Skip to main content
Cisco Meraki

QoS over a Site-to-site VPN

If a traffic shaping rule is defined on a Cisco Meraki MX Security Appliance to include a DSCP tag, the DSCP tag will remain in the IP packet as it traverses the VPN tunnel to the remote end. This is because DSCP exists at layer 3 and as such is routed from network to network. Cisco Meraki MX Security Appliances use IPsec Encapsulating Security Payload (ESP) in conjunction with tunnel mode, so the IP packet is fully encapsulated and thus survives NAT traversal. When the ESP packet is de-encapsulated and decrypted at the remote site, the QoS tag remains intact. 

In figure 1, the traffic coming from the subnet on the San Francisco MX60 is tagged with a QoS tag as it leaves the MX as defined in the traffic shaping rule seen in figure 2. This tag is in the packet when it is received by the UK Host.


Figure 1. Site to site VPN between San Francisco branch and UK branch.

The following rule is defined on the SF MX60 under Configure > Traffic shaping. As this rule is designed to match traffic coming from a particular local source network, it is important that the localnet syntax be used in the Custom expression:

Figure 2. The DSCP tag will be applied as the packet leaves the source SF MX60.

Figure 3 shows a TCP SYN to destination port 80 from the host on the SF MX60 destined for the host on the UK MX60 LAN. In the capture it can be seen that the DSCP value is 7, which is what was defined in the traffic shaping rule on the SF MX60. Thus, the tag is applied at the ingress/source point to the VPN tunnel and remains applied at the egress/destination.


Figure 3. TCP packet arrives from SF MX60 host to the UK MX60 host.


Related Articles

Site-to-site VPN Configuration

Traffic Shaping Settings

Using Packet Prioritization on Traffic Shaping Rules

Traffic Shaping a Local Subnet or Host

  • Was this article helpful?