QoS for Office365

Hi all,

How do you deal with QoS for Office365, since the IPs are subject to change?

How can we mark the traffic while keeping the security (I fear marking based on TCP/UDP ports, since they are not without additional risk, for example from worms/viruses using those ports, and doing that directly on the PCs doesn’t seem to be the best solution)?

Many thanks,
Joe
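One way to address the question above, as an added example that is not from the thread: classify on Microsoft's published destination prefixes (and the ports those records list) instead of on port alone, so a worm talking to an arbitrary host on the same port does not inherit the marking. The record shape of Microsoft's Office 365 endpoints web service is assumed; the feed data below is constructed.

```python
"""Classify Office 365 traffic by published destination prefix, not by port alone.

Added example, not from the thread. It assumes the JSON shape of Microsoft's
Office 365 endpoints web service (records with "category", "ips", "tcpPorts",
"udpPorts"); SAMPLE_FEED is constructed with RFC 5737/3849 documentation ranges.
"""
import ipaddress
import json

SAMPLE_FEED = json.dumps([  # constructed, mirrors the feed's record shape
    {"id": 11, "serviceArea": "Skype", "category": "Optimize",
     "ips": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48"],
     "udpPorts": "3478,3479,3480,3481"},
    {"id": 1, "serviceArea": "Exchange", "category": "Allow",
     "ips": ["198.51.100.0/24"], "tcpPorts": "443,80"},
    {"id": 12, "serviceArea": "Skype", "category": "Default",
     "ips": ["203.0.113.0/24"], "tcpPorts": "443"},
])

def select_prefixes(feed_json, categories=("Optimize",), v6=False):
    """Collapsed prefixes for the chosen categories; collapsing keeps the
    device-side prefix-list small and stable when Microsoft re-splits ranges."""
    nets = []
    for rec in json.loads(feed_json):
        if rec.get("category") in categories:
            for ip in rec.get("ips", []):
                net = ipaddress.ip_network(ip, strict=False)
                if (net.version == 6) == v6:
                    nets.append(net)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def select_ports(feed_json, proto, categories=("Optimize",)):
    """Sorted ports the chosen records use for proto ('tcp' or 'udp'), so the
    marking term can require prefix AND port rather than port alone."""
    ports = set()
    for rec in json.loads(feed_json):
        if rec.get("category") in categories and rec.get(proto + "Ports"):
            ports.update(int(p) for p in rec[proto + "Ports"].split(","))
    return sorted(ports)

def junos_prefix_list(name, prefixes):
    """Render a Junos prefix-list stanza; a refresh job diffs it against the box."""
    body = "".join(f"        {p};\n" for p in prefixes)
    return f"policy-options {{\n    prefix-list {name} {{\n{body}    }}\n}}\n"

if __name__ == "__main__":
    print(junos_prefix_list("O365-Optimize-v4", select_prefixes(SAMPLE_FEED)))
    print("udp ports:", select_ports(SAMPLE_FEED, "udp"))
```

Re-running the generator on a schedule and pushing the diff is what keeps the classifier current when the published ranges change.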

Add bandwidth?

QoS is a great tool when you’re constrained and must classify your critical traffic, but it’s not a substitute for getting enough capacity to offices.

I have only applied QoS to voice traffic to ensure it gets through; for the rest you need to budget for the bandwidth needs of the site. The price of bandwidth likely isn’t insane in your market, but your budget may be. I’ve found that most places won’t quote you a service for less than $1500 USD MRC. I know you can get the incumbents to often deliver 1G service for $2k/mo in the US (and possibly cheaper).

I’ve found a lot of people are still stuck in TDM mentality instead of just getting a 1G/10G service.

- Jared

Funny, I was just answering an internal question about this, last week.

As with all things Internet, my stance is if you don't have end-to-end
control, trying to do QoS is pointless.

That said, I believe it should be possible to apply some kind of
meaningful, end-to-end QoS together with Microsoft if you took up one of
their Express Route services, given that is considered a private,
premium service.

Mark.

In some cases, the motivation for these requirements is fueled by trying
to outsmart your competitors.

I just don't know of a reliable, contractual way that you can use QoS to
say your DIA or IP Transit service is better than that of your competitor.

Mark.

>
> Hi all,
>
> How do you deal with QoS for Office365, since the IPs are subject to change?
>
> How can we mark the traffic while keeping the security (I fear marking based on TCP/UDP ports, since they are not without additional risk, for example from worms/viruses using those ports, and doing that directly on the PCs doesn't seem to be the best solution)?

> Add bandwidth?
>
> QoS is a great tool when you’re constrained and must classify your critical traffic, but it’s not a substitute for getting enough capacity to offices.

Depends -- I'd note that the OP said "How can we mark the traffic while
keeping the security..." -- some people use the COS / DSCP bits to
annotate packets with security information, and use that to make
*security decisions* instead of using it to prioritize traffic. Now,
I'm not saying that this is why the OP is asking (or that I think it
is a good idea, because, well, I don't think it is!), but it *is* a
practice worth knowing about.

One enterprise I've seen does:

firewall {
    family inet {
        filter Egress {
            /* pass only traffic from trusted sources that already carries the AF42 "approved" mark */
            term allow {
                from {
                    prefix-list {
                        TrustedSubnets;
                    }
                    dscp af42;
                }
                then accept;
            }
            /* everything else is tunnelled off to the captive portal / scrubbing box */
            term default {
                then {
                    encapsulate CaptiveGarden;
                }
            }
        }
    }
}

They have some shim thingie on corporate machines which tags
"approved" traffic with AF42 (and also mark on switches from other
devices which should have Internet access), and everyone else gets
bumped to a captive portal / logging / scrubbing firewall thingie.
This is remarkably bletcherous, but (because?) you can do 'iptables -t
mangle -A FORWARD -j DSCP --set-dscp-class AF42' to tag all
packets...

W

Assuming we are discussing such packets traversing the public Internet,
it's a little tricky to expect IPP/DSCP values to remain intact over the
life of an Internet packet.

Mark.

I took the OP’s request to be about doing QoS at the edge of their network and not necessarily along the entire path.

As another person stated, the real answer is to add more bandwidth if you are having to apply QoS to Office365 because it is affecting other internet-based services.

Robert

> Depends -- I'd note that the OP said "How can we mark the traffic while
> keeping the security..." -- some people use the COS / DSCP bits to
> annotate packets with security information, and use that to make
> *security decisions* instead of using it to prioritize traffic. Now,
> I'm not saying that this is why the OP is asking (or that I think it
> is a good idea, because, well, I don't think it is!), but it *is* a
> practice worth knowing about.

> Assuming we are discussing such packets traversing the public Internet,
> it's a little tricky to expect IPP/DSCP values to remain intact over the
> life of an Internet packet.

Goodness no -- I've only ever seen this done within a single network
(including inside some tunnels); expecting this to work across the Big
I-internet is crazypants time. I personally think that the idea itself
is stupid, but, well, their network, their rules, and it "works" for
them.

W

Warren Kumari
Sent: Monday, July 8, 2019 8:06 PM

> > Depends -- I'd note that the OP said "How can we mark the traffic
> > while keeping the security..." -- some people use the COS / DSCP
> > bits to annotate packets with security information, and use that to
> > make *security decisions* instead of using it to prioritize traffic.
> > Now, I'm not saying that this is why the OP is asking (or that I
> > think it is a good idea, because, well, I don't think it is!), but
> > it *is* a practice worth knowing about.
>
> Assuming we are discussing such packets traversing the public
> Internet, a little tricky to expect IPP/DSCP values to remain intact
> in the life of an Internet packet.

> Goodness no -- I've only ever seen this done within a single network
> (including inside some tunnels); expecting this to work across the Big I-
> internet is crazypants time. I personally think that the idea itself is stupid,
> but, well, their network, their rules, and it "works" for them.

And yet the SD-WAN promising MPLS experience over the internet and other BS sells like crazy ;-)

adam

> I took the OP's request to be about doing QoS at the edge of their network
> and not necessarily along the entire path.

Indeed, but even then, you could be handing off the traffic to a
downstream customer, and can't guarantee what they do to those ToS fields.

> As another person stated, the real answer is to add more bandwidth if
> you are having to apply QoS to Office365 because it is affecting other
> internet-based services.

Yes and no.

More bandwidth never hurt anyone, but packet loss in the remote network
toward the cloud will hurt you.

Mark.

Where have we seen that before...

Still waiting for the ATM port on my laptop :-).

Mark.

> I took the OP's request to be about doing QoS at the edge of their network
> and not necessarily along the entire path.

> Indeed, but even then, you could be handing off the traffic to a
> downstream customer, and can't guarantee what they do to those ToS fields.

I disagree -- you *can* guarantee what someone else will do with your
ToS fields....... they will A: ignore them and / or B: scribble all
over them.

At a previous employer (AOL, doing VoIP for customer service / call
centers, ~2004) we had a number of contractual agreements with
multiple providers to honor our QoS markings -- as far as I could tell
(marking test traffic under congestion events) only one of about seven
did anything at all with the marking, and that wasn't enough to make
any difference... I briefly toyed with the idea of asking for some
money back / trying to enforce the terms of the agreements, but
figured that there wasn't much point - expecting QoS to work in
someone else's network based upon your markings seems like a fool's
errand.

W

> I disagree -- you *can* guarantee what someone else will do with your
> ToS fields....... they will A: ignore them and / or B: scribble all
> over them.

I'll rephrase... you can't guarantee that a remote network will handle
your packets the way you intend.

> At a previous employer (AOL, doing VoIP for customer service / call
> centers, ~2004) we had a number of contractual agreements with
> multiple providers to honor our QoS markings -- as far as I could tell
> (marking test traffic under congestion events) only one of about seven
> did anything at all with the marking, and that wasn't enough to make
> any difference... I briefly toyed with the idea of asking for some
> money back / trying to enforce the terms of the agreements, but
> figured that there wasn't much point - expecting QoS to work in
> someone else's network based upon your markings seems like a fool's
> errand.

Agreed.

I would, though, say that I admire that you went as far as ringing up
contracts on the back of this.

Mark.

Using Orifice 342 will hurt you.

Packet loss (the more the better) will only help you.

Implement Quality of Service in Microsoft Teams
Prepare your organization’s network for Quality of Service (QoS) in Microsoft Teams.
https://docs.microsoft.com/en-us/microsoftteams/qos-in-teams

For "Classic QoS": you don't. At best you tell the customer it's done without actually doing anything (it very often works). If it doesn't, see previous answers (those recommending a bandwidth upgrade and correct capacity provisioning, a.k.a. "Modern QoS").

Can't choose what my customers like :-).

Mark.

To quote from that URL:

QoS only works as expected when implemented on all links between callers. If you use QoS
on an internal network and a user signs in from a remote location, you can only prioritize within
your internal, managed network.

Mark.

> At a previous employer (AOL, doing VoIP for customer service / call
> centers, ~2004) we had a number of contractual agreements with
> multiple providers to honor our QoS markings – as far as I could tell
> (marking test traffic under congestion events) only one of about seven
> did anything at all with the marking, and that wasn’t enough to make
> any difference… I briefly toyed with the idea of asking for some
> money back / trying to enforce the terms of the agreements, but
> figured that there wasn’t much point - expecting QoS to work in
> someone else’s network based upon your markings seems like a fool’s
> errand.

Generally speaking, I agree that making QoS features work consistently on an external network you do not control is a fool’s errand.

But if that language was inserted into the contracts, and you can demonstrably prove it’s not being done, enforcing the contract terms should always be done. Depending on the strength of the remedy, it could have been a lot of free service, enough financial incentive for them to MAKE it work correctly, or leverage to open renegotiations for more favorable terms for you.

You know that in reverse they would have done the same to you. :-)

Perhaps plenty of service credits. Anything else would just burn too
much time on either end for no practical outcome.

Mark.