<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic QoS Service-Policies on Dynamic VTI (IPSEC) Interfaces in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/qos-service-policies-on-dynamic-vti-ipsec-interfaces/m-p/519465#M1055106</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I'm looking at setting up a large scale (1000+) client VPN system and I'm trying to understand the new QoS capabilities of dynamic VTIs. From what I have read, I believe I can set up both inbound and output service policies for each VPN user. What I'd like to know is how these service policies affect the physical interface service policies?&lt;/P&gt;&lt;P&gt;My initial thoughts are that VTI service policies can only rate-limit/police matching traffic or remark traffic for use on the physical outbound service policy. This also implies that the re-marked DSCP/ToS is automatically copied to the IPSEC header and the IPSEC header DSCP/ToS setting used on the outbound service policy. Is this correct?&lt;/P&gt;&lt;P&gt;Ideally I'd like to set up an outbound LLQ for VoIP traffic. Is it possible / worthwhile setting up an LLQ on the VTI service policy? - or is it better to police each user's VoIP traffic to a limit and rely on the outbound physical service policy to run the LLQ for all VoIP traffic combined?&lt;/P&gt;&lt;P&gt;Any help or comments would be greatly appreciated,&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 08:54:56 GMT</pubDate>
    <dc:creator>richardwatson</dc:creator>
    <dc:date>2020-02-21T08:54:56Z</dc:date>
    <item>
      <title>QoS Service-Policies on Dynamic VTI (IPSEC) Interfaces</title>
      <link>https://community.cisco.com/t5/network-security/qos-service-policies-on-dynamic-vti-ipsec-interfaces/m-p/519465#M1055106</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I'm looking at setting up a large scale (1000+) client VPN system and I'm trying to understand the new QoS capabilities of dynamic VTIs. From what I have read, I believe I can set up both inbound and output service policies for each VPN user. What I'd like to know is how these service policies affect the physical interface service policies?&lt;/P&gt;&lt;P&gt;My initial thoughts are that VTI service policies can only rate-limit/police matching traffic or remark traffic for use on the physical outbound service policy. This also implies that the re-marked DSCP/ToS is automatically copied to the IPSEC header and the IPSEC header DSCP/ToS setting used on the outbound service policy. Is this correct?&lt;/P&gt;&lt;P&gt;Ideally I'd like to set up an outbound LLQ for VoIP traffic. Is it possible / worthwhile setting up an LLQ on the VTI service policy? - or is it better to police each user's VoIP traffic to a limit and rely on the outbound physical service policy to run the LLQ for all VoIP traffic combined?&lt;/P&gt;&lt;P&gt;Any help or comments would be greatly appreciated,&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 08:54:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/qos-service-policies-on-dynamic-vti-ipsec-interfaces/m-p/519465#M1055106</guid>
      <dc:creator>richardwatson</dc:creator>
      <dc:date>2020-02-21T08:54:56Z</dc:date>
    </item>
    <item>
      <title>Re: QoS Service-Policies on Dynamic VTI (IPSEC) Interfaces</title>
      <link>https://community.cisco.com/t5/network-security/qos-service-policies-on-dynamic-vti-ipsec-interfaces/m-p/519466#M1055107</link>
      <description>&lt;P&gt;Yes, re-marked DSCP/ToS is automatically copied to the IPSEC header and the IPSEC header DSCP/ToS setting used on the outbound service policy. Also, it is better to police each user's VoIP traffic to a limit and rely on the outbound physical service policy to run the LLQ for all VoIP traffic combined.&lt;/P&gt;</description>
      <pubDate>Fri, 26 May 2006 12:47:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/qos-service-policies-on-dynamic-vti-ipsec-interfaces/m-p/519466#M1055107</guid>
      <dc:creator>ebreniz</dc:creator>
      <dc:date>2006-05-26T12:47:39Z</dc:date>
    </item>
  </channel>
</rss>

