
3845 and T1 QoS

bryan.lofland (Level 1)

I am hoping that someone could help me out with a rather simple QoS config for a Cisco 3845 with a single T1/CSU card in it.

I have no VoIP running through this interface. I was hoping to put some limits on how much web and other traffic is used on the inbound side of the interface. I would like it so that the interface drops any HTTP (or HTTPS) packets when it has reached >90% capacity.

My problem is that akamai technologies servers aren't closing sessions properly and they keep hammering my T1 (even after my client is disconnected). So that has resulted in me adding a lot of deny xxxxx in my Inbound ACL. If I could just QoS that interface and say that no more than 90% of my bandwidth can be HTTP(S) traffic shouldn't that prevent me from adding all of these servers to my ACL? At least a little bit?

4 Replies

royalblues (Level 10)

You can basically try to achieve this using policing.

What are the other traffic types that you are trying to protect from the HTTP/HTTPS traffic?

e.g. to restrict:

class-map match-any QoS
 ! match-any: a packet is HTTP or HTTPS, never both, so match-all would never match
 match protocol http
 match protocol https
!
policy-map QoS
 class QoS
  ! CIR = 90% of a T1 (1.544 Mbps) is roughly 1,389,600 bps; adjust to your line rate
  police 1389600 conform-action transmit exceed-action drop
!
interface serial 0/0
 ip nbar protocol-discovery
 service-policy output QoS

We should know what other traffic types need to be protected so that they can be prioritised during congestion, rather than just dropping the above traffic.

HTH

Narayan
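To see what "police CIR at 90% of the bandwidth" actually does to a flow before committing it to a router, here is a small model of the single-rate, two-colour token-bucket policer that the IOS police command implements (conform-action transmit, exceed-action drop). This is an added example, not code from the thread or from Cisco; the CIR is 90% of a T1 (1,544,000 bps), the committed burst of 15,000 bytes is an assumed value rather than an IOS default, and the two constant-rate HTTP flows are constructed traffic. Unlike the bandwidth-percent queueing discussed later in the thread, a policer drops excess packets whether or not the link is congested, and the model makes that visible: a 1.2 Mb/s flow passes untouched while a 2.4 Mb/s flow loses 75 of 200 packets in one second.

```python
"""Token-bucket model of an IOS single-rate policer (constructed example).

Not the thread's or Cisco's code: it models 'police <cir> conform-action
transmit exceed-action drop' so the effect of a 90%-of-T1 CIR on an HTTP
flow can be inspected offline. Time is integer microseconds and tokens are
exact Fractions so the counts are deterministic.
"""
from dataclasses import dataclass, field
from fractions import Fraction

T1_BPS = 1_544_000              # T1 line rate in bits per second
CIR_BPS = T1_BPS * 9 // 10      # 1_389_600 bps: the "90% of the bandwidth" in the thread
ASSUMED_BC_BYTES = 15_000       # committed burst (bucket depth); assumed, not an IOS default


@dataclass
class Policer:
    cir_bps: int
    bc_bytes: int
    tokens_bits: Fraction = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # the bucket starts full, so a burst up to Bc bytes passes immediately
        self.tokens_bits = Fraction(self.bc_bytes * 8)

    def offer(self, now_us: int, size_bytes: int) -> str:
        """Classify one packet: 'conform' (transmit) or 'exceed' (drop)."""
        elapsed_us = now_us - self.last_us
        self.last_us = now_us
        # refill at the committed rate, but never above the bucket depth
        refill = Fraction(self.cir_bps * elapsed_us, 1_000_000)
        self.tokens_bits = min(Fraction(self.bc_bytes * 8), self.tokens_bits + refill)
        need_bits = size_bytes * 8
        if self.tokens_bits >= need_bits:
            self.tokens_bits -= need_bits
            return "conform"
        return "exceed"


def police_flow(packets, cir_bps=CIR_BPS, bc_bytes=ASSUMED_BC_BYTES):
    """Run (arrival_us, size_bytes) packets through a policer; return (conform, exceed) counts."""
    policer = Policer(cir_bps, bc_bytes)
    conform = exceed = 0
    for arrival_us, size_bytes in packets:
        if policer.offer(arrival_us, size_bytes) == "conform":
            conform += 1
        else:
            exceed += 1
    return conform, exceed


def constant_rate_flow(pps: int, size_bytes: int = 1500, seconds: int = 1):
    """Constructed traffic: one full-size packet every 1/pps seconds."""
    interval_us = 1_000_000 // pps
    return [(k * interval_us, size_bytes) for k in range(pps * seconds)]


if __name__ == "__main__":
    for pps in (100, 200):
        offered_bps = pps * 1500 * 8
        transmitted, dropped = police_flow(constant_rate_flow(pps))
        print(f"{offered_bps / 1e6:.2f} Mb/s offered vs {CIR_BPS / 1e6:.2f} Mb/s CIR: "
              f"{transmitted} transmitted, {dropped} dropped")
```

The drop count depends on the burst size as much as on the CIR: a larger Bc lets a short burst through before the bucket drains, so when tuning a real policer it is worth checking the burst parameters rather than only the rate.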

I really am just trying to prevent one or two IPs taking up all of my inbound bandwidth. There really aren't too many other protocols on that line that I should be worried about other than UDP 53 (DNS) and VPN traffic (a VPN 3005 using IPsec is behind that router).

Thanks for the help.

a.cruea1980 (Level 3)

Depending on your IOS version, you may be able to implement this command to keep akamai from holding connections open indefinitely.

http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a0080444bc0.html#wp1145301

http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a0080443b45.html#wp1185648

There are also SYN and FIN wait times you might want to check out. Just a thought.

If you have a firewall, you could also apply these commands there instead.

mheusing (Cisco Employee)

Hi,

You are talking about "inbound bandwidth". Are the servers at the other end of your T1? Then the harm is already done, when the packet arrives at your router, as the bandwidth to transport the packets across the T1 is already taken. I would rather suggest in this case to have an outbound policy to prevent the packets from being transmitted.

As such, a simple queueing configuration should be sufficient, like:

class-map match-all noWeb
 ! match-all: the packet must be neither HTTP nor HTTPS (match-any with two
 ! "match not" lines would put every packet in the class)
 match not protocol http
 match not protocol https
!
policy-map Queueing
 class noWeb
  bandwidth percent 10
!
! Serial0/0/0 is an assumed name for the T1 interface; substitute your own
interface Serial0/0/0
 service-policy output Queueing

This will guarantee at least 10% of the interface bandwidth to the rest of the traffic. You may want to adjust the percentage setting for optimum results.

Regards, Martin
