hate to trouble the experts but can you help me understand

hey guys. sorry to take up your time but can you lead me inthe right direction or explain SSL and VPN IPSEC traffic and CBQOS?
I have seen and used CBQOS for Citrix but just is weird to me. Does the router see inside the SSL and or IPSEC tunnel and then understand the Ports and ip addresses? just wondering How CBQOS works with SSL portals for citrix if the traffic is in a tunnel end to end how does it work and same for IPSEC tunnel how does this work?

https://glazenbakje.wordpress.com/2010/12/21/cisco-qos-configuration-simple-example/

Find more posts tagged with

Comments

linuxabuser

The example you posted is QoS for unencrypted Citrix.

d4nz1g

Usually, for IPsec tunnels, the QoS marking is copied from the original header (which will be encrypted) to the IPsec generated header (the one that will traverse the internet/mpls).

itdaddy

okay. Yeah I was wondering how that happend. So in IPSEC CBQOS is handled by copying the information before encrypted. I wonder how SSL handles it?

d4nz1g

In theory, the router won't be able to decrypt the traffic in order to recognize the application. For encrypted traffic, I would suggest to use acls based on destination IP addresses (your citrix servers, for example).

itdaddy

i am trying to picture this is my mind. How to setup QOS for citrix if it is a SSL tunnel from end to end and how do you control the pipe width of SSL for citrix traffic? just allocate or shape traffic for ssl and allocate band pipe limits? and then it is FIFO for traffic in the SSL tunnel??

d4nz1g

Just match the traffic (layer 3 and layer 4 information) and queue it.

ip access-list extended CITRIX-AF41
permit tcp any citrix-server eq app-port

and use class-maps followed by policy-maps to put them on a queue.

The router does not need to see the application information in order to mark the IP packet.

You won't be using NBAR on encrypted traffic.

itdaddy

i read in IPSEC the TOS is copied to the tunnel but I wonder how it is for the SSL? it sounds like it is copied for SSL too what ya think d4nz1g?

d4nz1g

SSL encryption does not change the IP header, it only encrypts the application data.

In IPsec tunnels, the vpn endpoints create a new header and encrypts the whole datagram. So in this specific case, the service type marking should be copied to the new (outer) header.

itdaddy

So this will suffice basic idea for the traffic pre encypted state in either case as long as it affects header the CBQOS works?

https://glazenbakje.wordpress.com/20...imple-example/

linuxabuser

You have to write your QoS policy to match tcp 443. Then, if you're pushing that SSL-encrypted traffic over an IPsec tunnel, you'll do qos pre-classify on the tunnel interface. The regular ICA ports go out the window once you throw a Netscaler doing SSL encryption in front.

itdaddy

thanks I think I got it hahahah thanks man