WRVS4400N - IPS and 50Mbps Broadband

Unanswered Question
Apr 1st, 2009

Hi,

Just been upgraded to 50Mbps Broadband, but I can only achieve 22Mbps with IPS enabled.

Is this a known problem?

Is there a work around, instead of just disabling IPS?

Clearly if I can't get this fixed I'll be going elsewhere for my router :(

Regards.

cactusdesigns Fri, 04/03/2009 - 01:19

OK, so let me get this straight, a guy in his home office (i.e. me!) has determined that the throughput with IPS is approx 20 Mbps... Shouldn't this be the other way round? That is, Cisco (a multinational company with more resource and understanding) be informing its customers (in the spec/data sheet) of the throughput?!

Anyway, since it looks like I'm going to be stuck with this router for a while longer (until I determine the throughput of a competitor product), can someone let me know what are the actual benefits of IPS and possibly a scenario where the IPS comes into effect?

After reading such articles as: http://www.networkworld.com/columnists/2003/0804snyder.html I'm none the wiser to why I need IPS, but the "fear factor" is the selling point as ever!

If I disable the IPS is there a software/hardware alternative that I can use that will not have the same performance penalty?

Regards

Steven DiStefano Fri, 04/03/2009 - 03:51

While IPS in the WRVS4400N uses signature files you update periodically to the router to provide detection (and prevention) against an anomaly, there is a network (in the cloud) service this router is eligible for which prevents sites with bad reputation (known to distribute worms, spybots and viruses) from connecting to any client behind the router. It also has URL Filtering by category (66 categories so you don't have to manually type URLs) and Email SPAM prevention. It's called Trend Micro's Protect Link Gateway (in the cloud) service (since WRVS4400N FW version 1.1.13 and later)

http://www.cisco.com/cisco/web/solutions/small_business/products/securit...

The cisco.com WRVS4400N FAQ found here has the following information:

http://www.cisco.com/en/US/products/ps9923/products_qanda_item09186a0080...

ProtectLink
1. What is Trend Micro Web Protection used for?
Use Web Protection to manage and protect employee Internet use by blocking access to non-work-related and malicious Web sites.

2. What is Trend Micro InterScan Messaging Hosted Security (IMHS)?
Trend Micro InterScan Messaging Hosted Security is a hosted email security service that can benefit any size organization. We provide the hardware, software, and messaging expertise to cleanse your email of spam, viruses, worms, Trojans, and phishing (identity theft) attacks. The cleaned mail stream is sent directly to your mail server for final delivery to your end users. To use this service you must manage and have administrative access to your own SMTP server. Please have the domain/IP information ready during the registration process.

3. How do I get the ProtectLink Service?
First you must have a Supported Linksys Router that works with this service (Currently this is only the RV042 but will soon include many of our Business Class Routers, keep checking the Linksys website for firmware updates if you have a router not currently included on the list), then purchase a Registration key from a Linksys approved retailer. After you have a Registration key you can log into your router's interface, go to the Security Protection tab and you should have a link from there to sign up for the service.

4. How much does the Trend Micro service cost?
Trend Micro InterScan Messaging Hosted Security is sold in 5 seat and 25 seat increments on an annual payment plan. Please contact Sales or a Local/Online Retailer for exact pricing.

5. How long does the initial setup of the Trend Micro service take?
If just registering for the Web Protection service, it can take up to 24 hours to activate your account through Trend Micro. You should receive an email containing your account information and instructions on managing your account.
Once this portion is active, if you chose to sign up for the IMHS Service during Registration it can take up to another 24-48 hours to receive your account information and instructions on managing this service as well. Once your IMHS account is active it may take an additional 24 hours to update your MX record.

6. My Router is listed but I do not have the Security Protection Tab within the Web UI?
Please go to www.linksys.com/download and upgrade to the latest firmware.

7. I already signed up for the Web Protection service but now I want to use the IMHS service as well. How do I add it?
In order to activate the IMHS Service after initial registration please contact Trend Micro Support at [email protected] with your SMTP server domain/IP information.

