Basic QOS

Arthur Kant · ‎09-04-2008

Our entire office is made up of l2l vpn connections, and now some dmvpn connections. Our branch's are typically a 2811 router with an internet connection back to corp.

I understand the limitations to point of QoS and using the Internet. I understand that Qos is usually done on the outbound.

What is avaiable via Cisco Routers to "protect" my pristine internet conncection from file leechers ..et which in turn degrades my tunnel.

All branch sites are set to "surf" out their local isp default gateway. What happens is people play games ..etc which nails my vpn :) I want to make sure my vpn always has priority, which I can do on the outbound.. but not on the in bound.

How do all of you mitgate branch site / vpn branch site Internet traffic so that it does not congest your links? Is the only option to tunnel ALL traffic and qos on both ends, short of begging my ISP to put Qos on their link facing me?

Joseph W. Doherty · ‎09-04-2008

Ideally, you want QoS, outbound on both ends, but even begging your ISP isn't always effective to obtain QoS. (They usually will sell you more bandwidth, even when you can't buy from them QoS.)

There are two techniques that can be used to control, to some extent, non-VPN inbound TCP traffic from flooding your link.

One technique is to rate-limit, or police, the non-VPN inbound TCP traffic. TCP attempts to increase its speed during large transfers, but slows down when it detects packet drops.

Another tecnique is to shape outbound ACKs for the non-VPN inbound TCP traffic. TCP will only send so many packets until waiting for return ACKs.

For non-TCP traffic, the rate-limit techique might work, or it might not.

PS:

If a "cheap" business class ADSL or cable service is available, you might want to split off non-critical traffic to a separate Internet link. (If you're clever, you can use each link to provide failover for the other.)