QoS before Black Core

Started by config t, March 08, 2021, 06:34:06 AM


config t

One of my sites occasionally has service degradation issues because they are maxing out their bandwidth allocation on a shared black core circuit. The circuit provider is also telling me the traffic is not being tagged properly. I'm assuming they are talking about QoS.

What are my options for prioritizing traffic before it hits the black core? Wouldn't it become a moot point once the traffic is encrypted?

Please don't mistake my experience for intelligence.

deanwebb

Are the headers with source/destination and port numbers encrypted?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Take a look at the device doing the encryption, and look for an option to copy the QoS bits from the plaintext packet to the ciphertext packet. This is an option that some devices have.

-Otanx

Dieselboy

As Otanx said. I've done this with my traffic to give VoIP priority and then allocate bandwidth to corp web apps, over a series of VPN tunnels between sites over the internet. Basically, give all the traffic that needs classification/priority a QoS tag, then copy that QoS tag so that it's present post-encryption. Caveat is that you could tell which encrypted ESP packets are voice/video or corp HTTP, because they're effectively marked as such through QoS.

interface Tunnel41
 qos pre-classify
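A fuller version of what Otanx and Dieselboy describe, as an added example rather than configuration from either poster: a Cisco IOS router encrypting a GRE tunnel, classifying traffic on the DSCP values set before encryption, shaping to the circuit's committed rate, and queuing on the physical WAN interface. The interface names, addresses, the 50 Mb/s allocation, the DSCP values, and the `SITE-VPN` IPsec profile are all assumptions for the sake of the example.

```cisco
! Classify on DSCP already set by the phones and app servers
! (assumed: EF for voice, AF31 for corporate web apps).
! Everything else lands in class-default.
class-map match-any VOICE
 match dscp ef
class-map match-any CORP-WEB
 match dscp af31
!
! Child policy: strict-priority queue for voice, a guaranteed share
! for web, fair queuing for the rest.
policy-map WAN-QUEUE
 class VOICE
  priority percent 20
 class CORP-WEB
  bandwidth percent 30
 class class-default
  fair-queue
!
! Parent shaper: the WAN port links at 1 Gb/s but the allocation on the
! shared circuit is assumed to be 50 Mb/s. Shaping to that rate is what
! makes the queues engage here, before the provider starts dropping.
policy-map WAN-SHAPE
 class class-default
  shape average 50000000
  service-policy WAN-QUEUE
!
! The tunnel. qos pre-classify keeps a copy of the cleartext headers so
! the egress policy can still match inner addresses/ports after
! encryption. IOS copies the ToS byte (DSCP) into the outer header by
! default, so the marking survives and is visible to the black core.
! The crypto ipsec profile SITE-VPN is assumed to be defined elsewhere.
interface Tunnel41
 ip address 10.41.0.1 255.255.255.252
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile SITE-VPN
!
! The shaper goes on the physical interface the ciphertext leaves on.
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 service-policy output WAN-SHAPE
```

`show policy-map interface GigabitEthernet0/0` shows per-class packet counters and drops; if the VOICE class never increments, the DSCP is not reaching the router or is being remarked before the tunnel. Two caveats carry over from the thread: the copied DSCP only buys anything if the provider honours the same values end to end, and it leaks traffic class to anyone watching the ESP flow, since the EF-marked packets are the voice calls.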

config t

I appreciate the input.

Frustratingly this is out of my hands at the moment. The service provider to our service provider "a.k.a. big daddy" has a QoS marking standard and if it's not implemented end to end the point is moot. Still waiting for feedback. I did learn more about QoS and tunneling through TACLANEs though. There is a check box "DSCP bypass" that allows the headers to pass unencrypted.

Please don't mistake my experience for intelligence.