8. How do I begin using the IMHS service? Do I need to install, configure, or maintain anything?
A simple redirection of your Mail exchange (MX) record is all that is needed to start the service. Your email is processed by the Trend Micro InterScan Messaging Hosted Security to remove spam, viruses, worms, Trojans, and Phishing attacks; the clean messages are then sent directly to your mail server. This process can be activated either through the Initial Trend Micro Registration or through contacting [email protected] if you have already activated the Web Protection Portion of the service.

9. What level of Web Reputation should I choose?
Security Level: The higher the security level, the more URLs that are known or suspected to be a Web threat will be blocked.
a. High - Blocks a greater number of Web threats but increases the risk of false positives.
b. Medium - Blocks most Web threats and does not create too many false positives. This is the recommended setting.
c. Low - Blocks fewer Web threats but reduces the risk of false positives.



plawer123 Thu, 04/09/2009 - 09:41

So basically the router has a feature that sucks 97,5% of the throughput capacity out of the router (that's ninety-seven-and-a-half percent)? Doesn't it sound like this IPS feature needs some performance attention from the developers? I mean now that 50Mb and 100Mb broadband connections are becoming more and more common, the feature should at least be able to support those kinds of connections.

I've disabled my IPS for now.

cactusdesigns Thu, 04/09/2009 - 10:00

Yep, that pretty much sums it up.

I've got IPS enabled most of the time, unless I need to do a big download and need the extra bandwidth.

Totally concur, the cisco devs need to rethink this, especially since 100Mbps is on the horizon for my area too... It's rather hilarious that they have posted the figure of throughput with IPS disabled, but fail to mention what it is with IPS enabled...

plawer123 Fri, 05/08/2009 - 01:06

Have you heard anything from the Product Manager?

I'm mainly interested in if it's considered to be working as designed or if there's any chance of performance improvements in later firmware releases.

cactusdesigns Fri, 05/08/2009 - 01:23

I've not heard anything new regarding this, but I'm kinda assuming that it won't be fixed and instead looking for a replacement, which is pretty sad.

Anyone from cisco care to comment?

Thanks,

raulznjmps Fri, 01/07/2011 - 20:34

Hi Steven,

Could you check for us if URL blocking affects bandwidth. We updated our unit with firmware 2.0.1.3 and our contract bandwidth with ISP is 100Mbps.

The scenarios that we are experiencing now are as follows:

1. Enable IPS and URL blocking, we'll get 22Mbps.

2. Disable IPS and enable URL blocking, we'll get 39Mbps.

3. Disable both IPS and URL blocking, we'll get 100+Mbps.

Thanks in advance.

Rgds,

Raul

Te-Kai Liu Sun, 05/10/2009 - 17:03

Although 20Mbps of throughput when IPS is enabled does not meet the requirement of the 50Mbps internet pipe, the price/performance ratio of $130/20Mbps should be very competitive in the market.

matt172001 Mon, 05/18/2009 - 06:16

It appears if you do the above procedure and turn OFF the IPS - it will break firewall port forwarding. Now if you don't use any custom ports to port forward, this isn't an issue. BUT, if you do (as we often do) - it will break them and won't work. Again - this only affects CUSTOM FIREWALL PORTS (ie: non standard ports, like mapping a port to 15000 or similar) and turning off IPS. You could leave ON IPS and this is a non-issue.

Steven DiStefano Mon, 05/18/2009 - 06:20

I am sorry to hear about the problem you found and thanks for sharing it with everyone.

I do think you should report the problem with a formal TAC case so it can be resolved.

1-866-606-1866

Michael Stacks Wed, 05/20/2009 - 08:32

You know honestly, I don't see that as much of an issue for it's price point.  Competitive products from Sonicwall, Watchguard, Fortinet etc, cost more than this box, and have equivalent or lower throughput when enabling the full UTM capabilities.  I think if you're looking for something that can handle 50Mbps, then you're probably looking at something more enterprise class such as an ASA or ISR Router.  I haven't seen anything from any vendor that can push that bandwidth for this price point.

nealrfildes Mon, 02/15/2010 - 17:06

given the appearance of wrvs4400n V2 and its latest firmware, is there any improvement in this dimension of quality?

