3845 and T1 QoS

Unanswered Question

I am hoping that someone could help me out with a rather simple QoS config for a Cisco 3845 with a single T1/CSU card in it.

I have no VoIP running through this interface. I was hoping to put some limits on how much web and other traffic is used on the inbound side of the interface. I would like it so that the interface drops any HTTP (or HTTPS) packets when it has reached >90% capacity.

My problem is that Akamai Technologies servers aren't closing sessions properly and they keep hammering my T1 (even after my client is disconnected). So that has resulted in me adding a lot of deny xxxxx in my Inbound ACL. If I could just QoS that interface and say that no more than 90% of my bandwidth can be HTTP(S) traffic, shouldn't that prevent me from adding all of these servers to my ACL? At least a little bit?

royalblues Tue, 01/08/2008 - 13:14

You can basically try to achieve this using policing.

What are the other traffic types that you are trying to protect from the http/https traffic?

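e.g. to restrict:

    ! match-any: a packet is either HTTP or HTTPS, never both
    class-map match-any QoS
     match protocol http
     ! NBAR's keyword for HTTPS is secure-http
     match protocol secure-http
    !
    policy-map QoS
     class QoS
      ! 90% of the interface bandwidth
      police cir percent 90
    !
    interface serial 0/0
     ip nbar protocol-discovery
     service-policy output QoS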

We should know which other traffic types need to be protected so that they can be prioritised during congestion, rather than just dropping the above traffic.



a.cruea1980 Wed, 01/09/2008 - 06:49

Depending on your IOS version, you may be able to implement this command to keep Akamai from holding connections open indefinitely.



There's also syn and fin wait times you might want to check out. Just a thought.

If you have a firewall instead, you could also apply these commands there instead.

mheusing Wed, 01/09/2008 - 09:15


You are talking about "inbound bandwidth". Are the servers at the other end of your T1? Then the harm is already done, when the packet arrives at your router, as the bandwidth to transport the packets across the T1 is already taken. I would rather suggest in this case to have an outbound policy to prevent the packets from being transmitted.

As such a simple queueing configuration should be sufficient, like

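    ! match-all: traffic that is neither HTTP nor HTTPS
    class-map match-all noWeb
     match not protocol http
     match not protocol secure-http
    !
    policy-map Queueing
     class noWeb
      bandwidth percent 10
    !
    interface "T1"
     ! a policy-map is attached with service-policy
     service-policy output Queueing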

This will guarantee at least 10% of the interface bandwidth to the rest of the traffic. You may want to adjust the percentage setting for optimum results.

Regards, Martin
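
The class-map logic behind the two configurations in this thread, modelled in Python as an added example (not part of any post here; the protocol labels and sample traffic are constructed). match-any ORs its criteria and match-all ANDs them, which decides whether a class built from `match not` statements really excludes web traffic.

```python
# Added example: a model of class-map evaluation, not IOS code.
# Protocol labels ("http", "https", "dns", "smtp") are constructed sample
# values standing in for whatever NBAR classified each packet as.

def matches(mode, criteria, proto):
    """Evaluate one class-map against a packet's protocol label.

    mode     -- "match-any" (logical OR) or "match-all" (logical AND)
    criteria -- list of (negated, protocol) pairs; negated=True models
                'match not protocol X'
    """
    results = [(proto != p) if negated else (proto == p)
               for negated, p in criteria]
    if mode == "match-any":
        return any(results)
    if mode == "match-all":
        return all(results)
    raise ValueError(f"unknown class-map mode: {mode}")


def selected(mode, criteria, traffic):
    """Return the protocol labels from traffic that land in the class."""
    return [p for p in traffic if matches(mode, criteria, p)]


TRAFFIC = ["http", "https", "dns", "smtp"]     # constructed sample
WEB = [(False, "http"), (False, "https")]      # match protocol ...
NOT_WEB = [(True, "http"), (True, "https")]    # match not protocol ...

if __name__ == "__main__":
    for name, mode, crit in [
        ("web, match-all", "match-all", WEB),        # selects nothing
        ("web, match-any", "match-any", WEB),        # selects web only
        ("noWeb, match-any", "match-any", NOT_WEB),  # selects everything
        ("noWeb, match-all", "match-all", NOT_WEB),  # selects non-web only
    ]:
        print(f"{name:18} -> {selected(mode, crit, TRAFFIC)}")
```

A policer on a class that selects nothing never drops a packet, and a bandwidth guarantee on a class that selects everything protects nothing from web traffic, so the match mode matters as much as the rate.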

