Kings - So that is pretty much my understanding, which is a good thing. Now on to bandwidth policing....

If I had a policy that restricted telnet to 40Kbps:

With QoS pre-classify - encryption is completed last, so that my actual telnet bandwidth is 40Kbps, then sent to the output queue where it's encrypted and sent on its way?

Without QoS pre-classify - encryption is done first, so I would need to mark the telnet traffic (DSCP or ToS). It's then encrypted with IP header info preserved and given 40Kbps (including crypto overhead). Which means that I really don't have 40Kbps reserved for telnet - correct?

Just trying to make sure my understanding is correct.

Regards,
Matt Blake

From: Kingsley Charles [mailto:[email protected]]
Sent: Tuesday, October 20, 2009 12:36 AM
To: Matt Blake
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] QoS pre-classify

Hi Matt

With IPSec, the ToS value is copied to the new IP header but the other information is hidden. Let's say there is a QoS policy that says that telnet traffic should get 40 Kbps BW. With IPSec VPN, the payload is encrypted and hence the router will not be able to identify which type of traffic is inside the VPN packet. Thereby the QoS policy of identifying telnet traffic won't work. With QoS pre-classify, the classification is done before encryption and hence, QoS action can be taken. Without QoS pre-classify, you can just classify the VPN packet based on the ToS or DSCP value.

With regards
Kings

On Tue, Oct 20, 2009 at 2:51 AM, Matt Blake <[email protected]> wrote:

All,

Would the 2 statements below be 100% accurate?

With QoS pre-classify, encryption happens last so that if it's necessary to use TCP / UDP header information to apply QoS parameters it will be done prior to encryption.

Without QoS pre-classify, encryption is done first and the DSCP / ToS bits in the original IP header are preserved. No option to use layer 4 information for QoS.

Also: I know that the actual reserved bandwidth differs between the two. Does anyone have a quick link (or explanation) on why this is the case? It has to do with the IPSec overhead but does it impact the actual bandwidth used if doing policing? Or will you be able to forward less "actual" traffic because of the overhead and the used bandwidth is the same regardless.

- Matt

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com <http://www.ipexpert.com/>
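Added illustration (editor's example, not configuration posted by either participant): a minimal Cisco IOS fragment showing the two approaches the thread compares, a telnet policer on the WAN interface with qos pre-classify, and the same policer driven by DSCP marking when pre-classify is not used. Interface names, the crypto map name VPNMAP, the ACL and class names, the peer address and the AF11 marking are all assumed values; ISAKMP policy and transform-set definitions are omitted because they do not affect the QoS behaviour being shown.

```text
! ---- Common pieces: identify telnet by its TCP port and police it to 40 kbps ----
! (assumed names: TELNET-ACL, TELNET, POLICE-TELNET)
ip access-list extended TELNET-ACL
 permit tcp any any eq telnet

class-map match-all TELNET
 match access-group name TELNET-ACL

policy-map POLICE-TELNET
 class TELNET
  police 40000 conform-action transmit exceed-action drop

! ---- Option A: QoS pre-classify ----
! The crypto map keeps a copy of the cleartext headers, so the TELNET
! class can still match TCP port 23 even though the service-policy is
! applied to the encrypted packets leaving Serial0/0.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 match address CRYPTO-ACL
 qos pre-classify

interface Serial0/0
 crypto map VPNMAP
 service-policy output POLICE-TELNET

! ---- Option B: no pre-classify, mark before encryption ----
! Mark telnet on the inside interface. IPsec copies the ToS byte to the
! outer header, so the WAN-side policy can only match on DSCP, not on
! ports. Remove "qos pre-classify" from VPNMAP for this variant.
policy-map MARK-TELNET
 class TELNET
  set dscp af11

class-map match-all TELNET-DSCP
 match dscp af11

policy-map POLICE-TELNET-DSCP
 class TELNET-DSCP
  police 40000 conform-action transmit exceed-action drop

interface FastEthernet0/0
 service-policy input MARK-TELNET

interface Serial0/0
 crypto map VPNMAP
 service-policy output POLICE-TELNET-DSCP
```

In both variants the policer sits on the physical egress interface and meters the packets as they leave it, i.e. after ESP/tunnel headers have been added; qos pre-classify changes what the class-map is able to see, not what the policer measures. The conform/exceed counters from `show policy-map interface Serial0/0` are the place to confirm this on a lab router.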