And curiously, why is this fact buried in this forum? I went through the site section on this product, tried the chat and 8xx # with no success but eventually slogged through to find this post. Such a significant performance number ought not to be buried unless it is a "dirty little secret".

Steven DiStefano Mon, 02/15/2010 - 19:44

Hello,

The fact that signature analysis impacts performance is one which all vendors face with IPS implementation and we at Cisco do advertise this in the data sheet (reduced performance when IPS is enabled).

As you probably know, the operational profile of any unit under test will impact performance and it is difficult to narrow in on any one profile that we could assume everyone would use, but in the case of IPS, it is a BIG impact.

Hope this helps a little.

I think the fact that we have this forum and are willing to discuss virtually everything with our Partners should show everyone that we don't keep secrets, or at least we don't try to by any stretch.

Steve DiStefano

SE in Sales

cactusdesigns Tue, 02/16/2010 - 00:11

I see this thread still gets the odd response and similar reaction to what I first had.

I'm still using the WRVS4400N as I still believe it is a good router and I still disable IPS when I need the extra download speed for gigabyte downloads etc., but it would be good to know if the V2 model still has the same 30 Mbps degradation as the V1 model.

Can any one (Cisco) confirm the actual numbers for IPS enabled/disabled on the version 2 WRVS4400N?

nealrfildes Tue, 02/16/2010 - 03:22

this is a simple question - given the answer above for earlier version of the hardware, could you please provide the corresponding result for v2? feel free to use the same scenario so it is apples to apples.

of course IPS reduces throughput! computers are not infinitely fast etc. but we want to know the true cost. is the new hardware any better?

until I saw the number above, the closest thing I had to a number was from phn's review of a rvs4000, giving upstream 530mbps, downstream 15.9 mbps, total 525.6 mbps. Those numbers made me think this was a wireless router totally designed for web servers (which sounds really odd as a web server would not need wireless abilities!)

you are close to making a sale, why be squirrely about this? the best customer is the one who can make an informed decision up front instead of being angry afterward.

Steven DiStefano Tue, 02/16/2010 - 04:41

Well I am happy we are close to a sale, cause I am a Systems Engineer in Sales :-) If you know me, you know I ain't 'squirrely' either.

Let me ask the BU for the numbers for V2.

I thought you were asking why there was a reduced bandwidth capability, which I know the answer to, so answered :-) Sorry if I misunderstood you.

The actual numbers, I will ask for. Stay tuned. As soon as I get them I will post back here....or ask them to.

Steve DiStefano

nealrfildes Tue, 02/16/2010 - 05:05

thanks. I look forward to the answer. I've reviewed the v2 user guide and will be posting some comments/questions in another thread.

Steven DiStefano Tue, 02/16/2010 - 08:58

OK, I am back with some data.

With IPS & Firewall enabled, it looks like we can see between 18 - 24mbps (TCP - UDP respectively).

PPPoE, PPTP, and L2TP client traffic will be less.

Without IPS this same number goes to around 900mbps

Steve

nealrfildes Tue, 02/16/2010 - 11:05

thanks, I really appreciate getting a straight answer! :) :) It appears the v2 hardware is more efficient, so I want to be sure to get v2. I also will assume that whether or not I subscribe to the extra service, this overhead will be about the same.

For your sales hat, I will say that I am still waiting on another thread regarding the documentation -vs- bandwidth rules, but if it is anything like the rvl200 I think this is a "Go".

For your SE hat, I would like to say that based on my research at the cisco site, it appears like the wrvs4400n-v2 has been significantly groomed and improved, having perhaps 1 or 2 known problems, whereas the latest rvs4000 firmware still shows lots of issues that would keep me away from it in spite of the low price. Right now I am using a dgl4300 wireless router with two netgear gs108t switches behind it. I use the 'game fuel' rules in the 4300, outbound bandwidth limiting in the nearest switch egress, and QOS in both switches to favor my voip traffic (2 SIP "lines"). the advantage of the 4400 over my existing setup is several-fold:

1) 802.1p QOS support extends into the router rather than stopping at the switch's uplink queue

2) reduce # of boxes to power and administer (get rid of one switch)

3) compatible with wireless N standard if I choose to adopt it (2 of 3 wireless clients are capable already)

4) supports ipv6 should I choose to enable it (not sure of a benefit yet)

5) provides potential for higher throughput should it become available in my area (assuming the bug with port forwarding requiring IPS gets fixed)

so, thanks again and have a great day!

nrf

Steven DiStefano Tue, 02/16/2010 - 11:32

Neal,

Thanks.

