Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

QoS Service-Policies on Dynamic VTI (IPSEC) Interfaces

Hi,

I'm looking at setting up a large scale (1000+) client VPN system and I'm trying to understand the new QoS capabilities of dynamic VTIs. From what I have read, I believe I can setup both inbound and output service policies for each VPN user. What I'd like to know is how these service policies affect the physical interface service policies?

My initial thoughts are that VTI service policies can only rate-limit/police matching traffic or remark traffic for use on the physical outbound service policy. This also implies that the re-marked DSCP/ToS is automatically copied to the IPSEC header and the IPSEC head DSCP/ToS setting used on the outbound service policy. Is this correct?

Ideally I'd like to setup an outbound LLQ for VoIP traffic. Is it possible / worthwhile setting up an LLQ on the VTI service policy? - or is it better to policy each user's VoIP traffic to a limit and rely on the outbound physical service policy to run the LLQ for all VoIP traffic combined?

Any help or comments would be greatly appreciated,

Thank you,

1 REPLY
Silver

Re: QoS Service-Policies on Dynamic VTI (IPSEC) Interfaces

Yes, re-marked DSCP/ToS is automatically copied to the IPSEC header and the IPSEC head DSCP/ToS setting used on the outbound service policy. Also, it is better to policy each user's VoIP traffic to a limit and rely on the outbound physical service policy to run the LLQ for all VoIP traffic combined

585
Views
4
Helpful
1
Replies
CreatePlease login to create content