QoS for Office365

Warren Kumari warren at kumari.net
Mon Jul 8 18:50:29 UTC 2019


On Mon, Jul 8, 2019 at 12:31 PM Jared Mauch <jared at puck.nether.net> wrote:
>
>
>
> > On Jul 2, 2019, at 5:18 PM, Joe Yabuki <joeyabukiyin at gmail.com> wrote:
> >
> > Hi all,
> >
> > How do you deal with QoS for Office365, since the IPs are subject to changes?
> >
> > How can we mark the traffic while keeping the security (I fear the marking based on TCP/UDP ports since they are not without an additional risk coming from worms/viruses using those ports, for example, and doing that directly on the PCs doesn't seem to be the best solution)?
>
>
> Add bandwidth?
>
> QoS is a great tool when you’re constrained and must classify your critical traffic, but it’s not a substitute for getting enough capacity to offices.

Depends -- I'd note that the OP said "How can we mark the traffic while
keeping the security..." -- some people use the COS / DSCP bits to
annotate packets with security information, and use that to make
*security decisions* instead of using it to prioritize traffic. Now,
I'm not saying that this is why the OP is asking (or that I think it
is a good idea, because, well,  I don't think it is!), but it *is* a
practice worth knowing about.

One enterprise I've seen does:
firewall {
    family inet {
        filter Egress {
            term allow {
                from {
                    prefix-list {
                        TrustedSubnets;
                    }
                    dscp af42;
                }
                then accept;
            }
            term default {
                then {
                    encapsulate CaptiveGarden;
                }
            }
        }
    }
}

They have some shim thingie on corporate machines which tags
"approved" traffic with AF42 (and also mark on switches from other
devices which should have Internet access), and everyone else gets
bumped to a captive portal / logging / scrubbing firewall thingie.
This is remarkably bletcherous, but (because?) you can do 'iptables -t
mangle -A FORWARD -j DSCP --set-dscp-class AF42' to tag all
packets...

W

>
> I have only applied QoS to voice traffic to ensure it gets through, the rest you need to budget for the bandwidth needs of the site.  The price of bandwidth likely isn’t insane in your market, but your budget may be.. I’ve found that most places won’t quote you a service for less than $1500 USD MRC.  I know you can get the incumbents to often deliver 1G service for $2k/mo in the US (and possibly cheaper).
>
> I’ve found a lot of people are still stuck in TDM mentality instead of just getting a 1G/10G service.
>
> - Jared



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
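The Egress filter's decision logic, modelled as an added Python example (not code from the thread or the enterprise described): it shows that term allow needs BOTH a trusted source prefix AND DSCP AF42, and flags AF42-marked packets from untrusted sources, since any host can set the mark with the iptables command above. The prefixes and addresses are constructed placeholders.

```python
import ipaddress
import struct

# Assumption: TrustedSubnets holds these prefixes (constructed placeholders).
TRUSTED_SUBNETS = [ipaddress.ip_network("10.10.0.0/16"),
                   ipaddress.ip_network("192.168.50.0/24")]

# DSCP code point for AFxy is 8*x + 2*y, so AF42 = 32 + 4 = 36 (0b100100).
DSCP_AF42 = 36


def dscp_of(ipv4_header: bytes) -> int:
    """Return the 6-bit DSCP from the DS (former TOS) byte; low 2 bits are ECN."""
    return ipv4_header[1] >> 2


def source_of(ipv4_header: bytes) -> ipaddress.IPv4Address:
    """Source address lives at bytes 12..15 of an IPv4 header."""
    return ipaddress.IPv4Address(ipv4_header[12:16])


def egress_term(ipv4_header: bytes) -> str:
    """Which filter term fires: 'allow' (accept) or 'default' (CaptiveGarden).

    Both conditions inside the 'from' block must match for term allow, so an
    AF42 mark on its own does not get a packet past the filter.
    """
    src = source_of(ipv4_header)
    trusted = any(src in net for net in TRUSTED_SUBNETS)
    if trusted and dscp_of(ipv4_header) == DSCP_AF42:
        return "allow"
    return "default"


def suspicious_marking(ipv4_header: bytes) -> bool:
    """True when a packet carries AF42 but comes from outside TrustedSubnets.

    That combination is worth logging: it means something other than the
    corporate shim set the 'approved' mark.
    """
    src = source_of(ipv4_header)
    trusted = any(src in net for net in TRUSTED_SUBNETS)
    return dscp_of(ipv4_header) == DSCP_AF42 and not trusted


def build_header(src: str, dst: str, dscp: int) -> bytes:
    """Minimal 20-byte IPv4 header (TCP, TTL 64) with the given DSCP, ECN 0."""
    ds_byte = (dscp << 2) & 0xFF
    return struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
```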


