QoS VPN-IPsec

Perhaps you can help me :)

We have various remote offices with VoIP (Asterisk) connected with VPNs (IPsec). This is the topology in all remote offices:

LAN (VLAN DATA & VLAN VoIP) - Firewall Fortinet (IPsec VPNs) - ROUTER (Cisco 1800 Series)

I need to do QoS in the Cisco router (the Fortinet doesn't have QoS), but the packets that arrive at the router are already encrypted by the Fortinet (IPsec). How could I apply QoS to encrypted traffic to prioritize VoIP traffic in these routers?

Best Regards,

Reply to
link

Firstly, you can only prioritise outbound traffic, just in case you had not noticed that :)

Unless the Fortinet can set some QoS bits in the L3 DS byte or the L2 CoS bits then you can't.

Oh maybe you can?!

Voice payload packets tend to be the same length and different from most data packets, so you could classify them on the length and very probably get the effect that you wanted almost all of the time or more. Each codec will produce voice packets of a particular length, and I am pretty sure that the IPsec header is always the same length for a particular length input packet.

Another approach would be to consider putting them in a different IPsec tunnel with at least one different end address. Perhaps if you arrange to get the packets to the FortiGate with the QoS bits set it will copy them to the new IPsec header. This is the Cisco behaviour I believe, as long as the input port is configured to "trust QoS".

Finally, you might want to look at IPsec tunnel mode vs transport mode. One of these I think preserves the IP header.

This all depends on getting QoS going on the 1800. I have had variable luck with 877 but maybe the 1800 has a more complete implementation?

Reply to
bod43

You might also move the VPN to the Cisco. This would require a crypto feature set, and I am not sure of the 1800 crypto performance.

Reply to
bod43

"Another approach would be to consider putting them in a different IPsec tunnel with at least one different end address. Perhaps if you arrange to get the packets to the FortiGate with the QoS bits set it will copy them to the new IPsec header. This is the Cisco behaviour I believe, as long as the input port is configured to "trust QoS"."

I have different IPsec tunnels for data and voice.

How could I configure QoS in the Cisco router to give more priority to the IPsec voice tunnel?

Reply to
link

There is the possibility we are not on the same wavelength here. I meant by separate tunnels having different IP addresses for the endpoints.

If that is the case you could classify the traffic on the different IP addresses then do the recommended LLQ.

What kind of outside interface do you have?

Reply to
bod43

I have a serial interface, 2 Mbps point to point.

Reply to
link

Wouldn't your VoIP equipment already be setting DSCP in the IP headers to differentiate these from data?

The local IPSec endpoint may also be copying the DSCP of the inner IP header to the outer encapsulating IP header.

A sniffer would determine the answers to both.

If your voice traffic is already marked, and the encapsulated voice traffic is already marked, then you may only need to address output policy (congestion management and avoidance) on the router.

Best Regards, News Reader

Reply to
News Reader
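The two suggestions above (classify on the voice tunnel's peer address or on packet length, then put that class into LLQ, and rely on the outer header carrying the inner DSCP if the FortiGate copies it) can be combined in one IOS CBWFQ/LLQ policy on the serial interface. The following is an added example written for this page, not configuration posted by any participant. Everything specific in it is assumed: the voice tunnel terminates on peer 203.0.113.10, the data tunnel on 203.0.113.20, the WAN port is Serial0/0/0 at 2048 kbit/s, the voice class is capped at 512 kbit/s, and the ESP length range 100 to 300 bytes is a placeholder for what a sniffer actually shows for the codec in use.

```text
! Added example, not from the thread. Peer addresses, interface name,
! bandwidth figures and the packet-length range are assumptions.
!
! Outer ESP packets for the voice tunnel: classified on the tunnel peer
! (bod43's separate-endpoint approach). 4500/udp covers NAT-T if used.
ip access-list extended VOICE-TUNNEL
 permit esp any host 203.0.113.10
 permit udp any host 203.0.113.10 eq 4500
!
! Length-based fallback (bod43's first idea) for the case where the
! FortiGate uses one peer for everything: ESP frames carrying a single
! 20 ms voice sample are small and uniform; measure the real range first.
ip access-list extended ANY-ESP
 permit esp any any
 permit udp any any eq 4500
!
class-map match-all VOICE-BY-LENGTH
 match access-group name ANY-ESP
 match packet length min 100 max 300
!
! Voice class: matches if the outer header already carries EF (the
! FortiGate copied the inner DSCP, per News Reader's note), or if the
! packet is headed to the voice-tunnel peer, or if it looks like a
! voice-sized ESP frame.
class-map match-any VOICE-ENCRYPTED
 match dscp ef
 match access-group name VOICE-TUNNEL
 match class-map VOICE-BY-LENGTH
!
! LLQ: strict priority for voice, policed to 512 kbit/s so a burst cannot
! starve the data tunnel; everything else gets fair queueing.
policy-map WAN-OUT
 class VOICE-ENCRYPTED
  priority 512
 class class-default
  fair-queue
!
! Outbound only, as noted above: QoS on this box can only shape what it sends.
interface Serial0/0/0
 bandwidth 2048
 service-policy output WAN-OUT
!
! Verification: after a few calls, the VOICE-ENCRYPTED counters should be
! non-zero and class-default should show any drops under load.
! show policy-map interface Serial0/0/0
```

Before trusting the `match dscp ef` line, confirm with a capture on the router side of the FortiGate that the outer IP header actually carries EF; if it does not, the policy still works through the peer-address and length matches, but those should then be tightened to the values seen in the capture.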
