Cisco Meraki Documentation

QoS over a Site-to-site VPN

If a traffic shaping rule is defined on a Cisco Meraki MX Security Appliance to include a DSCP tag, the DSCP tag will remain in the IP packet as it traverses the VPN tunnel to the remote end. This is because DSCP exists at layer 3 and as such is routed from network to network. Cisco Meraki MX Security Appliances use IPsec Encapsulating Security Payload (ESP) in conjunction with tunnel mode, so the IP packet is fully encapsulated and thus survives NAT traversal. When the ESP packet is de-encapsulated and decrypted at the remote site, the QoS tag remains intact. 

  • LAN-to-WAN: DSCP tags maintained
  • LAN-to-AutoVPN: DSCP tags are maintained and copied to the external header of AutoVPN
  • MX: DSCP tags are maintained inside the tunnel and also copied to the IPsec header, where they can be read, for example, by the ISP

In figure 1, the traffic coming from the 172.27.0.0/24 subnet on the San Francisco MX60 is tagged with a QoS tag as it leaves the MX as defined in the traffic shaping rule seen in figure 2. This tag is in the packet when it is received by the UK Host.

Figure 1. Site to site VPN between San Francisco branch and UK branch. Architecture diagram of two MXen connected via the internet with four steps mentioned. 1. SF host initiates TCP session with UK host 10.10.10.2:80. 2. SF MX60 applies DSCP tag to the traffic from SF host as it leaves the MX. 3. UK host receives traffic from SF host and responds to 172.27.0.252:49755. 4. SF MX60 receives the UDP packet from the UK host, de-encapsulates it and adds a DSCP tag before forwarding to the SF host.

In figure 2, the following rule is defined on the SF MX60 under Configure > Traffic shaping. As this rule is designed to match traffic coming from a particular local source network, it is important that the localnet syntax be used in the custom expression:

Figure 2. The DSCP tag will be applied as the packet leaves the source SF MX60.

Figure 3 shows a TCP SYN to destination port 80 from the 172.27.0.252 host on the SF MX60 destined for the 10.10.10.2 host on the UK MX60 LAN. In the capture it can be seen that the DSCP value is 7, which is what was defined in the traffic shaping rule on the SF MX60. Thus, the tag is applied at the ingress/source point to the VPN tunnel and remains applied at the egress/destination.

Figure 3. TCP packet arrives from SF MX60 host to the UK MX60 host.

Screenshot from a packet capture showing a frame with the DSCP section in the payload of the frame selected/highlighted.
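As an added example (not Meraki's code), the framing described above can be checked with a small Python parser: it builds the figure 3 SYN as constructed sample bytes, wraps it in tunnel-mode ESP framing with the inner DSCP copied to the outer header as the article states, and then reads the DSCP from both headers the way an analyst would when confirming from a capture that the mark survives. Encryption is omitted so the inner packet stays inspectable, and the tunnel endpoint addresses are placeholders, not the page's.

```python
import socket
import struct

IP_PROTO_TCP, IP_PROTO_ESP = 6, 50

def ipv4_header(src, dst, proto, dscp, payload_len):
    """Minimal 20-byte IPv4 header; DSCP is the top 6 bits of byte 1 (ECN = 0).
    Checksum is left zero: constructed sample data, not a transmitted packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def dscp_of(ip_header):
    """6-bit DSCP from the Traffic Class byte of an IPv4 header."""
    if ip_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ip_header[1] >> 2

def esp_tunnel_encapsulate(inner_packet, outer_src, outer_dst, spi, seq):
    """Tunnel-mode ESP framing: outer IP (proto 50) + ESP header + whole inner packet.
    Real ESP encrypts the inner packet; it is left in clear here for inspection.
    The inner DSCP is copied to the outer header, as the page says the MX does."""
    esp = struct.pack("!II", spi, seq) + inner_packet
    outer = ipv4_header(outer_src, outer_dst, IP_PROTO_ESP, dscp_of(inner_packet), len(esp))
    return outer + esp

def audit_tunnel_packet(packet):
    """De-encapsulate (as the remote MX would after decryption) and report both DSCPs."""
    outer = packet[:20]
    if outer[9] != IP_PROTO_ESP:
        raise ValueError("outer packet is not ESP")
    spi, seq = struct.unpack("!II", packet[20:28])
    inner = packet[28:]
    tcp = inner[(inner[0] & 0x0F) * 4:]          # skip inner IPv4 header (IHL * 4 bytes)
    return {
        "spi": spi, "seq": seq,
        "outer_dscp": dscp_of(outer), "inner_dscp": dscp_of(inner),
        "dscp_copied": dscp_of(outer) == dscp_of(inner),
        "inner_src": socket.inet_ntoa(inner[12:16]), "inner_dst": socket.inet_ntoa(inner[16:20]),
        "dst_port": struct.unpack("!H", tcp[2:4])[0],
        "syn": bool(tcp[13] & 0x02),
    }

# Constructed sample: the figure 3 TCP SYN, 172.27.0.252:49755 -> 10.10.10.2:80, DSCP 7.
tcp_syn = struct.pack("!HHIIBBHHH", 49755, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER = ipv4_header("172.27.0.252", "10.10.10.2", IP_PROTO_TCP, 7, len(tcp_syn)) + tcp_syn
# Tunnel endpoints are placeholder documentation addresses (RFC 5737), not the page's.
TUNNELED = esp_tunnel_encapsulate(INNER, "198.51.100.1", "203.0.113.1", spi=0x1000, seq=1)

if __name__ == "__main__":
    print(audit_tunnel_packet(TUNNELED))
```

A tunnel that did not copy the mark would show `dscp_copied` false with the inner value still intact, which is the distinction to keep in mind when an upstream ISP is expected to honour the outer header.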


Related Articles

Site-to-site VPN Configuration

Traffic Shaping Settings

Using Packet Prioritization on Traffic Shaping Rules

Traffic Shaping a Local Subnet or Host