I know that the Business Unit Engineers are also watching this thread too, and we do care about what partners say, suggest, recommend, think here.

I was told that WRVS4400Nv2 has the same issues/limitations as RVS4000, e.g. Bandwidth Management is not working when IPS is disabled, just to clarify that question for you.

Steve.

nealrfildes Tue, 02/16/2010 - 11:51

I had assumed that as fact (related to point #5) but with something like a fiber service maybe I wouldn't care about bandwidth management so much,

There are many more issues in the 4000's latest firmware release notes compared to the 4400v2. (I see today that a new set came out but it still has a way to go to be at par with the 4400)

the other thread basically asks where you apply the bandwidth profiles as it was not visible in the manual. in the rvl200 manual, you can see bandwidth profiles as part of port map (inbound) rules, and outbound rules.

nrf

alissitz Tue, 02/16/2010 - 12:20

Hello team,

I hope I am not too far off the topic here ... but if you need higher speeds w/ IPS enabled, then the ASA product line is probably your best bet. You can also use an ISR, but the speeds will not be as great as with the ASA models. The ISR of course offers a lot as well, single platform with many services, applications, modules etc ...

Here is a link to the ASA models and the AIP module that can be installed with it:

http://www.cisco.com.az/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459036_ps6120_Products_Data_Sheet.html

As you can see, you can look at an ASA 5505 w/ an AIP module.

HTH,

Andrew Lissitz

nealrfildes Tue, 02/16/2010 - 13:02

interesting product set, reminds me of what AT&T does for its (big) customers pro-actively. in terms of cost and complexity, I would lump even the low end of the series in with the 800 series products as more than I can absorb at this time.

but I like your approach and attention to the thread! maybe it will get someone else thinking - once you have a real need for that kind of bandwidth, one can expect to pay a bit more for the toys...

nrf

alissitz Tue, 02/16/2010 - 13:19

Understood and agreed.

Glad you did not mind me changing the products or focus on you ... I did not want to distract from the original intent of this good posting.

Yes, the requirement for high speeds certainly demands a lot from the hardware, a lot from the ASICs, memory, chipsets, etc ... and thus we easily move into the traditional Cisco product sets.

We appreciate you Neal, many thanks. 

Andrew Lissitz

nealrfildes Wed, 02/17/2010 - 11:14

my other post didn't catch any replies, can anyone with one of these 4400's tell me where the bandwidth profiles get applied? is it just like with the rvl200?

also, will qos be applied downstream for use on the lan? 802.1p qos or dscp doesn't help if one part of the path ignores it...

thanks!

nrf

alissitz Wed, 02/17/2010 - 12:06

Sorry that your other post did not get a response ... I will look for it after this one.

Here is a link to the admin guide:

http://www.cisco.com/en/US/docs/routers/csbr/wrvs4400n/administration/guide/WVRS4400N_Admin_Guide_v2.pdf

You can trust the COS if you like, but probably more likely you will want to simply set the QoS policy based on DSCP values.   See page 129 for more in the above admin guide link.

Does your LAN remark DSCP?  If so, then the marking coming into the router would be fine.  If not, then you might choose to define the services and provide them a priority.

Are you experiencing problems with drops or delays for traffic / traffic types?

The WRVS assumes that there is plenty of bandwidth on the LAN, so the configs you are making here apply to upstream / towards the SP.

Does this help?

