03-19-2015 12:19 PM
We run our site-to-site VPNs in a tunnel-all configuration to enforce content filters, IPS, app detection, etc. Recently my company has selected an Internet-based learning management system for staff training. At times it can be a bit of a bandwidth hog. With all of the other traffic I have going through my WAN I would like to guarantee that it has a certain amount of bandwidth. Now with physical interfaces this is pretty easy. I have a LAN (named default-profile-lan) and WAN (named default-profile-wan) QoS profile and set aside 10ms/s on each for Class 2. Since it is egress based I wanted to make sure that any traffic uploaded or downloaded is covered. The issue I am struggling on relates to how I guarantee it through a site-to-site VPN tunnel. Since the WAN interface is my ingress & egress interface for all VPN terminated traffic, would Class 2 under default-profile-wan apply for both directions or would I need to do something with guaranteed traffic on a tunnel-by-tunnel basis? My QoS rule is structured as:
Name | Tags | Src. Zone | Src. Address | Src. User | Dst. Zone | Dst. Address | Application | Service | Class | Schedule |
---|---|---|---|---|---|---|---|---|---|---|
LMS Traffic | none | any | any | any | outside | 64.78.147.55 | any | any | 2 | none |
I would think that this would apply for any traffic coming from my vpn-tunnel zone or inside zone and use the default-profile-wan policy, but I could be wrong. Can anyone shed some light on it?