QOS on file share traffic

Answered Question
Mar 13th, 2008

My company has a 3Mb pipe to the Internet coming into a telco-managed router. There is then a Fast Ethernet connection from the telco router to our Cisco 2851 (going through a PIX). We have a site-to-site VPN tunnel set up on the PIX for accessing certain servers. The routing and everything works fine.


The issue is that we upload data onto the servers on the other side of the tunnel through Windows File Sharing. However, if the basic connection is completely saturated due to someone in the company downloading a large file (for example), access to the file shares on the other side of the VPN tunnel becomes unusably slow. I want to set up QOS on the 2851 router to prioritize traffic to/from the network on the other side of the VPN tunnel. Is this doable (prioritizing traffic both to and from the network on the other side of the VPN tunnel)?


I am very, very new to Cisco networking.


Thank you in advance.

Correct Answer by mheusing, Fri, 03/14/2008 - 07:39

Hi,


Based on your topology, the 2851 could use a nested policy to control outbound traffic (to the PIX and beyond) to

a) shape the traffic destined for the internet and the VPN down to 3 Mbps (or somewhat below to account for layer 2 encapsulation overhead)

b) give priority to traffic going to the VPN over traffic to anywhere else in the internet.

For technical details and configuration have a look at

http://www.cisco.com/en/US/docs/ios/12_4/qos/configuration/guide/qsbcbts.html#wp1046398


In principle the configs could look like this:


access-list 100 permit
! use the PIX description of what to encrypt in the tunnel
!
class-map match-any VPNtraffic
 match access-group 100
 ! MQC references the ACL with "match access-group", not "match ip address"
!
! the child policy has to exist before the parent policy references it
policy-map Prio4VPN
 class VPNtraffic
  bandwidth percent 80
  ! here 80% is for VPN, 20% for internet; adjust to your requirements
 class class-default
  fair-queue
  random-detect
  ! the "rest" of the traffic is fair-queued with WRED turned on, which is best practice
!
policy-map Shape3M
 class class-default
  shape average 2900000
  ! make sure you do not overload your internet connection and control bandwidth access locally
  service-policy Prio4VPN
  ! controls which app gets what amount of your 3 Mbps
!
interface FastEthernet1/0
 service-policy output Shape3M
 ! applies the policy to the interface connecting the 2851 to the PIX


Controlling the return traffic from the internet is trickier, but you could try the same approach by applying a similar policy with adjusted traffic descriptions (replace ACL 100 in a new class-map) for the return traffic.


Hope this helps! Please use the rating system.


Regards, Martin
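As an added illustration (not code from the thread or from Cisco), the Python model below approximates what the nested policy above does under load: `shape average 2900000` caps everything at 2.9 Mbps, and `bandwidth percent 80` is a minimum guarantee for the VPN class under congestion rather than a ceiling, with unused bandwidth handed to whichever class still has demand. It assumes a simplified CBWFQ excess-sharing rule (leftover split in proportion to the classes' percentages) and ignores the fair-queue and WRED behaviour inside class-default.

```python
"""Constructed model of the Shape3M / Prio4VPN policy pair from the thread.

The shaper caps the total at SHAPE_BPS; the child policy's `bandwidth
percent` values are minimum guarantees under congestion.  Bandwidth a
class does not use is shared among the classes that still have demand,
weighted by their percentages (simplified CBWFQ behaviour, an assumption).
"""

SHAPE_BPS = 2_900_000                      # shape average 2900000
# class name -> bandwidth percent from policy-map Prio4VPN
CHILD_POLICY = {"VPNtraffic": 80, "class-default": 20}


def allocate(offered_bps: dict, shape_bps: int = SHAPE_BPS,
             policy: dict = CHILD_POLICY) -> dict:
    """Return the rate (bit/s) each class actually gets through the shaper.

    offered_bps: class name -> bit/s the class is trying to send.  Names
    not present in `policy` are counted as class-default demand.
    """
    policy = dict(policy)
    if sum(policy.values()) > 100:
        raise ValueError("bandwidth percent in a child policy may not exceed 100")
    policy.setdefault("class-default", 100 - sum(policy.values()))
    demand = {c: 0.0 for c in policy}
    for cls, bps in offered_bps.items():
        demand[cls if cls in policy else "class-default"] += bps
    # Pass 1: each class is guaranteed up to its percent of the shaped rate.
    granted = {c: min(demand[c], shape_bps * pct / 100)
               for c, pct in policy.items()}
    # Pass 2: give unused bandwidth to classes still demanding, in proportion
    # to their weights, until nothing is left or nobody wants more.
    leftover = shape_bps - sum(granted.values())
    while leftover > 1e-6:
        hungry = {c: w for c, w in policy.items()
                  if w > 0 and demand[c] - granted[c] > 1e-6}
        if not hungry:
            break
        total_w = sum(hungry.values())
        gave = 0.0
        for c, w in hungry.items():
            extra = min(leftover * w / total_w, demand[c] - granted[c])
            granted[c] += extra
            gave += extra
        leftover -= gave
    return granted


if __name__ == "__main__":
    # Constructed scenario from the question: one big internet download
    # (5 Mbit/s offered) competing with 1 Mbit/s of file-share traffic to the VPN.
    print(allocate({"VPNtraffic": 1_000_000, "class-default": 5_000_000}))
```

Offering 5 Mbit/s on both classes shows the guarantee (2.32 Mbit/s to the VPN, 0.58 Mbit/s to the rest); when the VPN class offers only 1 Mbit/s, the download is allowed to grow to 1.9 Mbit/s instead of being capped at 20%.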

Joseph W. Doherty Thu, 03/13/2008 - 18:41

Depending on what traffic the 2851 sees, and when it sees it (not clear what side of the PIX it's on), you could limit total bandwidth consumption of some traffic or set usage ratios between competing traffic. This works best for outbound traffic. For inbound traffic, the link is often saturated before your QoS takes effect. (Ideally, inbound is managed on the far side's outbound. Perhaps you can manage the far side's VPN usage to you.)

braninl29 Fri, 03/14/2008 - 07:06

The order is -> <2851> -> -> -> . The VPN traffic is what I want to prioritize over traffic from anybody else. With QoS delaying and dropping ACK packets back to everybody on the Internet while prioritizing traffic, would that give me functionally what I'm after (basically, using the TCP/IP congestion avoidance algorithms built into the protocol instead of QoS directly)?


Thanks.

Joseph W. Doherty Fri, 03/14/2008 - 08:06

Yes, ACK shaping (for TCP) does work to "clock" inbound traffic. (I've used it on DS3.) A little goes a long way. You still get some inbound bursting as the TCP window opens. Not certain you'll be able to get the ACK rate low enough to be effective across only 3 Mbps. Haven't tried dropping the ACKs. One problem with either: it is hard to allow low priority inbound traffic to use the link when bandwidth is available.


Martin's post has a good example for outbound. Two cautions: first, FQ within class-default tends to distort bandwidth to other classes on many platforms. Second, random-detect, with default settings, doesn't help much with non-TCP traffic.

