EzVPN using DVTIs & QoS

Unanswered Question
Sep 19th, 2007
User Badges:
  • Silver, 250 points or more

I am configuring an EzVPN client to use Dynamic VTIs; the config fragments are:

class-map match-all VOICE

match ip dscp ef

class-map match-any CALL-SETUP

match ip dscp af31

match ip dscp cs3

class-map match-any INTERNETWORK-CONTROL

match ip dscp cs6



policy-map 256-UPSTREAM


bandwidth percent 2


bandwidth percent 5

class VOICE

priority 128

class class-default



policy-map SHAPER-256-UPSTREAM

class class-default

shape average 192000

service-policy 256-UPSTREAM


interface FastEthernet0/0

ip address dhcp

ip access-group EXT-IN-PLUS in

duplex auto

speed auto

crypto ipsec client ezvpn TEST

service-policy output SHAPER-256-UPSTREAM


interface FastEthernet0/1

ip address

duplex auto

speed auto

no keepalive

crypto ipsec client ezvpn TEST inside


interface Virtual-Template1 type tunnel

no ip address

ip mtu 1408

ip tcp adjust-mss 1368

tunnel mode ipsec ipv4

I've discovered that the counters displayed in the "show policy-map interface ..." command only increment when the service-policy is attached outbound on the physical outside crypto interface. The examples I've seen on CCO suggest applying the service-policy on the virtual-template interface, but the counters don't increment and the QoS policies are not enforced. Where should the service-policy be applied in a DVTI EzVPN Client configuration?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion