01-15-2004 01:15 AM
I have this situation (different QoS needed):
traffic_1 priority = 1
traffic_2 priority = 2
traffic_3 priority = 3
The traffic is flowing among different sites. Sites are connected by the service provider's MPLS network. I use MPLS to give the QoS needed (different label for different priority)
traffic_1 --> --------- --> label_1[traffic_1]
traffic_2 --> |MPLS CE| --> label_2[traffic_2]
traffic_3 --> --------- --> label_3[traffic_3]
I don't trust the provider, I'd like to add IPsec to protect my traffic (I guess in transport mode).
traffic_1 --> ----------- ---------
traffic_2 --> |IPsec box| --> |MPLS CE| --> MPLS NTW
traffic_3 --> ----------- ---------
If I use IPsec before the CE, is it still possible for the CE to discriminate the traffic for the MPLS labeling? Or does IPsec hide the fields used to discriminate traffic? I think this is true for IPsec-ESP but not for AH.
Ale
01-15-2004 01:40 AM
Hello,
Unless you are encrypting end to end (i.e. client to host) you will need to use tunnel mode.
With both tunnel and transport mode IPSEC and IKE use their own IP protocol ID, so you won't be able to classify your traffic anymore based on their original protocol ID and port.
01-15-2004 01:53 AM
What about using the TOS field to label the packet? I read that IPsec, even in tunnel mode, copies the TOS field from the original packet to the new IP header.
Do I have to use tunnel mode even if the VPN is provided by MPLS itself? The MPLS is used first to create a site-to-site VPN over the provider's public network and secondly to provide different QoS for traffic flowing inside the VPN itself.
Ale
01-15-2004 04:43 AM
I've also heard that the TOS is carried through, but I haven't tested this.
IPSEC Tunnel mode is independent of how the MPLS VPN is provided.
If a router is providing the IPSEC for a number of client connections normally the client's packet will come in with ipaddress_a and then be placed in an IPSEC tunnel with source ipaddress_b which is the ip address of the router. Perhaps some routers can provide transport mode, and retain the source ipaddress_a even in ipsec, but I haven't come across this. I would be interested if others have.
03-19-2004 07:54 AM
You can try and use "qos pre-classification" feature of Cisco IOS to do TOS Byte reflection of the actual packet to the IPSec VPN Tunnel header.
Ashraf
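As an added illustration of the classification point made in this thread (not code from the thread, from Cisco or from any poster): a Python sketch that builds an inner UDP packet, wraps it in ESP tunnel mode with the TOS byte either copied or not copied to the outer header, and shows what a downstream CE router can still classify on. Addresses and ports are constructed, and the ESP body is obscured with an XOR placeholder standing in for real encryption so the example runs offline.

```python
import struct

ESP_PROTO = 50   # IP protocol number carried by an ESP packet
UDP_PROTO = 17
TCP_PROTO = 6

def ipv4_header(tos, proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header without options; checksum left 0 for brevity."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, 0, 0, 64, proto, 0, src, dst)

def udp_packet(tos, src, dst, sport, dport, data):
    """Inner (cleartext) packet as a host would send it to the IPsec box."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_header(tos, UDP_PROTO, src, dst, len(udp)) + udp

def esp_tunnel(inner, gw_src, gw_dst, copy_tos=True):
    """Tunnel-mode ESP: the whole inner packet becomes the (obscured) ESP payload.
    copy_tos=True models the behaviour discussed above (TOS reflected to the outer
    header); False models an implementation that does not copy it."""
    outer_tos = inner[1] if copy_tos else 0
    # SPI and sequence number, then a placeholder for the encrypted inner packet
    # (constructed XOR, NOT real ESP encryption).
    esp_body = struct.pack("!II", 0x1000, 1) + bytes(b ^ 0xAA for b in inner)
    return ipv4_header(outer_tos, ESP_PROTO, gw_src, gw_dst, len(esp_body)) + esp_body

def classify(pkt):
    """What a CE router sees: protocol, TOS, and L4 ports only when the protocol
    is TCP or UDP. For an ESP packet the ports come back as None."""
    tos, proto = pkt[1], pkt[9]
    ihl = (pkt[0] & 0x0F) * 4
    ports = None
    if proto in (TCP_PROTO, UDP_PROTO):
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "tos": tos, "ports": ports}

if __name__ == "__main__":
    inner = udp_packet(0xB8, b"\x0a\x01\x01\x0a", b"\x0a\x02\x02\x0a", 40000, 5060, b"voice")
    outer = esp_tunnel(inner, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    print("inner:", classify(inner))   # ports visible
    print("outer:", classify(outer))   # proto 50, TOS kept, ports hidden
```

Matching on the outer TOS/DSCP is therefore the only classification that survives tunnel-mode ESP on the CE; port- or protocol-based matching has to happen before encapsulation, which is what the pre-classification feature mentioned above addresses.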