Can QoS be implemented when VPN tunnel bandwidth is unknown?

Aug 7th, 2007

Is it possible to have some sort of QoS on both sides of a VPN tunnel when the speed at the endpoint is unknown? In other words, is it possible to have QoS bandwidth parameters automatically detected/adapted to the actual bandwidth?

mheusing Tue, 08/07/2007 - 03:38


General answer: within DiffServ NO, with IntServ - YES/maybe

DiffServ was designed to have no signalling of QoS parameters, thus one node does not know anything about the rest of the network. IntServ uses signalling (RSVP), which would allow some sort of "detection", but it requires the whole network to support RSVP, which usually is not implemented because of complexity and scalability.

What is your underlying issue? Maybe there is a solution, but without further details it is hard to say more than general remarks.

Regards, Martin

vanbergehenegouwen Tue, 08/07/2007 - 04:53

Hey Martin,

Thanks for your reply. I think IntServ won't be a solution straight away. I'll try to explain what I would like to do.

My issue is that I have a few locations that are kind of mobile, and each location connects to the Internet via various links, depending on which is available. This link can be a normal ISP which blocks all traffic except port 80 and 443. The connection could be a simple ISDN dial-in or a dedicated T1 link.

Because there is a Cisco VoIP router on the mobile location and some users' data should have precedence over others', I would like to implement QoS.

My idea was that if I were able to set up a site-to-site SSL VPN tunnel to a router in a datacenter (using Array Network stuff if the Cisco can't do site-to-site SSL), I would have more control over the Internet link. I would not be limited to using only port 80 and 443: all traffic would just go encrypted and look like normal HTTPS traffic.

It's likely that this VPN link would always consume the maximum available bandwidth. If it were possible for some QoS mechanism to "detect" the speed of the VPN, I could, let's say, dedicate bandwidth for 4 VoIP calls, and the remaining bandwidth can be made available for normal traffic. Note that this normal traffic should have some priority levels too.

Assigning dedicated bandwidth to VoIP isn't a big problem I think, however how can I make x percentage of the remaining bandwidth available to user x and y percentage available to user y?

I hope I wrote it understandably ;).


mheusing Wed, 08/08/2007 - 01:30


I am afraid that you will not find an easy solution (if at all). The main reason is DiffServ and the lack of information regarding the rest of the network. The usual approach is to configure the devices appropriately for the environment, i.e. the admin provides the QoS info, no router-based detection mechanism involved. In DiffServ you can only control local resources. So in case your ISP does not help you, there is also little influence on end-to-end QoS. Finally, for VoIP it does not matter who drops or delays a packet, your ISP or your LAN.

All I could think of are different policies on different interfaces, depending on the connection method (dialer, LAN, T1). If you control all the connection devices you could also use markings (DSCP) on encrypted packets and set up matching QoS policies on the routers with T1, ISDN, etc. connecting to the Internet.

Regards, Martin
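
The per-interface policies suggested in the reply above, sketched as a Cisco IOS MQC configuration. This is an added example, not configuration posted by anyone in the thread; the class, policy and interface names, the DSCP values and every rate are assumptions to be replaced with figures for the actual links.

```cisco
! Added example: every name, DSCP value and rate below is an assumption.
! Rates are entered by the administrator per link type; nothing is detected.
!
! Classes match the DSCP value carried on the encrypted tunnel packets,
! so the marking has to be present on the outer header.
class-map match-all VOICE
 match ip dscp ef
class-map match-all USER-X
 match ip dscp af31
class-map match-all USER-Y
 match ip dscp af21
!
! Queuing policy: voice gets a fixed low-latency queue (assumed budget
! for 4 calls), the user classes split what is left by percentage.
policy-map TUNNEL-QUEUE
 class VOICE
  priority 128
 class USER-X
  bandwidth remaining percent 60
 class USER-Y
  bandwidth remaining percent 30
 class class-default
  fair-queue
!
! Ethernet handoff to an ISP: the interface runs at line rate, so a parent
! shaper states the assumed real uplink speed and the queuing policy
! is nested under it.
policy-map ETH-UPLINK-SHAPE
 class class-default
  shape average 512000
  service-policy TUNNEL-QUEUE
!
! T1: interface speed equals link speed, queuing policy attached directly.
interface Serial0/0
 description T1 uplink
 service-policy output TUNNEL-QUEUE
!
interface FastEthernet0/1
 description Ethernet handoff to ISP
 service-policy output ETH-UPLINK-SHAPE
```

If the shaped rate is set above what the upstream link really delivers, queuing and drops move to the ISP side and the local policy no longer decides which packets are delayed.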

