cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2720
Views
0
Helpful
32
Replies

IOS 2801 QoS and VPN

Deepseadata
Level 1
Level 1

Hey there,

Sorry. I've been reading and reading but I guess I'm doing an uncommon scenario.

I have a slow (256k) wan link. I need to push all WAN users aside when I dial in with my VPN client to do maint.

Can anyone give me some QoS options?

The other QoS needs I have are that I have a few vLAN's but I need to give one vlan all/most of the WAN bandwidth and push aside the other vlan traffic.

Have any tricks up your sleeve?

32 Replies 32

Joseph W. Doherty
Hall of Fame
Hall of Fame

CBWFQ would likely support your needs, outbound. Inbound is a problem unless you also control the other side of the link's outbound.

Although CBWFQ would support some flows to push aside others (again outbound), if you're using FIFO now, you might try WFQ first. If default WFQ doesn't perform as you require, you might try increasing the IP Precedence of the more important traffic (which will bias per flow bandwidth allocation).

The reason I even suggest WFQ, CBWFQ is very powerful, so much so, it's easy to obtain "unintended results".

OK. I'm going on a CBWFQ reading mission.

So I can turn use CBWFQ to take bandwidth from a range of IP's when another range of IP's need it?

Thanks for the quick reply BTW!

Yes.

e.g.

ip access-list extended importantIPaddrs

permit ip ...

.

.

ip access-list extended notimportantIPaddrs

permit ip ...

.

.

class-map match-axx importantIPaddrs

match access-group name importantIPaddrs

class-map match-axx notimportantIPaddrs

match access-group name notimportantIPaddrs

service-policy cbwfq

class importantIPaddrs

bandwidth remaining 99 percent

class notimportantIPaddrs

bandwidth remaining 1 percent

interface . . .

service-policy output cbwfq

Whoa! That's some good stuff, Joseph. I better ask some questions before I plop that into my config. Lets say the important range is 192.168.51.0 and all the rest aren't.

Please pardon my syntax

Can I enter:

ip access-list extended importantVLAN

permit ip 192.168.51.0 0.0.0.255 any

ip access-list extended notimportantVLAN

permit ip 192.168.0.0 0.0.255.255 any

class-map match-access-list importantVLAN

match access-group name importantVLAN

class-map match-access-list notimportantVLAN

match access-group name notimportantVLAN

service-policy cbwfq

class importantVLAN

bandwidth remaining 99 percent

class notimportantVLAN

bandwidth remaining 1 percent

interface Fa0/1 (my WAN interface)

service-policy output cbwfq

When the important people aren't using the link will the notsoimportantVLAN get 100?

Once I turn this on, will if effect my voice traffic coming from my FXS ports to my Fa0/1?

Thanks, Joe!

"When the important people aren't using the link will the notsoimportantVLAN get 100?"

Yes. What happen when both VLANs compete for bandwidth, they will get it in the ratio of 99:1. However, any bandwidth not needed by one is available to the other.

"Once I turn this on, will if effect my voice traffic coming from my FXS ports to my Fa0/1?"

Never worked with an FXS, so don't know without some research. If its traffic will transit your WAN link as VoIP, then we would likely want to define a LLQ (priority) class for it as part of the policy. If the traffic transits your WAN link as analog voice, channel separation should protect it.

I think I better post my config because I didn't configure the voice. I want to make sure that 99% doesn't steal voice'sbandwidth needs.

interface Loopback0

ip address

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

description Starboard VSAT $FW_OUTSIDE$

ip address 10.20.46.20 255.255.255.0

ip nat outside

ip virtual-reassembly

no ip mroute-cache

speed 100

full-duplex

!

interface FastEthernet0/3/0

!

interface FastEthernet0/3/1

!

interface FastEthernet0/3/2

!

interface FastEthernet0/3/3

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Vlan1

description $FW_INSIDE$

ip address 192.168.49.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

router eigrp 1

network 192.168.0.0

network 192.168.49.0

auto-summary

!

ip local pool SDM_POOL_1 192.168.254.160 192.168.254.170

ip default-gateway 10.20.46.1

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.20.46.1

!

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0

ip nat inside source list 1 pool MADNATPOOL overload

!

access-list 1 permit 192.168.0.0 0.0.255.255

!

!

control-plane

!

