Security Basics mailing list archives

Re: Network Upgrade


From: "Jon R. Kibler" <Jon.Kibler () aset com>
Date: Mon, 10 Mar 2008 12:26:49 +0000

James Lee Bell wrote:
Really? So within an apparent single IPSEC stream that's actually multiple data streams, the router applies DSCP setting on a per packet basis, or perhaps rather a per SA basis? Very cool. Thanks for the info.


Okay, let me clarify just a little. Pardon the ASCII art.

          +-----------+
          |           |
LAN ------+A         B+------- MPLS
          |           |
          +-----------+

Here you have a router with 2 Interfaces. I/F A is LAN facing. I/F B is
world facing via MPLS.

I/F A originates all the data streams from the LAN. That is where all
QoS processing occurs on clear text traffic. It can see all the Layer 3
and above info to make these decisions. When traffic has completed its
I/F A processing, it has the DSCP values set in the IP header.

Next, when outbound traffic hits I/F B, it has IPSec encryption and
authentication applied (assume: tunnel mode ESP), and the existing DSCP
value set by I/F A is copied into the new tunnel mode IP header. Thus,
you get both QoS and IPSec.

Word of warning though with MPLS. Most MPLS vendors do not support
the full set of DSCP values and if you do not tightly control how
you set DSCP, you may get traffic routed at precedence 0 that should
have been at a higher precedence -- all because the ISP did not
recognize the AF DSCP setting. Take care how you apply DSCP in an
MPLS environment and make sure you follow the ISP's rules for mapping
IP QoS to MPLS CoS.


Jon K.
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
(843) 849-8214
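As an added illustration (not part of Jon's message), a small Python model of the two points above: the outer tunnel-mode header taking its DSCP from the inner packet at I/F B, and an audit of which DSCP values an ISP that only honours a given set would silently drop to precedence 0. The addresses, the ISP-supported set and the precedence-mapping rule are constructed assumptions, and ESP encryption is omitted so the headers can be inspected.

```python
import struct

# DSCP code points used below (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
CS0, AF41, CS5, EF = 0, 34, 40, 46

def ipv4_checksum(hdr: bytes) -> int:
    # Standard one's-complement sum over the 20-byte header.
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, dscp: int, ecn: int, length: int) -> bytes:
    # Minimal 20-byte IPv4 header; DSCP is the top 6 bits of the ToS byte, ECN the low 2.
    tos = (dscp << 2) | ecn
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, length, 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def dscp_of(pkt: bytes) -> int:
    return pkt[1] >> 2

def tunnel_encap(inner: bytes, outer_src: bytes, outer_dst: bytes) -> bytes:
    # What I/F B does to the header: a new outer IP header (protocol 50 = ESP) whose
    # DSCP is copied from the inner packet set by I/F A. Encryption is left out here;
    # the inner packet is carried as-is so the DSCP copy can be checked.
    outer = ipv4_header(outer_src, outer_dst, 50, dscp_of(inner), 0, 20 + len(inner))
    return outer + inner

def isp_precedence(dscp: int, isp_supported: set) -> int:
    # Assumed ISP behaviour from the warning: recognised DSCPs map to MPLS CoS by
    # their top 3 bits (IP precedence); anything unrecognised falls to precedence 0.
    return dscp >> 3 if dscp in isp_supported else 0

def audit(dscps, isp_supported):
    # (dscp, intended precedence, precedence the ISP would apply) for every downgrade.
    return [(d, d >> 3, isp_precedence(d, isp_supported))
            for d in dscps if isp_precedence(d, isp_supported) != d >> 3]

if __name__ == "__main__":
    # Constructed sample: an AF41-marked UDP packet from the LAN, tunnelled over MPLS.
    inner = ipv4_header(b"\x0a\x00\x00\x05", b"\x0a\x00\x01\x07", 17, AF41, 0, 28) + b"\x00" * 8
    outer = tunnel_encap(inner, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    print("outer DSCP:", dscp_of(outer), "inner DSCP:", dscp_of(outer[20:]))
    # Assumed ISP that only honours class selectors CS0/CS5 and EF: AF41 gets downgraded.
    print("downgraded:", audit([AF41, EF, CS5], {CS0, CS5, EF}))
```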




