On Mon, Jul 8, 2019 at 12:31 PM Jared Mauch <jared@puck.nether.net> wrote:
On Jul 2, 2019, at 5:18 PM, Joe Yabuki <joeyabukiyin@gmail.com> wrote:
Hi all,
How do you deal with QoS for Office365, since the IPs are subject to change?
How can we mark the traffic while keeping the security (I fear the marking based on TCP/UDP ports since they are not without an additional risk coming from worms/viruses using those ports, for example, and doing that directly on the PCs doesn't seem to be the best solution)?
Add bandwidth?
QoS is a great tool when you’re constrained and must classify your critical traffic, but it’s not a substitute for getting enough capacity to offices.
Depends -- I'd note that the OP said "How can we mark the trafic while keeping the security..." -- some people use the COS / DSCP bits to annotate packets with security information, and use that to make *security decisions* instead of using it to prioritize traffic. Now, I'm not saying that this is why the OP is asking (or that I think it is a good idea, because, well, I don't think it is!), but it *is* a practice worth knowing about.

One enterprise I've seen does:

    firewall {
        family inet {
            filter Egress {
                term allow {
                    from {
                        prefix-list {
                            TrustedSubnets;
                        }
                        dscp af42;
                    }
                    then accept;
                }
                term default {
                    then {
                        encapsulate CaptiveGarden;
                    }
                }
            }
        }
    }

They have some shim thingie on corporate machines which tags "approved" traffic with AF42 (and also mark on switches from other devices which should have Internet access), and everyone else gets bumped to a captive portal / logging / scrubbing firewall thingie.

This is remarkably bletcherous, but (because?) you can do 'iptables -t mangle -A FORWARD -j DSCP --set-dscp-class AF42' to tag all packets...

W
I have only applied QoS to voice traffic to ensure it gets through; the rest you need to budget for the bandwidth needs of the site. The price of bandwidth likely isn’t insane in your market, but your budget may be. I’ve found that most places won’t quote you a service for less than $1500 USD MRC. I know you can get the incumbents to often deliver 1G service for $2k/mo in the US (and possibly cheaper).
I’ve found a lot of people are still stuck in TDM mentality instead of just getting a 1G/10G service.
- Jared
-- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
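As an added illustration of the DSCP-as-security-signal filter quoted in the thread (this is example code, not anything from the enterprise described or from Junos): it parses the DSCP and source address out of a raw IPv4 header, applies the same two-term logic (trusted prefix AND AF42 accepts, everything else goes to the captive path), and adds an audit count of AF42-marked packets arriving from outside the trusted prefixes, since the marking is an unauthenticated header field and a defender would want those logged. The prefix-list contents and the packet bytes are constructed for the example.

```python
import ipaddress
import struct

# Junos "dscp af42" is codepoint 36 (binary 100100), carried in the top six bits of the IPv4 TOS byte.
DSCP_AF42 = 36

# Constructed stand-in for the prefix-list "TrustedSubnets" in the quoted filter (assumed values).
TRUSTED_SUBNETS = [ipaddress.ip_network("10.20.0.0/16"),
                   ipaddress.ip_network("192.0.2.0/24")]

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def parse_ipv4(packet):
    """Return (dscp, source address) from the first 20 bytes of an IPv4 packet."""
    ver_ihl, tos, _tl, _id, _frag, _ttl, _proto, _csum, src, _dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return tos >> 2, ipaddress.ip_address(src)


def is_trusted(src):
    return any(src in net for net in TRUSTED_SUBNETS)


def classify(packet):
    """Mirror the filter: term allow needs BOTH a trusted source and AF42; term default catches the rest."""
    dscp, src = parse_ipv4(packet)
    if is_trusted(src) and dscp == DSCP_AF42:
        return "accept"
    return "captive"  # the quoted config's 'encapsulate CaptiveGarden' path


def audit_untrusted_af42(packets):
    """Count AF42-marked packets from outside TrustedSubnets: the mark proves nothing by itself, so log these."""
    return sum(1 for p in packets
               if parse_ipv4(p)[0] == DSCP_AF42 and not is_trusted(parse_ipv4(p)[1]))


def build_ipv4(src, dscp, dst="203.0.113.9"):
    """Construct a minimal IPv4 header with the given source and DSCP (test input only, not real traffic)."""
    tos = dscp << 2  # ECN bits left at zero
    return struct.pack(IPV4_HDR, 0x45, tos, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


if __name__ == "__main__":
    sample = [build_ipv4("10.20.3.4", DSCP_AF42), build_ipv4("10.20.3.4", 0),
              build_ipv4("198.51.100.7", DSCP_AF42)]
    for p in sample:
        print(parse_ipv4(p), classify(p))
    print("AF42 from untrusted sources:", audit_untrusted_af42(sample))
```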