Class Maps are referenced by Policy Maps, which are then applied to the external interface. VPN traffic is “pre-classified” before entering the external interface. The example below is based on 512 kbps bandwidth available for upload traffic.

Create 2 class-maps like this:

class-map match-any Priority_Packets
 match precedence 5
 match dscp ef
class-map match-any All_Traffic
 match any

Create 2 policy maps like this:

policy-map Voice_Priority
 class Priority_Packets
  ! 256 is the amount of bandwidth in kbps you want to reserve for priority traffic.
  ! 256 is probably OK for 3 phones using the G.711 codec.
  priority 256
 class class-default
  fair-queue
  random-detect
policy-map Shape_Out
 class All_Traffic
  ! 480000 is the total amount of upload available, in bits per second. It should be
  ! less than the actual speed, or else the policy will never kick in and QoS will be
  ! useless. In this case I had 512k up on the internet connection.
  shape average 480000
  service-policy Voice_Priority

On the crypto map, add qos pre-classify:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to68.118.31.246
 set peer 68.118.31.246
 set transform-set ESP-3DES-SHA
 match address 103
 qos pre-classify


On the interface apply the main policy-map:

interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 bandwidth 5000
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
 service-policy output Shape_Out

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That should be it. Then use “sh policy-map interface fa4” to see the QoS in action. Start a big upload and you should see Shaping Active: Yes while the upload is running. You’ll see the two classes of traffic, and if the phone traffic is being identified properly, you’ll see counters under both classes.
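As an added example (not part of the original article), this small Python linter checks a saved configuration for the mistakes this setup is sensitive to: a shape rate that is not below the real upload speed, a priority reservation larger than the shaper, and a crypto map without qos pre-classify. The function name audit, the uplink_bps parameter and the GOOD/BAD sample strings are assumptions constructed for illustration.

```python
import re

# Constructed sample: the article's config, trimmed to the lines the checks read.
GOOD = """\
policy-map Voice_Priority
 class Priority_Packets
  priority 256
policy-map Shape_Out
 class All_Traffic
  shape average 480000
  service-policy Voice_Priority
crypto map SDM_CMAP_1 1 ipsec-isakmp
 qos pre-classify
interface FastEthernet4
 crypto map SDM_CMAP_1
 service-policy output Shape_Out
"""
# Same config with two mistakes: shaper set to the full link speed, no pre-classify.
BAD = GOOD.replace("480000", "512000").replace(" qos pre-classify\n", "")

def audit(config, uplink_bps):
    """Hypothetical linter: return findings for the shaper/priority/pre-classify setup."""
    shape, prio, child, preclass, ifaces = {}, {}, {}, set(), {}
    kind = name = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(policy-map|interface) (\S+)$|crypto map (\S+) \d+ ipsec-isakmp", line):
            kind, name = m[1] or "cmap", m[2] or m[3]      # start of a new block
        elif kind == "policy-map" and (m := re.match(r"shape average (\d+)", line)):
            shape[name] = int(m[1])                        # bits per second
        elif kind == "policy-map" and (m := re.match(r"priority (\d+)", line)):
            prio[name] = prio.get(name, 0) + int(m[1]) * 1000   # kbps -> bps
        elif kind == "policy-map" and (m := re.match(r"service-policy (\S+)$", line)):
            child[name] = m[1]                             # nested child policy
        elif kind == "cmap" and line == "qos pre-classify":
            preclass.add(name)
        elif kind == "interface" and (m := re.match(r"(crypto map|service-policy output) (\S+)$", line)):
            ifaces.setdefault(name, {})[m[1]] = m[2]
    findings = []
    for ifname, cfg in ifaces.items():
        out, cmap = cfg.get("service-policy output"), cfg.get("crypto map")
        if out is None:
            continue                                       # no output policy applied here
        rate = shape.get(out, 0)
        if not 0 < rate < uplink_bps:
            findings.append(f"{ifname}: shape rate {rate} is not below uplink {uplink_bps}")
        if prio.get(child.get(out), 0) > rate:
            findings.append(f"{ifname}: priority reservation exceeds shape rate {rate}")
        if cmap and cmap not in preclass:
            findings.append(f"{ifname}: crypto map {cmap} lacks qos pre-classify")
    return findings
```

Call audit() with the text of the running configuration and the measured upload speed in bits per second; an empty list means all three checks passed.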

Special thanks to Brian S. for assistance with this article.