We run our site-to-site VPNs in a tunnel-all configuration to enforce content filters, IPS, app detection, etc. Recently my company has selected an Internet-based learning management system for staff training. At times it can be a bit of a bandwidth hog. With all of the other traffic I have going through my WAN, I would like to guarantee that it has a certain amount of bandwidth.

Now with physical interfaces this is pretty easy. I have a LAN (named default-profile-lan) and WAN (named default-profile-wan) QoS profile and set aside 10ms/s on each for Class 2. Since it is egress based, I wanted to make sure that any traffic uploaded or downloaded is covered.

The issue I am struggling with relates to how I guarantee it through a site-to-site VPN tunnel. Since the WAN interface is my ingress & egress interface for all VPN-terminated traffic, would Class 2 under default-profile-wan apply for both directions, or would I need to do something with guaranteed traffic on a tunnel-by-tunnel basis?

My QoS rule is structured as:

| Name | Tags | Src. Zone | Src. Address | Src. User | Dst. Zone | Dst. Address | Application | Service | Class | Schedule |
|---|---|---|---|---|---|---|---|---|---|---|
| LMS Traffic | none | any | any | any | outside | 64.78.147.55 | any | any | 2 | none |

I would think that this would apply for any traffic coming from my vpn-tunnel zone or inside zone and use the default-profile-wan policy, but I could be wrong. Can anyone shed some light on it?