Andrew Lissitz

nealrfildes Wed, 02/17/2010 - 12:23

it seems like my other thread might have prompted release of the revised admin guide (new look and feel etc), so I got at least one answer - what happens to the bandwidth settings.

on the other hand, let me explain my view of the world and maybe you can advise....

on my network I have a mix of 'slow' (500kb/20mb) internet traffic and multiple video streaming clients and servers that handle HD material. I have a two-'line' sip adapter in the mix which I am trying to serve as close to flawlessly as I can. my switches can use either dscp or qos marking, right now I am using qos out of simplicity, and mark the incoming stream from the Telephone Adapter. when it gets to my non-qos router, it applies its rules to prioritize upstream into the internet. on the downstream path, all downstream data from the internet gets tagged by the switch with the same priority since all come through the same ingress port.

what I am hoping to accomplish with this project is to maintain my existing prioritization of my voip upstream traffic and enhance the situation by further distinguishing between the different types of downstream traffic from the internet. the ideal case would be that any service priorities I apply upstream also get reflected in qos or dscp bits downstream so there is a continuous high-priority path for the voice.

My current setup is pretty good as people rarely/almost never lose my voice, but sometimes when I click on a browser link I get a hiccup in the downstream audio. perhaps I am being too much of a perfectionist, Bottom line, it may not be possible to do the 'ideal' as I hoped, but I would not want to change my setup unless I could at least get closer to the ideal. If downstream bandwidth control at least gets it into the rest of my switch network in an expedited fashion, the fact that the LAN is gigabit will probably achieve the desired result.

man, I love these forums!

nrf

alissitz Thu, 02/18/2010 - 14:48

Good afternoon,

A couple of thoughts, and I hope these are helpful:

- Getting visibility into the actual queues is not really possible with the small business gear, you need traditional Cisco equipment for this.  With Cisco you can see per queue stats / drops, or even estimate the amount of bandwidth needed given a QoS target such as delay, acceptable drops, etc ... (called bandwidth estimation).  You can also run Netflow and IPSLA get a lot of visibility / network testing.

So with this said ...

VoIP is predictable, so it is not hard to engineer for.  Each call will have a certain amount of BW required for each call.  Example including protocol and media overhead is:

G729 requires about 24 Kbps per call

G711 requires about 82 Kbps per call

Voice requires a constant level of delay.  To keep things simple, many people will place voice in the priority queue and / or assign it a bandwidth value that will allow for the max numbers of calls.

In your case, when you click on a web link you may hear a blip in the conversation. This is either a couple of dropped packets or a couple of packets delayed beyond what the de-jitter buffer can handle. Not to mention that the voip codec cannot recover the lost packets ... meaning it is more than one lost packet. Without some visibility and or 3rd party tool, it is hard to track down the cause of this problem.

Does your VoIP provider have any stats?

What kind of phone are you using?  Cisco phones will allow you to see the jitter, MOS scores, packet loss, etc ... this can be found right on the phone under the call statistics menu.  This might help you some by seeing how much jitter there is.

Web traffic is typically larger packets ... I wonder if you are experiencing tail drop for when the voip packets are waiting to get sent.  Serialization causes queue build up because smaller packets have to wait behind larger packets, and tail drop occurs ...

This can happen on slower links.

Video traffic is very bursty, harder to predict ... and demanding.  Real time video streaming has similar demands from the network as voip.  A rule of thumb is to engineer your network for the real time video plus 20% for overhead and for bursts.  So take your video streams and add 20% to ensure you have enough bandwidth per queue or available.

Does this help you?  I hope so ... but we still have a lack of visibility here ... humm 

If we trace your traffic up and downstream, we know that you have given priority to the traffic going into the cloud / upstream. Is this strict prioritization?  I think you may have mentioned this ...

Normally traffic coming from the provider's network will have the proper markings.  Most providers preserve the L3 markings when the traffic egress their network.

When the traffic comes into your switch, can your switch re-mark the packets so that the markings are set according to your policy?  This would help you implement a uniform policy across your LAN and give voip a priority.   You could also create policies to give RTP media priority everywhere and give these priority.

A small note ... as you know changes to QoS policies will usually cause the queue to flush and or the interface to be reset.  So doing this during production times is not suggested ...