!

voice-port 0/2/0

echo-cancel coverage 32

no comfort-noise

cptone GB

timeouts interdigit 3

music-threshold -70

!

voice-port 0/2/1

echo-cancel coverage 32

no comfort-noise

cptone GB

timeouts interdigit 3

music-threshold -70

!

ccm-manager mgcp

!

mgcp

mgcp call-agent 10.129.48.11 service-type mgcp version 0.1

mgcp dtmf-relay voip codec all mode nse

mgcp codec g729r8 packetization-period 60

mgcp playout adaptive 100 50 200

mgcp playout fax 500

no mgcp timer receive-rtcp

mgcp timer net-cont-test 1000

mgcp timer nse-response t38 1000

mgcp sdp simple

no mgcp fax t38 ecm

mgcp fax t38 nsf 000000

!

mgcp profile default

!

!

dial-peer cor custom

!

!

dial-peer voice 1 pots

service mgcpapp

port 0/2/0

!

dial-peer voice 2 pots

service mgcpapp

port 0/2/1

!

gateway

timer receive-rtp 1200

!

call-manager-fallback

max-conferences 4 gain -6

ip source-address 10.20.46.20 port 2000

max-ephones 24

max-dn 24

One more thing.

If there was some other QoS stuff in place, is it possible that it could take the overall bandwidth or just the remaining bandwidth that the voice entries might have set aside for themselves?

Back to the books.... thanks for hanging in there with me, Joseph.

If voice is placed into a LLQ (priority) class, it can get its defined bandwidth regardless of other traffic. It also goes first. It, however, will be limited to just its defined amount of bandwidth if there's congestion. This differs from other classes that can obtain more bandwidth then they are defined for assuming other classes are not using their allocations.

For other traffic, you need to juggle how you allocate bandwidth. I haven't mentioned it, by there's a default-class for traffic you've haven't matched. Also, CBWFQ, by default, reserves 25% for other undefined traffic including an implicit default-class (class can also be defined explicitly). The default-class and default other bandwidth reservation are related but not the same. Also, like other classes, bandwidth not being used is available to other traffic.

For example how this all interplays, your importantVLAN or nonimportantVLAN traffic can use 100% of the link if there's no other traffic, but if the router needed to send a routing packet (e.g. OSPF LSA) or you needed to telnet to the router, assuming neither matches an explicit class, both could, by default, in combination use up to 25% of your link's bandwidth assuming your defined classes traffic want 100%. (Actually, what bandwidth the implicit class-default could obtain is likely more than 25% unless all the other 75% was being used by LLQ classes.)

PS:

As you're perhaps starting to realize, this can be very powerful stuff, but like fire, you can easily burn yourself. I often suggest starting with fair-queue. If some traffic needs just a little more priority than other traffic, then set IP Precedence values since fair-queue on Cisco is often weighted fair-queue. If there's real-time traffic, add a LLQ class for it. Beyond this, you should really understand what you want to accomplish and what may happen.

e.g. CBWFQ simple policy

class-map match-axx real-time

.

.

policy-map generalCBWFQ

class realtime

bandwidth priority percent 33

The above has an implicit class-default, but if you want to explicitly define it, add:

class class-default

fair-queue

[edit]

PPS:

Just realized, your using ethernet but have 256 K downsteam. You'll likely need to shape.

e.g.

service-policy shape256K

!less about 10% to account for Ethernet L2 overhead

shape average 225000

service-policy generalCBWFQ

interface FastEthernet0/1

service-policy output shape256K

Joseph, you really are good.

The more I read about CBWFQ the more I see your name pop up. Thanks for helping all of us.

It's starting to look like QoS inbound is a tough task. I guess it would be hard to police inbound traffic by vlan or ip range because incomming traffic changes ip address depending on where you're downloading from.. eh?

Hmmm.... It seems pretty common to do QoS by what "type" of traffic, but giving inbound bandwidth on my outside WAN interface looks like it's not going to happen.

It sounds like I can do inbound stuff on my L3 3560 switch but it seems like it will be too late because my router's WAN int will be choking on the internet inbound traffic and slowing everyone down anyway.

Before I pull the plug on this plan. Is there any hope?

For inbound, although there are many Internet addresses, you can still identify the VLANs by internal source addresses. In other words, for outbound you match to source address, for inbound you match to destination addresses.

Yes, you've got it. When you try to manage traffic downstream of the bottleneck with a policer, the bottleneck can still be congested with traffic. If the inbound traffic is TCP, it should slow if it sees drops caused by the policer, so a downstream policier can have some impact regulating inbound upstream traffic. Problem is, TCP bursts first, sees the drops, then slows. In my experience, you need to police much slower than you really want to keep the bursts from choking the link which tends to drop the average inbound rate of that traffic. (It can be a useful technique, though, to target bulk background data transfers.) Some traffic, like UDP applications, may not slow their rate at all when they see policer drops, but those drops will often adversely impact the application.

