When you have a requirement for QoS in an environment that utilizes VPN tunnels, you can run into problems, because...
when high priority packets enter a tunnel, they are treated the same as low priority packets by all device that the tunnel traverses, simply because these devices cannot see through the encryption to discern the priority of the concealed packets, which will have a bad impact on QoS.
If you're using the ToS (type of service) byte to differentiate your traffic, and Cisco routers and switches as your networking infrastructure, you may not have as much of a problem, because the ToS byte is automatically copied from the original packet's header to the encrypted packet's header. However, if your scheme is more granular and flow-based, you may want to use the "qos pre-classify" feature.
This feature allows the encrypting device to run its QoS classification before a packet is encrypted. You can use the pre-classify feature on the tunnel interface or a physical interphase, depending on where your policy is applied or what your anticipated congestion points are.
You can find more information about this on Cisco's CCO Web site. According to their Web site, Cisco recommends using a hierarchical policy on the physical interface, where the parent policy includes one class per tunnel for all traffic in the tunnel, in conjunction with the shape command for managing the output. Child policies provide classification inside the tunnels and use the qos-preclassify feature.
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.