Firewall Settings > QoS Mapping
SonicOS 5.8.1 Administrator Guide
Example Scenario
In the scenario above, we have Remote Site 1 connected to ‘Main Site’ by an IPsec VPN. The
company uses an internal 802.1p/DSCP capable VoIP phone system, with a private VoIP
signaling server hosted at the Main Site. The Main Site has a mixed gigabit and Fast-Ethernet
infrastructure, while Remote Site 1 is all Fast Ethernet. Both sites employ 802.1p capable
switches for prioritization of internal traffic.
1. PC-1 at Remote Site 1 is transferring a 23 terabyte PowerPoint™ presentation to File
Server 1, and the 100 Mbit link between the workgroup switch and the upstream switch is
completely saturated.
2. At the Main Site, a caller on the 802.1p/DSCP capable VoIP Phone 10.50.165.200 initiates
a call to the person at VoIP phone 192.168.168.200. The calling VoIP phone 802.1p tags
the traffic with priority tag 6 (voice), and DSCP tags the traffic with a tag of 48.
a. If the link between the Core Switch and the firewall is a VLAN, some switches will
include the received 802.1p priority tag, in addition to the DSCP tag, in the packet sent
to the firewall; this behavior varies from switch to switch, and is often configurable.
b. If the link between the Core Switch and the firewall is not a VLAN, there is no way for
the switch to include the 802.1p priority tag. The 802.1p priority is removed, and the
packet (including only the DSCP tag) is forwarded to the firewall.
When the firewall sent the packet across the VPN/WAN link, it could include the DSCP tag
in the packet, but it is not possible to include the 802.1p tag. This would have the effect of
losing all prioritization information for the VoIP traffic, because when the packet arrived at
the Remote Site, the switch would have no 802.1p MAC layer information with which to