
FloodGate-1

DiffServ Support

FloodGate-1® enables extending corporate QoS requirements to the WAN by classifying traffic according to the Differentiated Services (DiffServ) standard. DiffServ support enables service providers with IP networks to offer end-to-end Quality of Service (QoS) for both VPN and unencrypted traffic. End users, in turn, can quickly realize the benefits of optimized, end-to-end network performance.

How Does DiffServ Support Work?

DiffServ is an IETF protocol (see RFC 2474 and RFC 2475) for managing traffic. DiffServ is supported in both standard IP networks and Multiprotocol Label Switching (MPLS) IP networks. Based on a customer's QoS policy, packets are given one of several possible forwarding, or "per hop", behaviors (PHB). The PHBs are specified in a six-bit field in the IP header, known as the Differentiated Services Code Point (DSCP). Service provider network routers subsequently use DSCP information to make traffic forwarding decisions.

Standalone QoS Limitations

When a standalone QoS device provides DiffServ support, the QoS scheme breaks when traffic has been encrypted at the customer premises. This is because service provider edge routers cannot accurately classify encrypted traffic.

Integrated QoS/VPN Solutions

By integrating DiffServ and VPN functionality on the same device, FloodGate-1 solves the problem described above for a standalone QoS device. With FloodGate-1, information in the DSCP field is copied to the outer IPSec header, so that DiffServ information is accessible to the service provider's edge router.

The network diagram below illustrates this process, as it applies to an MPLS network.



DiffServ in an MPLS network

Note that MPLS networks provide for routing high priority traffic through a specified low latency path. Such a path is shown in the diagram, highlighted in orange.

Integrated SMART Management

Corporate system administrators create, deploy and manage DiffServ policies from the QoS Policy section of the Check Point Management Console. Alternatively, system administrators may opt to outsource policy management to a Service Provider. (Administrative rights can be controlled such that different people can manage QoS and VPN-1®/FireWall-1® functionality.)

Example Application

The figure below shows a FloodGate-1 DiffServ policy with four DiffServ service levels. Within each service level, each class of traffic can have QoS attributes, for shaping traffic on the local access link.


Sample FloodGate-1 Policy with DiffServ Service Levels


In this case, the system administrator has created a FloodGate-1 rule that classifies VoIP traffic as high priority (Gold Class) traffic. As a result, FloodGate-1 will mark the IP header of VoIP packets to designate that they have "Expedited Forwarding." (This corresponds to a DSCP of 101110.) FloodGate-1 subsequently copies this mark to the outer IPSec header, so that the service provider's edge router can accurately prioritize the packets.
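The following sketch is an added example, not Check Point code. It models the DSCP copy described above and the standalone-device failure case, where the mark stays hidden inside the encrypted payload. The addresses, SPI, payload and XOR "encryption" are constructed stand-ins, and ECN bits are left at zero for simplicity.

```python
import socket
import struct

EF = 0b101110  # Expedited Forwarding DSCP, the value quoted in the text

def checksum(hdr):
    """One's-complement sum over the 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(dscp, proto, src, dst, payload_len):
    """Build a 20-byte IPv4 header (no options); DSCP is the top 6 bits of byte 1."""
    tos = (dscp & 0x3F) << 2  # ECN bits left 0 (simplification)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def dscp_of(packet):
    return packet[1] >> 2

def tunnel_encapsulate(inner, gw_src, gw_dst, copy_dscp=True):
    """Stand-in for IPsec ESP tunnel mode (IP protocol 50).

    copy_dscp=True models the integrated QoS/VPN device; False models a
    separate VPN device that encrypts after a standalone QoS device marked.
    """
    opaque = bytes(b ^ 0xA5 for b in inner)        # placeholder, NOT real crypto
    esp = struct.pack("!II", 0x1001, 1) + opaque   # constructed SPI and sequence no.
    outer_dscp = dscp_of(inner) if copy_dscp else 0
    return ipv4_header(outer_dscp, 50, gw_src, gw_dst, len(esp)) + esp

def edge_router_class(packet):
    """Classify using only the outer header, all the provider edge router can read."""
    return "expedited" if dscp_of(packet) == EF else "best-effort"

# Constructed sample: a VoIP-like UDP packet (protocol 17) marked EF by the QoS rule.
PAYLOAD = b"RTPvoice"
INNER = ipv4_header(EF, 17, "10.1.1.10", "10.2.2.20", len(PAYLOAD)) + PAYLOAD

if __name__ == "__main__":
    for copy in (True, False):
        outer = tunnel_encapsulate(INNER, "192.0.2.1", "198.51.100.1", copy_dscp=copy)
        print(f"copy_dscp={copy}: outer DSCP={dscp_of(outer):06b} "
              f"-> {edge_router_class(outer)}")
```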