CoS Overview

The Class of Service (CoS) feature within the VPN Gateway includes traffic shaping and marking of packets with Differential Services Code Points (DSCP) values based upon filter rules configured within the AT&T Administration Server.

The need for Class of Service arises when the amount of customer LAN traffic that must be forwarded through the VPN Gateway exceeds the amount of upstream WAN bandwidth available. In this situation the VPN Gateway CoS Configuration will determine which traffic requires higher priority, mark the traffic with the appropriate DSCP value, and send the packet out of the VPN Gateway before sending a lower priority packet. The VPN Gateway will also rate-limit each class of traffic to ensure the overall transmission rate onto the WAN is always less than the available bandwidth.

The VPN Gateway accomplishes this prioritization using internal class-based queues and filters. The filters are applied to packets as they are received by the VPN Gateway and determine into which priority queue each packet is placed. The packet is marked with the appropriate DSCP value as it is queued. The VPN Gateway applies the configured bandwidth rates when de-queuing traffic from each queue so as not to send packets too quickly, thus mitigating the risk of traffic being queued within the network.

If packets are sent at a quicker rate than the network can process, the network will queue them, and high priority packets will be delayed behind whatever is already waiting. Keeping that queue inside the VPN Gateway instead of in the network is referred to as “owning the queue”. If the VPN Gateway owns the queue, it is able to determine which packets have a higher priority, ensuring a smaller delay for those packets. By owning the queue, when the VPN Gateway determines that it is time to send a lower priority packet, that packet should not be delayed in the network, and therefore it will not delay the high priority packet sent behind it.

The following two options are available to the administrator when enabling the CoS feature:

  1. Classify the traffic based on the packet’s existing DSCP marking before applying the classification filter rules, skipping the filter rules if a DSCP marking matches the configured classes. This is useful when IP devices like SIP phones have already marked VoIP traffic as high priority.
  2. Ignore the existing DSCP packet marking and only use filter rules to classify the packet (remarking the packet solely based on the filter rules configured for all packets).

The VPN Gateway CoS support includes traffic shaping in both directions, outbound and inbound. Traffic shaping can also be configured for only one direction, for example applied to outbound traffic but not to inbound traffic. Inbound traffic shaping is accomplished by shaping the traffic received on the Internet interface (including VPN traffic) before it is forwarded on to the LAN interface. This is only effective for TCP traffic, which makes up much of the traffic sent.

The TCP protocol implements a windowing algorithm to keep a sending application from flooding a receiving application's queue. When the VPN Gateway slows the delivery of lower priority inbound traffic, the TCP window for that session will shrink and the sending application will slow its rate of transmission. This limits the amount of traffic that is sent to the VPN Gateway from the network. By controlling the downstream traffic rate (owning the queue), the VPN Gateway reduces the delay and jitter caused within the network.

UDP and ICMP are connectionless protocols and do not include the windowing algorithm of the TCP protocol. Therefore inbound traffic shaping has no effect on an ill-behaved UDP or ICMP application: by the time the VPN Gateway delays or drops such packets, they have already consumed the downstream WAN bandwidth, and the sender receives no feedback that would make it slow down.

The CoS feature was initially developed in support of the Voice over IP (VoIP) application. VoIP requires low latency, low jitter and low packet loss to produce good voice quality. The VPN Gateway CoS feature helps manage the priority of the packets being sent and received, thereby ensuring that VoIP packet latency and jitter are as small as possible.

The VPN Gateway follows AT&T's CoS Convergence architecture with regard to defining the CoS configuration values. This architecture defines up to 4 data classes and 2 management traffic classes, as well as a means to define the percentage of bandwidth assigned to each of these classes. Each class and all of the shaping and traffic classifications are completely configurable within the AT&T Administration Server, so VPN Gateway code changes are not required if scenarios arise where more complex traffic classification or prioritization is needed. The VPN Gateway also provides the flexibility to support more (or fewer) classes than AT&T's CoS Convergence Architecture defines.