QOS on file share traffic

braninl29
Level 1

My company has a 3Mb pipe to the Internet coming into a telco-managed router. There is then a Fast Ethernet connection from the telco router to our Cisco 2851 (going through a PIX). We have a site-to-site VPN tunnel setup on the PIX for accessing certain servers. The routing and everything works fine.

The issue is that we upload data onto the servers on the other side of the tunnel through Windows File Sharing. However, if the basic connection is completely saturated due to someone in the company downloading a large file (for example), access to the file shares on the other side of the VPN tunnel becomes unusably slow. I want to set up QOS on the 2851 router to prioritize traffic to/from the network on the other side of the VPN tunnel. Is this doable (prioritizing traffic both to and from the network on the other side of the VPN tunnel)?

I am very, very new to Cisco networking.

Thank you in advance.

1 Accepted Solution

Accepted Solutions

mheusing
Cisco Employee

Hi,

Based on your topology, the 2851 could use a nested policy to control outbound traffic (to pix and beyond) to

a) shape the traffic destined for the internet and the VPN down to 3 Mbps (or somewhat below to account for layer 2 encapsulation overhead)

b) give priority to traffic going to the VPN over traffic to anywhere else in the internet.

For technical details and configuration have a look at

http://www.cisco.com/en/US/docs/ios/12_4/qos/configuration/guide/qsbcbts.html#wp1046398

In principle the configs could look like this:

access-list 100 permit
! use the PIX description on what to encrypt in the tunnel
!
class-map match-any VPNtraffic
 match access-group 100
!
policy-map Prio4VPN
 ! controls which app gets what amount of your 3 Mbps
 class VPNtraffic
  bandwidth percent 80
  ! here 80% is for VPN, 20% for internet; adjust to your requirements
 class class-default
  fair-queue
  random-detect
  ! the "rest" of traffic is fair-queued with WRED turned on, which is best practice
!
policy-map Shape3M
 class class-default
  shape average 2900000
  ! make sure you do not overload your internet connection and control bandwidth access locally
  service-policy Prio4VPN
!
interface FastEthernet1/0
 service-policy output Shape3M
 ! applies the policy to the interface connecting the 2851 to the PIX

Controlling the return traffic from the internet is more tricky, but you could try the same approach, applying a similar policy with adjusted traffic descriptions (replace ACL 100 in a new class-map) for the return traffic.

Hope this helps! Please use the rating system.

Regards, Martin

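As an added illustration of the "same approach for the return traffic" that Martin describes (this is not from his post or from Cisco), here is the mirrored policy for traffic arriving from the far side of the tunnel. The remote VPN network 10.20.0.0/24, the local LAN 192.168.1.0/24 and FastEthernet0/0 as the 2851's LAN-facing interface are assumed placeholders.

```cisco
! Added example, not from the original post. Placeholder addressing and
! interface names; replace with your own.
!
! Classify traffic coming FROM the remote VPN network: source and
! destination are swapped relative to the outbound ACL 100.
access-list 101 remark return traffic from the remote VPN network (assumed)
access-list 101 permit ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
class-map match-any VPNreturn
 match access-group 101
!
! Child policy: the same 80/20 split, now for the inbound direction.
policy-map Prio4VPN-in
 class VPNreturn
  bandwidth percent 80
 class class-default
  fair-queue
  random-detect
!
! Parent shaper: the inbound pipe is also 3 Mbps, so shape what leaves the
! LAN-facing interface to slightly less. Packets delayed or dropped here slow
! the TCP senders on the Internet, but only after the link has already filled.
policy-map Shape3M-in
 class class-default
  shape average 2900000
  service-policy Prio4VPN-in
!
interface FastEthernet0/0
 description LAN-facing interface (assumed)
 service-policy output Shape3M-in
```

Check the class counters with show policy-map interface FastEthernet0/0 to confirm that the VPNreturn class actually matches traffic before trusting the split.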

4 Replies

Joseph W. Doherty
Hall of Fame

Depending what traffic the 2851 sees, and when it sees it (not clear what side of the PIX it's on), you could limit total bandwidth consumption of some traffic or set usage ratios between competing traffic. This works best for outbound traffic. For inbound traffic, the link is often saturated before your QoS takes effect. (Ideally, inbound is managed on the far sides outbound. Perhaps you can manage the far side's VPN usage to you.)

The order is -> <2851> -> -> -> . The VPN traffic is what I want to prioritize over traffic from anybody else. With QoS delaying and dropping ACK packets back to everybody on the Internet while prioritizing traffic, would that give me functionally what I'm after (basically, using the TCP/IP congestion avoidance algorithms built into the protocol instead of QoS directly)?

Thanks.

Yes, ACK shaping (for TCP) does work to "clock" inbound traffic. (I've used it on DS3.) A little goes a long way. You still get some inbound bursting as the TCP window opens. Not certain you'll be able to get the ACK rate low enough to be effective across only 3 Mbps. Haven't tried dropping the ACKs. One problem with either: hard to allow low priority inbound traffic to use the link when bandwidth is available.

Martin's post has a good example for outbound. Two cautions: first, FQ within class-default tends to distort bandwidth to other classes on many platforms. Second, random-detect, with default settings, doesn't help much with non-TCP traffic.

