Routing HTTP, HTTPS & FTP traffic over one link.

l-durocher
Level 1

I have two routers at one site. I want to route all Web traffic (Http, Https & FTP) over one link while sending all my corporate (All other traffic) over the other link. What is the best way to route this traffic?

Thank you

8 Replies

Hi Leo,

Policy Based Routing is what you are looking for. Which device is behind those 2 WAN routers? Let's check that first: can it support PBR or not? If not, you may send all traffic to just one primary router and do PBR on it to send only all your corporate traffic to the other router.

Let's understand what PBR does for us first!

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

HTH,

Toshi

Joseph W. Doherty
Hall of Fame

Another totally different approach, rather than direct certain traffic to certain links, might be to manage traffic bandwidth allocations on both links. This approach is especially nice if one link fails, and the remaining link is required to carry all traffic.
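Putting Toshi's PBR suggestion together with Joseph's point about a link failing, here is an added example (not from any post in this thread) of PBR on the primary router that steers HTTP, HTTPS and FTP control traffic to the second router and falls back to the normal routing table when that router stops answering. The LAN subnet 10.1.1.0/24 on FastEthernet0/0, the second router's address 10.1.1.3 and the ACL, route-map and SLA names are all constructed for the example.

```cisco
! Added example, not configuration from the thread.
! Assumed: site LAN 10.1.1.0/24 behind FastEthernet0/0 of the primary router,
! second router reachable on the LAN at 10.1.1.3.

! Only traffic sourced from the site LAN may be policy-routed; anything else
! matches the deny and keeps following the routing table.
ip access-list extended WEB-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq www
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
 deny   ip any any
! Note: "eq ftp" matches only the FTP control channel (TCP/21). Passive-mode
! data connections use negotiated ports and will follow the normal route.

! Probe the second router so the policy is only honoured while it is reachable.
ip sla 1
 icmp-echo 10.1.1.3 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
! On older 12.4 images the last line is written "track 1 rtr 1 reachability".

! verify-availability: if track 1 is down the set clause is skipped and the
! packet is routed normally, i.e. over the primary WAN link.
route-map PBR-WEB permit 10
 match ip address WEB-TRAFFIC
 set ip next-hop verify-availability 10.1.1.3 10 track 1
! Packets matching no permit clause of the route-map are routed normally,
! so no explicit deny sequence is needed.

! PBR is applied on the interface where the LAN traffic enters the router.
interface FastEthernet0/0
 ip policy route-map PBR-WEB
```

Check it with "show route-map PBR-WEB" (policy-routed packet counters) and "show track 1" (state of the reachability probe) after some web traffic has passed.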

l-durocher
Level 1

OK. I have two routers, 2811s, and they are doing HSRP. Router 1 is the primary router connected to my WAN. Router 2 is the backup router connected to my HQ via IPVPN, and we are paying for this backup link. And my WAN link is heavily utilized. So we want to move all the Internet traffic (Web and FTP) over Router 2. This will leave my WAN bandwidth available to my business applications. Router 1 is the site's default gateway.

Again thank you for all your help

Yes, understand, but besides using both links, it's possible to configure your business applications to obtain priority over your non-critical traffic (again on both links). Besides your corporate traffic not being degraded by your non-critical traffic, it would have both links' bandwidth available to it. I.e., it might perform even better than dedicating links to specific traffic.

NB: managing your traffic bandwidth reservations may also permit an immediate performance boost to your business applications before you utilize your backup VPN:

e.g.

class-map match-any nonbusiness
 !don't recall whether http also matches https
 match protocol http
 match protocol ftp
policy-map managebandwidth
 class nonbusiness
  !non-critical applications obtain "available bandwidth" from minimum allocation
  bandwidth percent 1
 class class-default
  fair-queue
interface x
 service-policy output managebandwidth

As to the HSRP issue, the easiest solution, if you want to utilize both links for all traffic, might be to utilize GLBP, which the 2811s should support. (If the links offer different bandwidths, GLBP can weight their usage.)

Joseph,

In the scenario that you gave above, would this configuration change if he was using NAT?

Thanks,

John

HTH, John *** Please rate all useful posts ***

John, for just IP address NAT, probably not. If something like PAT is involved, perhaps yes.

Joseph,

This falls back into what I had asked last week, and I realized that PAT/NAT was done before QoS on outgoing traffic. So the return traffic in that case would need to reference the public address, which in turn would affect everything and not just the certain classes for that policy map, right?

That's where I get confused.

Thanks,

John

HTH, John *** Please rate all useful posts ***

John, yes if you're doing some inbound analysis of packets that relied on IP addresses, and those addresses had been NAT'ed, then you would have a problem, if you're "outside".

However, similar to ACLs, which can be placed in or out on an interface, some QoS can perform the same function in a different location. For instance, we might rate limit on interface ingress, but we might also be able to accomplish the same by rate limiting on interface egress. If we have such a choice, we can target analysis before/after NAT/PAT. (Similar issues often arise when working with VPN traffic.)

With QoS, we also have the option to limit analysis to ToS, which often isn't impacted by NAT/PAT/VPN, etc. One of the reasons for the ToS is a label, or tag, that helps us avoid every hop performing packet inspection to determine its QoS treatment. I.e., ideally we want to replace "is it FTP or VoIP?" with "is it CS1 or EF?".

Putting this together, we might classify and mark traffic as close to the source as possible, but generally classification would be on the "inside" of NAT/PAT/VPN. We then treat the traffic based on its ToS, which can be independent of "inside" or "outside".
