Virtual Circuits

Virtual circuits are created within circuits in the policy tree and are used to logically divide or partition the circuit. The virtual circuitlogical definitions that partition a a physical network circuit and used to determine what traffic passes through it and how much defines what traffic will be processed in this partition and how much bandwidth it is allowed. The virtual circuit can enforce fair sharing amongst the network hosts. Traffic is evaluated against the definition of the virtual circuit. Traffic that does not fall within the virtual circuit is evaluated by the next virtual circuit and so on. Each virtual circuit will have it's own set of policy rules.

The following are common use cases for virtual circuits.

  • Virtual circuits are configured to allocate bandwidth or specify policy rules for each branch office or service provider's customer.
  • Separate virtual circuits are configured for WANWide Area Network data and for Internet data.
  • Separate virtual circuits are configured for inbound traffic and for outbound traffic.Virtual circuits cannot be asymmetric, so this technique will accommodate the need for asymmetric partitioning of the circuit.
  • Separate virtual circuits are configured for different aspects of your network for monitoring purposes. For instance, one virtual circuit could be configured to control and monitor your wifi network, and another to control and monitor your servers, and another to control and monitor your back-office computers.
  • A virtual circuit can enforce fair sharing amongst the network hosts in the virtual circuit.
  • A virtual circuit can ensure that a limited number of hosts or connections get preferential treatment.

A virtual circuit can partition the circuit by filtering the traffic by time of day, by VLAN range, by subnets or hosts, by particular application or application group, by traffic direction, and by capping the number of active connections or capping the number of active hosts within the virtual circuit. Any combination of these filters can be applied. For example, you can create a virtual circuit such that a particular branch (or subnet) is allowed a certain set of policies for inbound traffic (as direction) during off work hours (using a schedule).

A virtual circuit specifies its desired bandwidth either as kbps or as a percentage of it's parent circuit. When the sum of the desired bandwidths for all the virtual circuits within a circuit exceeds the circuit's bandwidth, the circuit is oversubscribed. Each virtual circuit specifies how it would like to deal with oversubscription. That is, either let the system automatically share the bandwidth amongst the virtual circuits, or specify a minimum bandwidth that is required.

Additionally, a virtual circuit can enable fair sharing amongst hosts in the virtual circuit. When fair sharing is enabled, the virtual circuit is called a dynamic virtual circuit and a further level of traffic shaping is introduced. Traffic is first shaped at the host level, then at the policy level. The bandwidth allocated will be the minimum of the two levels.

A virtual circuit can provide preferential treatment to a limited number of active hosts or to a limited number of active connections.


When configuring a dynamic virtual circuit, the system will not allow the per host bandwidth to be less than 10 kbps, in which case the number of allowed hosts is calculated to be the virtual circuit bandwidth/10 kbps. Any hosts beyond the limit are then evaluated against later virtual circuits in the policy tree.

There is a system limit of 32,500 hosts that can fall into each dynamic virtual circuit. This may occur if the virtual circuit has more than 300 Mbps of bandwidth. When this limit is exceeded, hosts fall into the next applicable virtual circuit.


It is a best practice to create an overflow virtual circuit immediately after a virtual circuit with a connection limit or a host limit, to capture the connections or hosts that were excluded.

Setting options for a virtual circuit.

Network objects are typically used when virtual circuits are created for specific branch office locations, or other subsets of the network, or user groups. Each branch office location or user group would be represented by a static network objecta logical definition created and stored in the Exinda lilbrary, can represent any network component or a dynamic network objectnetwork objects automatically updated and maintained by the Exinda appliance (such as an Active Directory group). A default network object, private net, exists which defines all non-routable subnets. This can be used to create a virtual circuit for all WAN data.

The direction is used to ensure that the virtual circuit only captures traffic in a certain direction. This is useful for asymmetric circuits, as these generally require that at least two virtual circuits are defined - one for the inbound bandwidth and one for the outbound bandwidth.

Virtual circuits are part of the policy tree. To learn how circuits, virtual circuits, and policies work together, see Policy Tree.

Related Topics