Scenario: I have a LAN with two Cisco 3750G-48TS-E switches as my core. We have a PIX 515E firewall running 8.0.4 connected to a 20Mbps internet pipe. My company utilizes a lot of video conferencing and VoIP services via the internet, so I cannot do end-to-end QoS. I also have L2L VPN traffic to a remote data center (no voice or video over the VPN, though) which I would like to limit to 15Mbps. My thought is to just trust DSCP/CoS on the 3750s and do QoS on the PIX using a combination of ACLs, class-maps, policy-maps, etc. with priority queues.
I am not sure if I should apply my service-policy to just the inside interface, just the outside or both. Also, will this at least give my identified traffic priority like I think it will?
Here's my config:
class-map cm_voice
 description matches all dscp ef traffic
 match dscp ef
class-map cm_video
 description matches all dscp af41 traffic
 match dscp af41
access-list al_tcp_traffic permit tcp any any
class-map cm_tcp_traffic
 description matches all non-tunneled tcp traffic
 match access-list al_tcp_traffic
##classify all tunneled traffic for L2L vpn
access-list al_ip_vpn extended permit ip 192.168.0.0 255.255.240.0 69.xxx.xxx.xxx 255.255.255.128
access-list al_ip_vpn extended permit ip 10.0.0.0 255.224.0.0 69.xxx.xxx.xxx 255.255.255.128
class-map cm_vpn_all
 description matches all TUNNELED ip traffic to hosted solutions
 match access-list al_ip_vpn
 match tunnel-group 69.xxx.xxx.xxx
policy-map qos
 ## class names must match the class-map names defined above exactly
 class cm_voice
  priority
 class cm_video
  priority
 class cm_vpn_all
  ## rate and burst: ~15Mbps conform rate, burst in bytes
  police output 15728500 15728500
  police input 15728500 15728500
## enable the low-latency queue on each interface the policy is applied to
priority-queue outside
priority-queue inside
## DO I APPLY THIS JUST TO INSIDE, OUTSIDE, OR IS BOTH BEST?
service-policy qos interface outside
service-policy qos interface inside
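Added example, not part of the post above: a small cross-reference checker for PIX/ASA Modular Policy Framework config text that catches the two slips a hand-typed policy like this one is prone to, a policy-map `class` line naming a class-map that was never defined (hyphen vs underscore) and a misspelt top-level keyword such as `access_list`, both of which the CLI would reject rather than silently leave the class unmatched. The embedded config is a constructed sample modelled on the post, with the RFC 5737 address 203.0.113.0 standing in for the redacted peer network; `check_mpf_config` and `KNOWN_KEYWORDS` are names of this example, not a Cisco tool.

```python
"""Cross-reference checker for PIX/ASA Modular Policy Framework (class-map/policy-map) text."""
# Constructed sample modelled on the post's config (203.0.113.0 stands in for the redacted
# peer network); it keeps the original's hyphen/underscore slips on purpose.
SAMPLE_CONFIG = """\
class-map cm_voice
 match dscp ef
class-map cm_video
 match dscp af41
access-list al_ip_vpn extended permit ip 192.168.0.0 255.255.240.0 203.0.113.0 255.255.255.128
access_list al_ip_vpn extended permit ip 10.0.0.0 255.224.0.0 203.0.113.0 255.255.255.128
class-map cm_vpn_all
 match access-list al_ip_vpn
policy-map qos
 class cm-voice
  priority
 class cm-video
  priority
 class cm_vpn_all
  police output 15728500 15728500
service-policy qos interface outside
"""
KNOWN_KEYWORDS = {"class-map", "access-list", "policy-map", "service-policy", "priority-queue"}

def check_mpf_config(text):
    """Return problem strings: misspelt top-level keywords and references to undefined objects."""
    defined = {"class-map": set(), "access-list": set(), "policy-map": set()}
    refs, problems = [], []  # refs: (kind, name, line_no)
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0][0] in "!#":  # blank or comment line
            continue
        kw = tok[0]
        if kw in defined and len(tok) > 1:            # class-map / access-list / policy-map definition
            defined[kw].add(tok[1])
        elif kw == "class" and len(tok) > 1:          # class-map reference inside a policy-map
            refs.append(("class-map", tok[1], n))
        elif kw == "match" and len(tok) > 2 and tok[1] == "access-list":
            refs.append(("access-list", tok[2], n))
        elif kw == "service-policy" and len(tok) > 1:  # policy-map reference
            refs.append(("policy-map", tok[1], n))
        elif "_" in kw and kw.replace("_", "-") in KNOWN_KEYWORDS:
            problems.append(f"line {n}: unknown keyword '{kw}' (did you mean '{kw.replace('_', '-')}'?)")
    for kind, name, n in refs:
        if name in defined[kind]:
            continue
        # Near-miss hint for names differing only in '-' vs '_', the usual hand-typing slip.
        near = [d for d in defined[kind] if d.replace("-", "_") == name.replace("-", "_")]
        hint = f" (did you mean '{near[0]}'?)" if near else ""
        problems.append(f"line {n}: {kind} '{name}' referenced but not defined{hint}")
    return problems
```

Run `check_mpf_config(SAMPLE_CONFIG)` and it reports the `access_list` keyword on line 6 and the undefined `cm-voice` and `cm-video` classes on lines 10 and 12, each with the intended name as a hint.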