SonicOS 7.1 Objects

Main Site: Sample Access Rule or Security Rule Configurations

| Setting | Access Rule or Security Rule 1 | Access Rule or Security Rule 2 |
|---|---|---|
| General View | | |
| Action | Allow | Allow |
| From Zone | LAN | VPN |
| To Zone | VPN | LAN |
| Service | VOIP | VOIP |
| Source | LAN Subnets | Remote Site 1 Subnets |
| Destination | Remote Site 1 Subnets | LAN Subnets |
| Users Allowed | All | All |
| Schedule | Always on | Always on |
| Enable Logging | Enabled | Enabled |
| Allow Fragmented Packets | Enabled | Enabled |
| QoS View | | |
| DSCP Marking Action | Map | Map |
| Allow 802.1p Marking to override DSCP values | Enabled | Enabled |
| 802.1p Marking Action | Map | Map |

VoIP traffic (as defined by the Service Group) arriving from Remote Site 1 Subnets across the VPN destined to LAN Subnets on the LAN zone at the Main Site would hit the Access Rule or Security Rule for inbound VoIP calls. Traffic arriving at the VPN zone does not have any 802.1p tags, only DSCP tags.

  • Traffic exiting the tunnel containing a DSCP tag (for example, CoS = 48) would have the DSCP value preserved. Before the packet is delivered to the destination on the LAN, it will also be 802.1p tagged according to the QoS Mapping settings (for example, CoS = 6) by the firewall at the Main Site.
  • Assuming returned traffic has been 802.1p tagged (for example, CoS = 6) by the VoIP phone receiving the call at the Main Site, the return traffic will be DSCP tagged according to the conversion map (CoS = 48) on both the inner and outer packet sent back across the VPN.
  • Assuming returned traffic has been DSCP tagged (for example, CoS = 48) by the VoIP phone receiving the call at the Main Site, the return traffic will have the DSCP tag preserved on both the inner and outer packet sent back across the VPN.
  • Assuming returned traffic has been both 802.1p tagged (for example, CoS = 6) and DSCP tagged (for example, CoS = 14) by the VoIP phone receiving the call at the Main Site, the return traffic will be DSCP tagged according to the conversion map (CoS = 48) on both the inner and outer packet sent back across the VPN.
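
The four cases above can be checked against a packet capture with a small model of the marking decision. This is an added example, not SonicOS code; the function names are hypothetical, and the conversion map (DSCP = 8 × 802.1p priority) is an assumption chosen to match the 6 ↔ 48 pairing used on this page, so compare it with the QoS Mapping table on the firewall.

```python
# Added illustration, not SonicOS code. Models the Main Site rules as shown in
# the table: DSCP action = Map, 802.1p action = Map, 802.1p override = Enabled.

# Assumption: class-selector conversion map (DSCP = 8 * 802.1p priority),
# consistent with the page's 6 <-> 48 example.
DOT1P_TO_DSCP = {p: p * 8 for p in range(8)}


def dscp_to_dot1p(dscp):
    """Map a 6-bit DSCP value to a 3-bit 802.1p priority by range (assumed map)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field (0-63)")
    return dscp // 8


def inbound_from_vpn(dscp):
    """VPN -> LAN: DSCP is preserved and an 802.1p tag is added from the map.
    Traffic arriving on the VPN zone carries no 802.1p tag."""
    return {"dscp": dscp, "dot1p": dscp_to_dot1p(dscp)}


def return_to_vpn(dot1p=None, dscp=0):
    """LAN -> VPN: DSCP written to both the inner and the outer packet."""
    if dot1p is not None:
        if dot1p not in DOT1P_TO_DSCP:
            raise ValueError("802.1p priority is a 3-bit field (0-7)")
        out = DOT1P_TO_DSCP[dot1p]  # 802.1p present: mapped value overrides DSCP
    else:
        if not 0 <= dscp <= 63:
            raise ValueError("DSCP is a 6-bit field (0-63)")
        out = dscp                  # DSCP only: preserved
    return {"inner_dscp": out, "outer_dscp": out}


def tos_byte(dscp, ecn=0):
    """IPv4 ToS / IPv6 Traffic Class byte as seen in a capture."""
    return (dscp << 2) | ecn


def vlan_tci(pcp, vlan_id, dei=0):
    """802.1Q Tag Control Information: PCP (3 bits), DEI (1), VLAN ID (12)."""
    return (pcp << 13) | (dei << 12) | vlan_id


if __name__ == "__main__":
    print(inbound_from_vpn(48))              # first bullet
    print(return_to_vpn(dot1p=6))            # second bullet
    print(return_to_vpn(dscp=48))            # third bullet
    print(return_to_vpn(dot1p=6, dscp=14))   # fourth bullet
    print(hex(tos_byte(48)), hex(vlan_tci(6, 100)))  # VLAN ID 100 is a constructed sample
```
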