My network setup consists of a PIX firewall connected to a switched network, with the PIX in turn connected to an Internet router. The PIX is used both for web browsing and for termination of a handful of VPN tunnels with IOS routers on the other end of the tunnels. I would like to use QoS to prioritize IPsec traffic on this setup. All the examples that I have read show how to classify the traffic (using IP precedence) and apply the QoS policy on the Internet router. The classifying is done on the router before the IPsec process so that the ToS byte can be copied into the IPsec packet as it is encrypted. Later the ToS is used by the CBWFQ process to guarantee bandwidth and queue priority. These examples all assume that the IPsec process and QoS are both done at the router. In my case, the IPsec is done on the PIX before the router. That means that the classifying process needs to be done either on the PIX or on the switches. My switches are a mix of 2900 and 3500 series switches. My PIX is a 515E running 6.2.2. Can any of these boxes be used to classify data?
You can at least prioritize IPsec packets on the router so that they have a higher priority than web traffic. Use something like priority-list or class-based QoS. This scheme will prioritize IPsec packets inside the router. IP precedence is used to give your packets priority in the Internet, but it's just a bet; it depends on the ISP's routers.
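Added example (not part of either post above): a class-based QoS configuration for the Internet router that follows the answer's suggestion. The point is that the router does not need to see the inner ToS byte at all: once the PIX has encrypted the traffic, the outer header still shows IP protocol 50 (ESP) and UDP 500/4500 for IKE and NAT-T, so the router can classify on those directly. Interface name, interface bandwidth and the 512 kbps reservation are assumed values; adjust them to the real uplink.

```cisco
! Match everything the PIX emits for the VPN tunnels:
! ESP (IP protocol 50), IKE (UDP 500) and NAT-T (UDP 4500).
ip access-list extended IPSEC-TRAFFIC
 permit esp any any
 permit udp any any eq 500
 permit udp any eq 500 any
 permit udp any any eq 4500
 permit udp any eq 4500 any
!
class-map match-any IPSEC
 match access-group name IPSEC-TRAFFIC
!
! CBWFQ: guarantee the tunnels a minimum share of the link during
! congestion; everything else (web browsing) shares the remainder.
policy-map WAN-OUT
 class IPSEC
  bandwidth 512
 class class-default
  fair-queue
!
! Assumed uplink interface; "bandwidth" is what CBWFQ sizes its
! reservations against, so set it to the real circuit speed.
interface Serial0/0
 description Internet uplink toward ISP (assumed name)
 bandwidth 2048
 service-policy output WAN-OUT
```

A few notes on the choices. `bandwidth` rather than `priority` is used because the tunnels carry general traffic; `priority` (LLQ) is meant for small, latency-sensitive flows such as voice and polices the class to its configured rate, which would throttle bulk transfers inside the tunnels. If the uplink is an Ethernet handoff to the ISP's CPE rather than a serial circuit, the interface will never congest locally, so wrap this policy in a parent shaper set to the contracted rate so that a queue actually forms and the class weights take effect. As the answer says, none of this influences how the ISP treats the packets once they leave the router; it only decides which packets leave first.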