priority settings do not work in both directions with Nets..

Guest
Archived from groups: comp.security.firewalls

Hello all,

I have a VoIP device (VT1000) behind the Netscreen 5XP. To ensure
higher priority for VoIP traffic, I created a trust->untrust policy
(set policy id 2 name "voip" from "Trust" to "Untrust" "VT1000" "Any"
"ANY" Permit log traffic gbw 100 priority 0 mbw 2000) and for the rest
of the traffic I set a lower priority (set policy id 0 name "internet
access" from "Trust" to "Untrust" "Any" "Any" "ANY" Permit traffic
gbw 500 priority 6 mbw 2000 dscp enable).

Unfortunately, it appears that the priority settings do not have an
effect on incoming traffic. When I surf the web, I still notice that
the party on the other side of the line is cutting off every few
words.

Is it possible that policy id 2 (above) only affects the outgoing
traffic and not the incoming traffic? I also tried adding this policy
(set policy id 1 name "VOIP" from "Untrust" to "Trust" "Any"
"MIP(55.126.042.43)" "ANY" Permit log traffic gbw 100 priority 0 mbw
2000), but without much success.

How can I fix this?


thanks
Alon
 
Guest
Archived from groups: comp.security.firewalls

alon_rosenfeld@hotmail.com (alon rosenfeld) wrote in message news:<7aa1cb98.0404102304.5f976b5a@posting.google.com>...

> Unfortunately, it appears that the priority settings do not have an
> effect on incoming traffic. When I surf the web, I still notice that
> the party on the other side of the line is cutting off every few
> words.

In order to properly have bi-directional priority sorting over a given
network link _both_ routers on both sides of the link need to be
configured for QoS.

The inbound priority will affect what order the netscreen processes
packets in, but it cannot affect what order packets are put onto the
wire by the router on the other end of the link. In short, inbound
priority levels only matter if multiple inbound packets are queued up
inside your netscreen. While this is one part of a complete QoS
solution, it's not a complete solution.

Your netscreen cannot prevent your internet downloads from
monopolizing the bandwidth of the network interface, which is where
your problem seems to be. That problem MUST be handled by the router
on the other side, and there's nothing you can do to change this.

I manage a working netscreen QoS link carrying VOIP and internet.
There are netscreens on both ends of a limited bandwidth link, and
both units have inbound and outbound priority settings. This actually
works quite well, but it takes QoS on both sides to work properly.
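
The point made in the reply above, as an added simulation that is not part of either post: inbound VoIP delay is set by the queue on the far-side router, so priority on the local firewall alone changes nothing. The traffic pattern, link rate and firewall rate are constructed assumptions, and time is counted in abstract ticks.

```python
# Added illustration (not from the thread): a bottleneck link fed by a far-side
# router, followed by the local firewall. Traffic pattern and rates are constructed.

def pop_next(queue, voip_first):
    """Remove and return the next packet; with voip_first, VoIP jumps the queue."""
    if voip_first:
        for i, (kind, _) in enumerate(queue):
            if kind == "voip":
                return queue.pop(i)
    return queue.pop(0)

def simulate(far_side_priority, local_priority=True, ticks=1000,
             link_rate=1, fw_rate=10):
    """Return (mean, max) VoIP delay in ticks from far-side arrival to local processing."""
    far_q, fw_q, delays = [], [], []
    for t in range(ticks):
        # Constructed inbound load: a 40-packet download burst every 50 ticks,
        # one VoIP packet every 10 ticks (90% of the link's capacity in total).
        if t % 50 == 0:
            far_q.extend(("bulk", t) for _ in range(40))
        if t % 10 == 5:
            far_q.append(("voip", t))
        # The far-side router decides what goes onto the slow link, and in what order.
        for _ in range(min(link_rate, len(far_q))):
            fw_q.append(pop_next(far_q, far_side_priority))
        # The local firewall is much faster than the link, so no queue builds here.
        for _ in range(min(fw_rate, len(fw_q))):
            kind, born = pop_next(fw_q, local_priority)
            if kind == "voip":
                delays.append(t - born)
    return sum(delays) / len(delays), max(delays)

if __name__ == "__main__":
    print("local priority only  :", simulate(far_side_priority=False))
    print("no priority anywhere :", simulate(False, local_priority=False))
    print("priority on both ends:", simulate(far_side_priority=True))
```

The first two runs report the same delay, because the local firewall never holds more than one packet and so has nothing to reorder; only the run with far-side priority removes the wait behind the download burst.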