
PIX VPN + IOS routers for QoS over VPN.. will this work?


Axemanmisl

IS-IT--Management
Apr 12, 2004

Hi all,

My company has two offices on opposite sides of the continent, and we are currently running a VPN between the two using Cisco PIX 515E firewalls.

We have an AVAYA IP Office PBX in location A, and are planning to deploy a second unit in location B, using the VPN for voice traffic between locations.

I have been told that the PIXes do not perform any QoS functions. Can I purchase two Cisco IOS routers and put them inline with the PIXs on either end to achieve voice prioritization over the VPN? The data would flow as follows:

LAN-->IOS router-->PIX--> *INTERNET* <--PIX<--IOS router<--LAN

please HELP! Thanks!
 
No, that will not work.. You can prioritize the VPN traffic out into the internet, but as for the QoS in the VPN tunnel, no.. Because the routers just see it as regular UDP/TCP traffic.. You need to have the VPN tunnel terminate on a router to get the QoS features (and I'm not even sure if you can do QoS on the routers themselves for the tunnel interfaces). Let alone you don't have any QoS on the internet itself..


BuckWeet
 
my impression was that the routers will route the data using QoS to break up large data packets, etc. (my understanding of what the QoS actually does is limited)... would this not be the same as communicating between two IOS routers directly connected to the internet? The only difference being that there are two PIXs encrypting the data?

If my solution above will not work, is there any other way to implement QoS between the two sites?
 
This is a very good question. The answer is, "It depends". You can use the configuration you mentioned above to give priority on the outbound for all traffic destined for the other site. This should work pretty well since the PIX will encapsulate the packets as it gets them. You can set up a Cisco 806 as the IOS router to forward all packets to the PIX firewall destined for the VPN before other traffic. You can even bump up its QoS value and the PIX will retain that once it is decapsulated. However, the PIX doesn't understand, yet, QoS and doesn't prioritize traffic either. So weighted queueing would probably be the answer here.

There may be an easier way to do this. If you have routers connecting you to the internet (versus a cable modem), you can set up queueing on them instead. You can set all traffic destined from the local PIX to the remote PIX to be sent out before other traffic. Granted this is all VPN traffic, but most companies won't mind that. You may have everything you need to do it already.

As far as the Avaya PBX, scrap it for a new CallManager system. It is typically cheaper and works better with your PIX and, hopefully, Cisco infrastructure.


It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
While I like Cisco, the AVAYA IP Office has tons more features than the callmangler..

And AVAYA's IP office is their cheap solution. Put a Callmangler up to a Definity, and its no competition..
 
I have a Pix501 using a VPN tunnel into a 2600. We also have a G3 V1.3 and have a fully deployed IP environment on the remote office. Your only problems may arise if your overall pipe was to get saturated. You will definitely want to set all of your switches behind the PIX to prioritize voice traffic. Some will call it QOS and a few older ones might call it COS. That will be your key to making this happen. I would suggest, if the finances are there, to buy a couple of Cajun switches and prioritize the traffic.

Chris Shelton
Innovative Technology Solutions
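The approach described in the "It depends" post (an IOS router inline with the PIX that marks voice and sends it ahead of other traffic) and in the Pix501/2600 post (classifying voice on the LAN side before it reaches the PIX), as an added IOS configuration example that is not from any of the posters; the subnets, interface names, uplink rate, bandwidth figure and RTP port range are assumed values:

```cisco
! Added example, not from the thread. Assumed (constructed) values:
!   local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24,
!   Fa0/0 faces the LAN, Fa0/1 faces the PIX inside interface,
!   Internet uplink 1.5 Mbps, phone RTP ports 16384-32767.
!
! 1. Classify voice headed for the remote site on the LAN-facing ingress
!    and mark it EF; re-mark everything else to default so LAN hosts
!    cannot claim priority for themselves by setting their own DSCP.
ip access-list extended VOICE-TO-REMOTE
 permit udp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 range 16384 32767
!
class-map match-any VOICE-IN
 match access-group name VOICE-TO-REMOTE
!
policy-map MARK-IN
 class VOICE-IN
  set ip dscp ef
 class class-default
  set ip dscp default
!
! 2. Strict-priority (LLQ) queue for EF toward the PIX; 256 kbps is an
!    assumed figure sized for a handful of compressed calls.
class-map match-all VOICE-EF
 match ip dscp ef
!
policy-map VPN-OUT
 class VOICE-EF
  priority 256
 class class-default
  fair-queue
!
! 3. Shape to the uplink rate so the queue forms on this router rather
!    than inside the PIX or at the ISP; the LLQ policy runs under the shaper.
policy-map SHAPE-TO-UPLINK
 class class-default
  shape average 1536000
  service-policy VPN-OUT
!
interface FastEthernet0/0
 description LAN side
 ip address 10.1.0.1 255.255.255.0
 service-policy input MARK-IN
!
interface FastEthernet0/1
 description toward PIX inside interface
 ip address 10.1.1.1 255.255.255.0
 service-policy output SHAPE-TO-UPLINK
```

Queueing only engages when the interface congests, which a 100 Mbps link toward the PIX never does on its own, so the parent shaper at the uplink rate is what makes the priority queue take effect; the DSCP marking survives the PIX's encapsulation (as the post above relies on), but nothing on the Internet path between the two PIXes is obliged to honour it.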
 
Thanks Avayaconsultant- I have a couple of questions:

1. You say you're running your VPN "into" the 2600 router? Wouldn't that mean that the router could not perform QoS on the traffic since it would all be encrypted?

2. If QoS is implemented on the switches BEHIND the PIX, does that mean that the traffic going into the PIX (headed for the other location) has already been prioritized? We have D-Link switches here with Layer 2 QoS, but I haven't needed to configure it as of yet.

Thanks again!!
 
buckwheat.. What features can you not perform on your CallManager that you are performing on your PBX? Lack of understanding or experience on a platform does not mean it does not have the features you may need.. ;)

I know there are some features now that are not available on a CCM compared to a G3. But the list is also quite large the other way (I think larger by quite a lot actually).

Instead of just saying a CCM does not have the features someone needs, why don't we ask them what features they may need/require. And BTW what feature of CCM are you having a hard time implementing?
 
Axemanmisl

By "into" in that phrase I am pretty sure he is referring to originating and terminating the VPN tunnels on his IOS-enabled software. When you take that approach you are allowed to perform QOS on VPN traffic.

Not if the router is an intermediate point in the tunnel.. but if it is the actual VPN end station or aggregation point..
 
One question here for Axemanmisl, what will you do when a link to your ISP at one site goes down, and your VPN tunnel to the other office is down as well? Do you have a backup link to the PSTN? Reason I'm asking is because users are a lot more sensitive to voice network outages rather than data, so if you're going to run voice across data networks, I'd suggest getting a point-to-point T1 dedicated to interoffice data/voice. And then you can run Internet-bound traffic to your internet link.
 
webnetwiz..

Both of these solutions offer automated alternate routing schemes... Most sites require some sort of local PSTN loop regardless of how resilient your data network. For example 911 has to go out locally.. most sites require a few local exchange numbers for inbound. So depending on the needs of the org, utilizing their VPN may be, and often is, a viable solution. But after that is said and done, on a get-all-your-wish-list network.. dump the VPN in favor of ATM or Frame. Point to point does not seem to be a viable solution due to their geographic distance. Depending on carriers on either end.. ATM or Frame may not even be that viable..
 
CCMUSER, I know what the CallManager can and can't do, and I know what the AVAYA can and can't do.. I was an integrator of both systems for several years. Not to mention that I'm certified on AVAYA and Cisco telephony products.

Some basic features that CCM doesn't have are: hunt groups, coverage answer groups, basic ACD, bridged line appearances, coverage paths, vectoring, announcements, auth codes, time of day routing, list goes on and on..


-Yes CCM 4 has hunt groups, which are still basic to what AVAYA's capabilities are
-ACD only comes in when you add external apps (another server)
-bridged line appearances are shared-lined appearance in CCM world, but the functionality is better in AVAYA
-no coverage paths in CCM, go to voicemail or call forwarding only
-to do vectoring (call scripts) you need external apps
-no coverage answer groups
-no built in announcement features
-no auth codes in CCM 4 (they did start to implement that in CCM 3.3.3, but didn't include it in CCM 4)
-no time of day routing


I've put in tons of CallManagers and AVAYA IP Office/Multivantage solutions.. They each have their place. But in my experience, the average business needed more than what the CCM could provide. We always had to jerry-rig it to make it work like a real PBX would.

I remember our first CallManager install, in the CCM 3.1 days, we replaced a 15-year-old Toshiba Perception, and we had troubles getting the CallManager to do 1/4 of what the Perception did..

In all reality the CallManager is still a blushed up key system. It has no place in a business that needs real PBX features.


BuckWeet
 
Again, lack of understanding of people "certified on AVAYA and Cisco telephony products" and perhaps bad marketing strategy on Cisco's part.

ICD and CRA (which will run on the same box as your publisher if you choose... ) I don't quite see why you throw around the problem of another server in a system that was designed from the ground up to be distributed. Kinda like complaining you can see through your windshield.

If it is price... All these apps bundled together in a three-server cluster is still less than a comparable G3 by a large margin.

Cisco provides a GUI for ICD that handles every option that you mentioned above.

If the GUI is not robust enough for you, then you have the ability to call any VoiceXML and Java routine you choose. I do not understand when people always say the Cisco system is not robust enough; then you describe all the tools that are actually available and get the classic open-mouth stare with the response:
"But that is SOOOO complicated"

I usually respond....Did you eat paint chips as a child?
 