03-13-2008 02:15 PM - edited 03-05-2019 09:44 PM
My company has a 3Mb pipe to the Internet coming into a telco-managed router. There is then a Fast Ethernet connection from the telco router to our Cisco 2851 (going through a PIX). We have a site-to-site VPN tunnel set up on the PIX for accessing certain servers. The routing and everything works fine.
The issue is that we upload data onto the servers on the other side of the tunnel through Windows File Sharing. However, if the basic connection is completely saturated due to someone in the company downloading a large file (for example), access to the file shares on the other side of the VPN tunnel becomes unusably slow. I want to set up QoS on the 2851 router to prioritize traffic to/from the network on the other side of the VPN tunnel. Is this doable (prioritizing traffic both to and from the network on the other side of the VPN tunnel)?
I am very, very new to Cisco networking.
Thank you in advance.
03-14-2008 07:39 AM
Hi,
Based on your topology, the 2851 could use a nested policy to control outbound traffic (to pix and beyond) to
a) shape the traffic destined for the internet and the VPN down to 3 Mbps (or somewhat below to account for layer 2 encapsulation overhead)
b) give priority to traffic going to the VPN over traffic to anywhere else in the internet.
For technical details and configuration have a look at
http://www.cisco.com/en/US/docs/ios/12_4/qos/configuration/guide/qsbcbts.html#wp1046398
In principle the configs could look like this:
! Classification: traffic destined for the far side of the VPN.
! Use the PIX description of what gets encrypted in the tunnel (the crypto ACL) for the permit statement.
access-list 100 permit
class-map match-any VPNtraffic
 match ip address 100
!
! Child policy: controls which app gets what amount of your 3 Mbps.
! Here 80% is for VPN, 20% for internet. Adjust to your requirements.
policy-map Prio4VPN
 class VPNtraffic
  bandwidth percent 80
 class class-default
  fair-queue
  random-detect
! The "rest" of the traffic is fair-queued with WRED turned on, which is best practice.
!
! Parent policy: make sure you do not overload your internet connection and control bandwidth access locally.
policy-map Shape3M
 class class-default
  shape average 2900000
  service-policy Prio4VPN
!
! Applies the policy to the interface connecting the 2851 to the PIX.
interface FastEthernet1/0
 service-policy output Shape3M
To control the return traffic from the internet is more tricky, but you could try the same approach, by applying a similar policy with adjusted traffic descriptions (replace ACL 100 in a new class-map) for the return traffic.
Hope this helps! Please use the rating system.
Regards, Martin
03-13-2008 06:41 PM
Depending on what traffic the 2851 sees, and when it sees it (not clear what side of the PIX it's on), you could limit total bandwidth consumption of some traffic or set usage ratios between competing traffic. This works best for outbound traffic. For inbound traffic, the link is often saturated before your QoS takes effect. (Ideally, inbound is managed on the far side's outbound. Perhaps you can manage the far side's VPN usage to you.)
03-14-2008 07:06 AM
The order is
Thanks.
03-14-2008 08:06 AM
Yes, ACK shaping (for TCP) does work to "clock" inbound traffic. (I've used it on DS3.) A little goes a long way. You still get some inbound bursting as the TCP window opens. Not certain you'll be able to get the ACK rate low enough to be effective across only 3 Mbps. Haven't tried dropping the ACKs. One problem with either: it's hard to allow low-priority inbound traffic to use the link when bandwidth is available.
Martin's post has a good example for outbound. Two cautions: first, FQ within class-default tends to distort bandwidth to other classes on many platforms. Second, random-detect, with default settings, doesn't help much with non-TCP traffic.
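Putting Martin's outbound design and Joseph's two cautions together, here is a complete hierarchical policy for both directions. This is an added example, not the configuration Martin posted and not a Cisco reference config; the subnets (10.10.0.0/16 local, 10.20.0.0/16 behind the far end of the PIX VPN), the interface names and descriptions, and the ACL/class/policy names are all placeholders chosen for illustration. It assumes the 2851 sits on the inside of the PIX, so it sees the VPN traffic in cleartext and can classify it with the same source/destination pairs the PIX uses as its crypto ACL. The return-direction policy on the LAN interface only delays packets that have already crossed the 3 Mb pipe, so, as Joseph notes, its effect on inbound is indirect (through TCP backing off); it is still useful for keeping the file-share traffic ahead of bulk downloads once they reach the router.

```cisco
! Added example (not from the original post). Placeholder addresses:
!   10.10.0.0/16 = local LAN, 10.20.0.0/16 = subnet behind the far end of the VPN
!
! Classification for the outbound direction (toward the PIX and the tunnel)
ip access-list extended VPN-OUT
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! Classification for the return direction (from the tunnel toward the LAN)
ip access-list extended VPN-IN
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
class-map match-any VPNtraffic-out
 match access-group name VPN-OUT
class-map match-any VPNtraffic-in
 match access-group name VPN-IN
!
! Child policy: split the shaped 3 Mbps between VPN and everything else.
! class-default gets an explicit bandwidth guarantee instead of fair-queue,
! per Joseph's caution that FQ in class-default distorts other classes on many platforms.
! WRED stays on, but note his second caution: with defaults it mainly helps TCP.
policy-map Prio4VPN-out
 class VPNtraffic-out
  bandwidth percent 80
 class class-default
  bandwidth percent 20
  random-detect
!
! Parent policy: shape just under the 3 Mbps pipe so queuing (and therefore
! the 80/20 split) happens on the 2851 rather than in the telco router.
policy-map Shape3M-out
 class class-default
  shape average 2900000
  service-policy Prio4VPN-out
!
! Same structure for return traffic, using the mirrored ACL in a new class-map.
policy-map Prio4VPN-in
 class VPNtraffic-in
  bandwidth percent 80
 class class-default
  bandwidth percent 20
  random-detect
policy-map Shape3M-in
 class class-default
  shape average 2900000
  service-policy Prio4VPN-in
!
! Outbound policy on the interface facing the PIX (placeholder interface names)
interface FastEthernet1/0
 description To PIX (toward telco router and Internet)
 service-policy output Shape3M-out
!
! Return-direction policy on the interface facing the inside LAN
interface FastEthernet0/0
 description Inside LAN
 service-policy output Shape3M-in
!
! Verification: per-class packets/bytes, drops and queue depth for each direction.
! Run while a large download is in progress to confirm VPN traffic is not
! being dropped in the VPNtraffic classes and the shaper is what is queuing.
!   show policy-map interface FastEthernet1/0
!   show policy-map interface FastEthernet0/0
!   show class-map
```

The `shape average` value is deliberately a little under the 3 Mbps contract to leave room for layer 2 overhead, as Martin suggests; if `show policy-map interface` shows no queuing activity on the 2851 during saturation, the shaper is set too high and the telco router is doing the dropping instead.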