Also, if other traffic types are using DSCP or are using RTP media ... then you might engineer the QoS incorrectly if you do not account for it.

In addition, some malicious programs might try and DOS the network by sending excessive amounts of traffic with DSCP markings of EF or other high values.

It is for this reason that most folks that roll out QoS, will by default overwrite all the markings and re-mark the packets according to their own policies. This is easy with Cisco with auto-qos and smart port macros ...

Sorry to keep going back to Cisco products, I am not keeping the focus of this thread and posting ... with Cisco we have some tools to help us, but the tool set is limited with small business products.

HTH,

Andrew

nealrfildes Thu, 02/18/2010 - 19:10

wow! I appreciate the effort you put into your post.

I was mostly looking for an answer about this specific product.  Since none of the video goes into the router, 3 hd streams at 25mbit each worst case are handled ok within the switches with their own queue. I'm also assuming that an ISP will most likely not trust any upstream marking, so I am trying to focus more on where I have some control. I can have the switch mark the upstream sip traffic easily enough, and many decent consumer routers including my existing one can sort out what it sends into the internet so some traffic gets ahead of others. I was hoping this product in particular could be used to mark or at least prioritize the downstream leg of the journey.

I can see how RV042 or RVL200 might do that, but would like to know specifically about the 4400nv2. Some (most?) gigabit routers handle qos upward but don't bother to include qos in the embedded (LAN) switch. Given that this one has qos trust settings, it seems to be more complete with its switch abilities. It makes logical sense that the same kind of rule which allows marking of the upstream flow could do the same on the downstream side, especially since it is co-resident with a switch chip that could actually do something with the markings.

On the other hand, reserving 2x100kb bandwidth out of a gigabit path seems rather trivial, or even un-necessary. So I want to know what kind of control I may have with this product between the arrival from the ISP and when my next switch sees it, and if it can possibly be marked separately from the other traffic it is traveling with.

I guess if there is a smarter router capable of doing such marking that is 'affordable' and 'approachable' by someone not embedded into the Cisco way of life, that would be good to know. But the 800W series routers are already kind of daunting (and expensive) to me at this point. My alternative to the product being discussed in this thread might be a RV042 or RVL200, but I would then have a 3 box solution instead of my current 2 box solution.

alissitz Thu, 02/18/2010 - 19:25

Good to hear the video traffic stays local.  As long as this is only using multiple ports on the local switch then you are fine.  If the traffic traverses multiple switches and or shared uplinks, then you will want to give the voice priority.

It sounds like all is well on your lan.

As for the markings to the ISP, yes they most likely ignore your markings and re-mark and queue according to the SLA they have set with you. They might also police inbound traffic to enforce the SLA. Something to check with them on.

The RV042 is rather weak in its QoS ... I would not consider this when voip is present.

The RVL200 is a nice router, but a little step back IMO from the WRVS4400.  It has SSL VPNs, so this is nice.  I do not have one of these routers to test with, so I cannot help much. 

Perhaps someone on this community has tested QoS towards the LAN?  I welcome any input.

You are right, the router can perform QoS on COS (layer 2) or DSCP (layer 3), ... or ... you can create the queues based on the application.  In your case, it sounds like only rtp media needs high priority.  You might also give SIP high priority for call setup.  

Hummm ... hope this has been helpful, sorry I do not have an exact answer for you.  I will also check internally if we have any QoS testing data I can share.

Andrew Lissitz

nealrfildes Thu, 02/18/2010 - 19:34

Maybe someone else will chime in. Or perhaps I should start digging through the source code distribution. Given that my switches are minimally smart, not enterprise horsepower, and the fact that I haven't dug into getting per-application marking on the servers, I am pretty much stuck with marking by switch port. As a result, if I make all the incoming internet traffic higher priority in hopes that it will help the voip, it is all still mixed together (20mbit max). I guess I'm trying to introduce just enough extra power into the network to make that traffic distinction for marking the downstream data.