Your're also correct, 3560 can do inbound stuff, but it can do some port based outbound stuff too, including, I believe, bandwidth idleing of a port. For the inbound stuff, you often can control both direction by doing inbound (or outbound) on both "sides" of the switch, i.e. inbound on both LAN facing and WAN facing ports.

Your best hope on something like a 3560 would be to configure the output port bandwidth usage to match the upstream available bandwidth and then separate traffic into one of the four queues. You would detmine the bandwidth allowance for each of the four queues. (No fancy CBWFQ for output supported on that platform.)

For inbound, if you find there's one type of TCP traffic that tends to use most of the bandwidth of the inbound link, you can police that down to a low value of the link's bandwidth, perhaps under 10% or more. (TCP should still manage to forward the traffic.)

Beyond that, you could obtain a small WAN router for between the 3560 and the WAN. This would allow you to implement better QoS outbound, but it wouldn't really help much with inbound, although another technique is to shape outbound TCP ACKs, but that's very trickly to get to work well too.

Lastly, there are 3rd party traffic appliances (e.g. Packeteer) that can really help in this situation since they often muck around with not only per flow shaping but can sometimes adjust certain TCP packet fields like what a receiving TCP host's receive window size is.

PS:

Yes, guess I do pop up alot on CBWFQ (or QoS in general). Perhaps a subspecially of mine is obtaining optimal performance with computer systems or the most "bang for the buck". Cisco's QoS features, such as CBWFQ, are often very useful, or even critical, in getting the best performance and/or to accomplish your business performance goals at minimal cost.

I'm learning. You're making it pretty easy to understand. The Cisco Docs leave me more confused evertime I go back and look at them.

You said:

For inbound, although there are many Internet addresses, you can still identify the VLANs by internal source addresses. In other words, for outbound you match to source address, for inbound you match to destination addresses.

Can you please let me know what this would look like in a config?

So let me get this straight - I CAN control bandwidth from the internet by using the source IP of my user's pc? Can I make it so the source is a range of IP's?

You're giving me hope again, Joe.

"So let me get this straight - I CAN control bandwidth from the internet by using the source IP of my user's pc? Can I make it so the source is a range of IP's? "

Yes, yes; but it's not very precise and often only effective with TCP.

"Can you please let me know what this would look like in a config? "

Assuming vlan1 critical was 192.168.1.0/24, you might configure ACL like this: (assuming my syntax is correct)

ip access-list extended criticalVLANs

remark match VLANs source subnet addresses

ip permit ip 192.168.1.0 0.0.0.255 any

remark match VLANs destination subnet addresses

ip permit ip any 192.168.1.0 0.0.0.255

The above ACL should match traffic to/from the VLAN(s) of interest. Since it matches traffic to/from, it could be used for either inbound or outbound purposes.

Ok I'll try to attach it to my router's WAN int Fa0/1

My vlan that is most important is 192.168.51.0

My vlan that I want to push aside is 192.168.54.0

Quick question - I actually have a 192.168.53.0 vlan that issemi important... I want to be able to push them if 192.168.51.0 wants internet. But I want to have either of those two vlans to be able to push 192.168.54.0... whew!

That said - Here's what I'm going to plug into my router config.

ip access-list extended ownerdata

remark match ownerdata source subnet addresses

ip permit ip 192.168.51.0 0.0.0.255 any

remark match ownderdata destination subnet addresses

ip permit ip any 192.168.51.0 0.0.0.255

ip access-list extended crewdata

remark match crewdata source subnet addresses

ip permit ip 192.168.54.0 0.0.0.255 any

remark match crewdata destination subnet addresses

ip permit ip any 192.168.54.0 0.0.0.255

class-map match-access-list ownerdata

match access-group name ownerdata

class-map match-access-list crewdata

match access-group name crewdata

service-policy cbwfq

Class ownerdata

bandwidth remaining 99 percent

Class crewdata

bandwidth remaining 1 percent

interface fa0/1

service-policy input cbwfq

Did I forget anything? :)

If that's correct. Can you help me slap that third vlan "officerdata" into this? They are more important than crew but less important than owners of the yacht.

Can't wait to hear what you have to say!

Crap!

Here's a rookie question.

If I don't include all my other vlans in this stuff... they're not going to be denied/filtered from getting on the internet are they? I just remember reading that there's an implicit deny any at the end of ACL's

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco