QoS - Uplink bandwidth management

Hello,

we have an ASG 220 appliance in use and are planning to activate QoS on the WAN interface (outbound). Before we hit the button there are some questions we were not able to resolve reading the documentation:

1. Traffic selectors > The v8.2 documentation states "Select if you want to use the TOS/DSCP field in the IP header to mark priority traffic. For example, in large VoIP installations, the TOS/DSCP flag is often used to mark VoIP traffic. If you do not want to reserve a fixed bandwidth for VoIP connections based on VoIP protocols, select the TOS-bits or DSCP bits used within your VoIP environment" The questions:

1.a) Are the packets really marked/mangled (DSCP value (re)written). Or is this rather a matching/selecting criteria?

1.b) What is meant with If you do not want to reserve a fixed bandwidth? Is there any QoS-Mechanism active without assigning the traffic selector to a bandwidth pool? If so, which?

2. Bandwidth pools > Supposed there is a bandwidth of 1000 kb/s assigned to VoIP-Traffic (10 VoIP lines): Does the complete configured bandwidth get reserved the moment the first 100 kb/s VoIP-line opens or does the bandwidth fill up dynamically? The latter would be the ideal case as 1 VoIP-line would not throttle the rest of the traffic too much.

Thanks for helping. Marko.

Parents

0 BAlfson over 12 years ago

If you do not want to reserve a fixed bandwidth for VoIP connections based on VoIP protocols, select the TOS-bits or DSCP bits used within your VoIP environment. How can a traffic selector (with a DSCP filter set) that is not assigned to a bandwidth pool have any effect on QoS? Is there some kind of "hidden" priority queueing or something else going on?

You're right, that is a pretty clumsy formulation. I think I would have said, "If it is impractical to use a traffic selector based on VoIP protocols (like SIP), then you can make one based on the DSCP/TOS bits used in your VoIP environment."

An example of where that's needed is when you have two sites connected by a VPN, and you want to make sure that VoIP calls between the two sites are not short of bandwidth. Since you only can apply a bandwidth pool to traffic leaving the Astaro, and since the only traffic leaving Astaro to the other site is IPsec, you can't make a traffic selector based on SIP. You can, however, make a traffic selector for IPsec with DSCP bits set.

Just to get this perfectly clear: If a VoIP stream uses just 100 kb/s of a configured 1000 kb/s bandwidth, other traffic is "allowed" to use the remaining 900 kb/s as long as it does not affect/limit the VoIP stream in any way?

Egg-zactly!

Cheers - Bob
PS And, you're right, the guide should read Select if you have used instead of if you want to use.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 BAlfson over 12 years ago

If you do not want to reserve a fixed bandwidth for VoIP connections based on VoIP protocols, select the TOS-bits or DSCP bits used within your VoIP environment. How can a traffic selector (with a DSCP filter set) that is not assigned to a bandwidth pool have any effect on QoS? Is there some kind of "hidden" priority queueing or something else going on?

You're right, that is a pretty clumsy formulation. I think I would have said, "If it is impractical to use a traffic selector based on VoIP protocols (like SIP), then you can make one based on the DSCP/TOS bits used in your VoIP environment."

An example of where that's needed is when you have two sites connected by a VPN, and you want to make sure that VoIP calls between the two sites are not short of bandwidth. Since you only can apply a bandwidth pool to traffic leaving the Astaro, and since the only traffic leaving Astaro to the other site is IPsec, you can't make a traffic selector based on SIP. You can, however, make a traffic selector for IPsec with DSCP bits set.

Just to get this perfectly clear: If a VoIP stream uses just 100 kb/s of a configured 1000 kb/s bandwidth, other traffic is "allowed" to use the remaining 900 kb/s as long as it does not affect/limit the VoIP stream in any way?

Egg-zactly!

Cheers - Bob
PS And, you're right, the guide should read Select if you have used instead of if you want to use.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 rolla over 12 years ago in reply to BAlfson

Perfect! This enables us to implement the exact scenario I had in mind:

> Clients in the back mark the traffic using TOS/DSCP (VOIP-Phones, Citrix ICA, Video Conferencing...)

> VPN Concentrator in the middle IPSEC-ing the packets and copying the TOS/DSCP to the IPSEC-header

> Astaro at the edge queueing and shapintg the traffic based on the TOS/DSCP bits regardless if it is a tunnel IPSEC-packet flowing to the branch office or a regular IP-packet on it's way to the Internet.

Your advice has been very helpful. Thanks Bob!

P.S. I will try to contact the documentation team at Astaro to get the guide fixed. There are surely others who struggled with this...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 heja over 11 years ago in reply to rolla

Hi rolla and BAlfson,

we improved our QoS documentation in version UTM9.
Please have a look at it. Any comments are appreciated.

Cheers
Heike
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 jjohnston62 over 11 years ago in reply to heja

link???

How 'bout a link to the UTM-9 documentation?

This stuff ain't so easy to find anymore given how big y'all are gettin'.

Thanks,
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 jjohnston62 over 11 years ago in reply to jjohnston62

Jon, you whiny person. Here's your link. Get some patience, will you?

Sophos UTM - Documentation - Support - Sophos
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 jjohnston62 over 11 years ago in reply to jjohnston62

That one doesn't work, but results in a 404 error for the actual admin guide.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel