Technical data

Optimizing VSX
Check Point VSX Administration Guide NGX R67 | 154
Without QoS enforcement, all these different traffic types are given equal priority on the VSX gateway and are handled in a simple FIFO (first in, first out) manner. When the VSX gateway is congested, all traffic types suffer the same degree of latency and drops, and high-volume traffic may starve low-volume traffic.
With QoS, the special requirements of each traffic type can be met. For example:
Latency-sensitive traffic is given preference over other types of traffic.
Traffic that is sensitive to drops suffers fewer drops than other types of traffic.
High-volume traffic that consumes bandwidth is limited during times of congestion.
Note - QoS requires the use of DiffServ-enabled routers to mark preferred traffic types with a special tag. The tag is the DSCP (DiffServ Code Point), which occupies the six most significant bits of the IP header's ToS field, as described in RFC 2474. The VSX gateway should then be configured to give traffic with this tag the required priority.
Architecture
Three major aspects of the QoS architecture are:
Differentiated Services support
Inbound prioritization
Policy with a global scope
Differentiated Services Support
QoS provides basic support for Differentiated Services, an architecture for specifying and controlling network traffic by class so that certain types of traffic receive priority over others. The Differentiated Services architecture defines PHBs (per-hop behaviors) for these classes.
When marked packets arrive at the VSX machine, they are classified and prioritized according to their DSCP (Differentiated Services Code Point) values. To enhance performance, QoS does not mark packets with a DSCP and does not change their Type of Service (ToS) values. QoS instead relies on peripheral devices (namely routers) to mark packets with the appropriate ToS value.
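The following is an added example, not code from the guide or from Check Point, showing the DSCP classification the Note and this section describe: it extracts the six-bit DSCP from the ToS byte of an IPv4 header, names the standard PHB it maps to, and orders arriving packets by class instead of FIFO. The class-to-priority mapping, the `build_ipv4` helper and the sample packets are assumptions constructed for illustration; unregistered DSCP values deliberately fall back to default treatment.

```python
import struct

# Standard DSCP code points: Default/CS from RFC 2474, AF from RFC 2597, EF from RFC 3246.
PHB_NAMES = {0: "Default", 46: "EF"}
for cls in range(1, 5):
    for drop in range(1, 4):
        PHB_NAMES[8 * cls + 2 * drop] = f"AF{cls}{drop}"   # e.g. AF41 = 34
for sel in range(1, 8):
    PHB_NAMES[8 * sel] = f"CS{sel}"                        # e.g. CS6 = 48


def dscp_from_ipv4(packet: bytes) -> tuple[int, int]:
    """Split the IPv4 ToS/DS byte: DSCP is the six MSBs, ECN the two LSBs (RFC 2474)."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    tos = packet[1]
    return tos >> 2, tos & 0x3


def priority_of(dscp: int) -> int:
    """Assumed class-to-priority mapping (higher wins); not Check Point's own policy."""
    name = PHB_NAMES.get(dscp)
    if name == "EF":                 # latency-sensitive traffic, e.g. voice
        return 3
    if name and name.startswith("AF"):   # drop-sensitive, per-class assured forwarding
        return 2
    if name and name.startswith("CS"):   # class selectors, e.g. routing protocols
        return 1
    return 0                         # Default, and any unregistered DSCP value


def build_ipv4(dscp: int, ecn: int = 0) -> bytes:
    """Constructed minimal 20-byte IPv4 header carrying the given DSCP (checksum left 0)."""
    tos = (dscp << 2) | (ecn & 0x3)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def inbound_order(packets: list[bytes]) -> list[str]:
    """Return PHB labels in the order a priority scheduler would serve the arrivals.

    sorted() is stable, so packets of equal priority keep FIFO order among themselves.
    """
    ranked = sorted(packets, key=lambda p: -priority_of(dscp_from_ipv4(p)[0]))
    return [PHB_NAMES.get(dscp_from_ipv4(p)[0], f"unregistered({dscp_from_ipv4(p)[0]})")
            for p in ranked]
```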
Inbound Prioritization
While Differentiated Services support in routers is usually performed on outbound traffic, QoS for VSX prioritizes traffic on the inbound side because, in VSX deployments, QoS is primarily governed by system resources, namely the CPU, and not by network bandwidth.
To prevent the VSX machine from becoming a bottleneck in the network, prioritization is enforced when packets arrive at the VSX machine, before CPU processing is assigned. Inbound prioritization therefore gives earlier control over loss and delay rates.
Policy with Global Scope
To minimize the impact of QoS functionality on performance, QoS is not performed on a per-interface basis, but for the entire system. This means that a certain class of service will apply to all traffic entering the VSX gateway or cluster, regardless of the specific interface from which the traffic originates.
Note - On multiple-CPU machines, enforcement is not performed system-wide, but executed per CPU. This means that global enforcement is done separately on traffic processed by each CPU.