPN? so ISP can also enforce qos based on that dscp code in their network

2- I do not want to apply Qos on clear text traffic going to internet from same egress interface ethernet1/1. So should I apply 'default' qos profile for 'clear text' or should I have to make one new qos profile say 'no-qos' without defining any class (so all clear text traffic will fall under class 4)?

3- For the traffic (marked with 'af41' comes from sites to HQ), how to apply the qos with same requirement of match with 'af41' then set priority 'real time' Where I need to apply Qos profile?

 

@reaper

3 REPLIES 3

L7 Applicator

@faizankhurshid wrote:

1- After applying the Qos will it again copy the 'af41' in ESP header, when traffic tunnled through IPSEC VPN? so ISP can also enforce qos based on that dscp code in their network


Good question. But I think unlike Cisco this isn't the case with Paloalto.

 


@faizankhurshid wrote:

2- I do not want to apply Qos on clear text traffic going to internet from same egress interface ethernet1/1. So should I apply 'default' qos profile for 'clear text' or should I have to make one new qos profile say 'no-qos' without defining any class (so all clear text traffic will fall under class 4)?


Are you talking about Paloalto-QoS or QoS marking? Anyway to apply QoS marking you simply specify this in the actions tab in the security policy rule and you do not set this option for traffic that shouldn't be marked. QoS could still be applied to traffic (without marking) to slow down exessive bandwidth applications to have enough bandwith for your s2s vpn for example.

 


@faizankhurshid wrote:

3- For the traffic (marked with 'af41' comes from sites to HQ), how to apply the qos with same requirement of match with 'af41' then set priority 'real time' Where I need to apply Qos profile?


In your QoS policy you could create a rule to match af41 and then set a specific class for which you configure "real time" in the QoS profile in the network tab and apply that profile in the interface QoS traffic in the direction you want to set that.

 

@Remo

OK. The Qos requirement is, for traffic coming from LAN with marking af41 when goes to a particular IPSEC VPN tunnel then it should get real time priority and 2MB bandwidth. I know,

 

1- I have to make on Qos profile say 'VPN-QOS' for IPSEC VPN traffic, define class (say class 2) and assing priority and bandwidth.

2- I will make Qos policy and match dscp marking af41 and assign class 2

 

The question is when I apply Qos Profile on egress interface. There is option for clear text traffic and tunnel traffic. For tunnel traffic, I selected 'VPN-QOS'. For clear text traffic what I need to select? (as for clear text traffic, I do not want any Qos)

 

@faizankhurshid

As I assume you also haven't configured any QoS policy for this traffic, all traffic will have default class 4 assigned. So for clear text traffic you could just assign the default QoS profile. Because you configured the higher priority for your VPN traffic the firewall will slow down the normal traffic when there otherwise wozldn't be enough bandwidth left for VPN. Just make sure to set the interface max bandwidth to match your actual bandwidth that the firewall knows when it has to slow down everything else except VPN.

  • 4686 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!