hate to trouble the experts but can you help me understand
hey guys. sorry to take up your time but can you lead me in the right direction or explain SSL and VPN IPSEC traffic and CBQOS?
I have seen and used CBQOS for Citrix but it is just weird to me. Does the router see inside the SSL and/or IPSEC tunnel and then understand the ports and IP addresses? Just wondering how CBQOS works with SSL portals for Citrix: if the traffic is in a tunnel end to end, how does it work? And same for an IPSEC tunnel, how does this work?
https://glazenbakje.wordpress.com/2010/12/21/cisco-qos-configuration-simple-example/
Comments
d4nz1g: Usually, for IPsec tunnels, the QoS marking is copied from the original header (which will be encrypted) to the IPsec generated header (the one that will traverse the internet/mpls).
itdaddy: okay. Yeah I was wondering how that happened. So in IPSEC CBQOS is handled by copying the information before it is encrypted. I wonder how SSL handles it?
d4nz1g: In theory, the router won't be able to decrypt the traffic in order to recognize the application. For encrypted traffic, I would suggest to use acls based on destination IP addresses (your citrix servers, for example).
itdaddy: I am trying to picture this in my mind. How to set up QOS for Citrix if it is an SSL tunnel from end to end, and how do you control the pipe width of SSL for Citrix traffic? Just allocate or shape traffic for SSL and allocate bandwidth pipe limits? And then it is FIFO for traffic in the SSL tunnel??
d4nz1g: Just match the traffic (layer 3 and layer 4 information) and queue it.
ip access-list extended CITRIX-AF41
 remark citrix-server and app-port are placeholders; a single host needs the "host" keyword
 permit tcp any host citrix-server eq app-port
and use class-maps followed by policy-maps to put them on a queue.
The router does not need to see the application information in order to mark the IP packet.
You won't be using NBAR on encrypted traffic.
itdaddy: I read in IPSEC the TOS is copied to the tunnel but I wonder how it is for the SSL? It sounds like it is copied for SSL too, what ya think d4nz1g?
d4nz1g: SSL encryption does not change the IP header, it only encrypts the application data.
In IPsec tunnels, the vpn endpoints create a new header and encrypt the whole datagram. So in this specific case, the service type marking should be copied to the new (outer) header.
itdaddy: So this will suffice as the basic idea: as long as the traffic in its pre-encrypted state affects the header in either case, CBQOS works?
linuxabuser: You have to write your QoS policy to match tcp 443. Then, if you're pushing that SSL-encrypted traffic over an IPsec tunnel, you'll do qos pre-classify on the tunnel interface. The regular ICA ports go out the window once you throw a Netscaler doing SSL encryption in front.
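Putting d4nz1g's ACL / class-map / policy-map approach and linuxabuser's qos pre-classify together in one IOS configuration, as an added example that is not config from any poster in this thread. The NetScaler VIP address, interface names, bandwidth figure and the IPsec profile name are all assumed values.

```cisco
! Added example, not from any poster: CBQoS for SSL-wrapped Citrix over an IPsec-protected tunnel.
! Assumed: NetScaler VIP 10.10.10.5, LAN Gi0/1, WAN Gi0/0, Tunnel0 with IPsec profile IPSEC-PROF.
!
! 1. Classify on the L3/L4 header, which SSL leaves in the clear. No NBAR: the payload is opaque.
ip access-list extended CITRIX-SSL
 remark tcp/443 to and from the NetScaler VIP that fronts the Citrix farm
 permit tcp any host 10.10.10.5 eq 443
 permit tcp host 10.10.10.5 eq 443 any
!
class-map match-all CITRIX-SSL
 match access-group name CITRIX-SSL
!
! 2. Mark on LAN ingress, before encryption. IPsec copies the ToS byte to the outer header,
!    so AF41 stays visible to every hop across the WAN even though the ACL fields do not.
policy-map MARK-LAN-IN
 class CITRIX-SSL
  set ip dscp af41
!
! 3. Queue on WAN egress. Either match works here:
!    - the DSCP copied to the outer (ESP) header, which needs no extra configuration, or
!    - the original ACL, which only works because qos pre-classify on Tunnel0 keeps a
!      copy of the cleartext header for classification on the physical interface.
class-map match-any CITRIX-OUT
 match ip dscp af41
 match access-group name CITRIX-SSL
!
policy-map WAN-OUT
 class CITRIX-OUT
  bandwidth percent 30
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 description LAN
 service-policy input MARK-LAN-IN
!
interface Tunnel0
 description IPsec-protected tunnel to the data centre
 qos pre-classify
 tunnel protection ipsec profile IPSEC-PROF
!
interface GigabitEthernet0/0
 description WAN
 service-policy output WAN-OUT
```

Check it with `show policy-map interface GigabitEthernet0/0`: the CITRIX-OUT counters should increase while a Citrix session is active. If only class-default moves, the marking or the pre-classify step is not taking effect before encryption.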