prioritization and IP VPN

Eric Vyncke evyncke at CISCO.COM
Tue Jul 18 01:47:39 EDT 2000


First have a look at my email address to detect any bias ;-)

As you know, there are a couple of ways to implement quality of service:
- diff-serv: coloring IP packets with precedence/DSCP and having all
   routers and switches apply different shaping/scheduling/dropping on
   the data paths.
- int-serv: using an out-of-band signaling called RSVP to signal the requested
   bandwidth/delay on all the routers and switches on the way
- proprietary (but useful in some configurations) tricks like TCP window pacing

diff-serv and int-serv need to be implemented in the majority of the routers/switches
to be efficient. Hence, they are usually reserved for SP networks and/or enterprise
networks. They are useless over the Internet.

The TCP window pacing works over unmanaged networks like the Internet but
has other drawbacks (this is where my vendor bias can be smelled).

Anyway, IPSec works fine with diff-serv. More specifically with Cisco IOS IPSec,
the precedence color is kept after encryption and all QoS mechanisms (except
WFQ in most cases) work with encrypted packets. I have designed about half of
dozens of networks using this capability, and QoS is indeed enforced ;-)

AFAIK, int-serv is broken after IPSec.

TCP window pacing should still work provided that the pacing is applied on
the clear text TCP connection (outside of the IPSec tunnel).

Hope this helps

-eric

At 00:00 18/07/2000 +0200, MaN-H wrote:
>We want to implement a site to site connectivity using the CISCO IP VPN solution
>(IPSec tunnels, ESP).
>The problem is that we want to prioritize some applications (Citrix, VoIP).
>We have successfully tested the PacketShaper product provided by Packeteer set
>before each CPE.
>Has somebody tested another solution, can he share his experience?
>
>MaN-H
>
>VPN is sponsored by SecurityFocus.COM

Eric Vyncke
Senior Consulting Engineer         Cisco Systems EMEA
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke at cisco.com          Mobile: +32-75-312.458
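
Added example, not part of the original post and not Cisco IOS code: a Python sketch of tunnel-mode ESP framing that copies the inner ToS byte to the outer header, so a precedence/DSCP classifier still works on the encrypted packet, while a classifier that keys on transport ports sees only one ESP flow between the gateways. All addresses, ports and the SPI are constructed, and random bytes stand in for the ciphertext.

```python
import os
import struct

def ipv4(tos, proto, src, dst, payload):
    """20-byte IPv4 header plus payload; checksum left at 0 for brevity."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                      0, 0, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, data):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18,
                       8192, 0, 0) + data

def esp_tunnel(inner, gw_src, gw_dst, spi, seq):
    """Tunnel-mode ESP framing. Random bytes stand in for the ciphertext
    (no real cipher, padding or ICV): only the header handling matters here."""
    esp = struct.pack("!II", spi, seq) + os.urandom(len(inner))
    outer_tos = inner[1]  # copy the inner ToS byte into the outer header
    return ipv4(outer_tos, 50, gw_src, gw_dst, esp)  # protocol 50 = ESP

def precedence(pkt):
    return pkt[1] >> 5   # top 3 bits of the ToS byte

def dscp(pkt):
    return pkt[1] >> 2   # top 6 bits of the ToS byte

def flow_key(pkt):
    """What a per-flow classifier can read from the wire: addresses and
    protocol always, ports only if the transport header is clear text."""
    proto = pkt[9]
    ports = struct.unpack("!HH", pkt[20:24]) if proto in (6, 17) else None
    return (pkt[12:16], pkt[16:20], proto, ports)

# Constructed sample traffic: hosts, gateways, ports and SPI are made up.
HOST_A, HOST_B = [10, 1, 0, 5], [10, 2, 0, 9]
GW_A, GW_B = [192, 0, 2, 1], [198, 51, 100, 1]
VOICE = ipv4(46 << 2, 17, HOST_A, HOST_B, udp(16384, 16384, b"rtp"))  # DSCP EF
BULK = ipv4(0, 6, HOST_A, HOST_B, tcp(40000, 80, b"bulk"))  # best effort

if __name__ == "__main__":
    for name, pkt in (("voice", VOICE), ("bulk", BULK)):
        enc = esp_tunnel(pkt, GW_A, GW_B, 0x1001, 1)
        print(name, "dscp", dscp(enc), "precedence", precedence(enc),
              "flow", flow_key(enc))
```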
