Checkpoint and QoS in a cisco network

[steve_mils]

Hi,

We have a Cisco network that has end-to-end QoS deployed using Cisco best practices. For example, we have access-layer switches that classify and mark packets from end-user PCs. Upstream switches / routers can then act on those markings and queue packets accordingly.

We also use Checkpoint firewalls between our HQ and remote offices and at the moment they do not have QoS enabled. So in effect we have end-to-end QoS from the Cisco point of view; but the firewall is a gap at present.

My question is does anyone know what's happening to our packets as things stand? For example I'm sending a mixture of services marked as EF, AF11, AF12, AF21, AF22 etc. Do the Checkpoints remark the Qos markings at all? I'm hoping that they don't alter to markings at all because I have a router the other side of the Checkpoint which needs to see those markings!

Thanks

[sebastan_bach]

hi steve even i had this query long time back.but someone in the forum mentioned checkpoint doesn;t retain the markings of an ip packet. u will have to remark the packets in checkpoint again for the external router to receive the markings. i guess only cisco asa and netscreen support to retain the markings by the downstream and upstream routers.

however one thing i am not sure that when we are not using qos in checkpoint does it still remove the markings of an ip packet. ???

regards

sebastan

[steve_mils]

Hi Sebastan,

I think the thing to do now would be to do some packet sniffing - one capture without QoS enabled on the Checkpoint and another capture after QoS is enabled.

My suspicion is that without QoS enabled the markings are preserved, and with QoS enabled they're remarked.

I'll post here again when I've had the chance to test it...

Thanks, Steve

[sebastan_bach]

hi steve that;s the correct way to test it. even i was trying to test the same. i will work on it after i get over with vpns.

will surely wait for ur results.

regards

sebastan