Nortel 4134 用户指南
60
IPsec VPN fundamentals
QoS over VPN
Enabling VPN on WAN interfaces complicates the configuration of Quality of
Service (QoS) in the WAN outbound direction. Because the packets coming
from the Ethernet side are encapsulated and encrypted, the original IP
addresses and ports are inaccessible for QoS on outbound WAN traffic.
Service (QoS) in the WAN outbound direction. Because the packets coming
from the Ethernet side are encapsulated and encrypted, the original IP
addresses and ports are inaccessible for QoS on outbound WAN traffic.
However, the SR4134 can support QoS over VPN using DSCP (DiffServe
Code Point). While encapsulating (and encrypting) the packet, the secure
router preserves the DSCP information by copying the TOS byte information
from the inner IP header to the outer IP header. Since the DSCP information
is available in the outer IP header also, QoS on the WAN outbound direction
can be applied. To enable this configuration, packets arriving at the ingress
point on the Ethernet interface must be marked with DSCP.
Code Point). While encapsulating (and encrypting) the packet, the secure
router preserves the DSCP information by copying the TOS byte information
from the inner IP header to the outer IP header. Since the DSCP information
is available in the outer IP header also, QoS on the WAN outbound direction
can be applied. To enable this configuration, packets arriving at the ingress
point on the Ethernet interface must be marked with DSCP.
For more information on QoS configuration, see Nortel Secure Router 4134
Configuration – Traffic Management (NN47263-601).
Configuration – Traffic Management (NN47263-601).
Crypto QoS (CBQ) for IPsec VPN
The SR4134 crypto engine preforms encryption and hashing of packets for
IPsec VPN tunnels. However, the crypto engine throughput is less than the
system throughput, and therefore, there is potential for congestion to build
up and packets to be dropped at the crypto engine queue. You can apply
CBQ to packets entering the encryption engine to guarantee bandwidth and
reduce the latency for delay sensitive voice packets.
IPsec VPN tunnels. However, the crypto engine throughput is less than the
system throughput, and therefore, there is potential for congestion to build
up and packets to be dropped at the crypto engine queue. You can apply
CBQ to packets entering the encryption engine to guarantee bandwidth and
reduce the latency for delay sensitive voice packets.
As shown in the following figure, the crypto engine maintains an input FIFO
queue and an output FIFO queue. The packets needing crypto services
(encryption, decryption, hashing, and so on) have to be queued into the
input FIFO queue for the crypto engine to act on it. When the processing is
completed, the packet is placed on the crypto output queue.
queue and an output FIFO queue. The packets needing crypto services
(encryption, decryption, hashing, and so on) have to be queued into the
input FIFO queue for the crypto engine to act on it. When the processing is
completed, the packet is placed on the crypto output queue.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.