(Someday I may get more sophisticated.)

have a great evening!

nrf

Te-Kai Liu Thu, 02/18/2010 - 19:29

Small Business routers such as RV042, RVL200, and WRVS4400Nv2 do not mark DSCP or 802.1p bits. The built-in switch of RVL200 and WRVS4400Nv2 can prioritize the traffic according to the DSCP/802.1p field of the ingress packets. The QoS Rate Control feature of WRVS4400Nv2 works the same way as the Bandwidth Management feature RVL200/RV042. However there is a caveat that IPS of WRVS4400Nv2 has to be enabled in order for the feature (Rate Control) to work.

Note: QoS Priority, i.e. 60% for High priority, 30% for Medium, and 10% for Low, works regardless whether IPS is enabled or disabled. 

nealrfildes Fri, 02/19/2010 - 03:40

ok, too bad the switch's tagging can't be taken advantage of downstream. I think I am at least close to getting my answer. Suppose I use either downstream priority or downstream rate control, and tell the devices that I have 20mbit of downstream bandwidth. Will either of those provide better luck for my voip data than if no such rule was turned on?

and for completeness, what small-business Cisco product could apply marking as we have discussed in the downward direction?

thanks for your patience and open-mindedness!

nrf

alissitz Fri, 02/19/2010 - 07:37

I do not think so.

VoIP does not care about the rate limiting and downstream ... and into your LAN is probably not the problem since you have 20Mb.  Voip will attempt to use what it needs.  If it cannot, call setup will fail, calls dropped, or even one-way audio can occur. You mentioned that you have a 'blip' in the call every once in a while.  See my earlier post for comments on this ...

Just making sure that voip has priority everywhere in your network is the best thing to do.

As for the downstream speeds, your clients and servers figure this out via TCP and attempt to get the most that they can / fill the link.  Nothing to do there ...

Perhaps the community can 'learn-me' here ... but I do not think any of our small business products can mark / re-mark packets on egress; they simply pass the headers as-is.  I think the 'closest' product would be the SR520 series.

You might also do well to use a Cisco switch in the core and then mark / re-mark packets.  I understand this is not an option ... just throwing it out there for your next design.

Concerning the SR520 - most likely you would need some CLI for completeness ... but you can do much via CCA gui tool.  With the FE and ADSL models, you can configure most of the router w/ CCA and then call Cisco TAC for any help with QoS or CLI.

For the T1 model which is small biz pro, CLI is not officially supported.  It is my opinion that you should have some basic CLI for this product too ... again, for completeness and in order to work-in and work-around any environment you come across.

HTH,

Andrew Lissitz

nealrfildes Fri, 02/19/2010 - 07:53

Andrew, "Just making sure that voip has priority everywhere in your network" is exactly what I would like to do (1st choice).


second choice would be to use some priority or bandwidth downstream rule to let the voip packets jump ahead of others as much as possible.

so if this product can do neither, I am open to any other suggestions that I might find manageable.

nrf

alissitz Fri, 02/19/2010 - 10:50

Yes ... I suppose I should have said "make sure voip is priority everywhere that we can / possible"

Can you confirm your upstream bw is limited to 512Kbps?    Hmm ... once a large web packet begins to be sent, the packets in the queue will need to wait till the larger packet is sent before being sent themselves.

This would cause upstream jitter when you have large web packets in the queue and in front of the time sensitive voip packets.  Strict priority for upstream is needed, but there may be some delay every once in a while if a large web packet had started being sent at the same time a voip packet came into the egress queue.

A discussion of these serialization delays can be found at the below link.  Cisco also has numerous docs, but I thought this one was laid out nicely:

http://www.networkworld.com/community/node/39221

Do you know how much delay already exists from your network to the voip provider?  I am still thinking about why you have an occasional problem when you are on the phone and you surf the web.

Downstream is fine if I understood you have a 20Mbps downstream link.  This would come into the router and then out to the lan via a 100/1000 link, should not be any congestion and queuing.  I would not worry about this.

As for products, I would prefer to hear from the great people of this community as I have made some suggestions already.

A great thread, many thanks thus far!

Andrew Lissitz

nealrfildes Fri, 02/19/2010 - 14:14

First, I wouldn't call this really a 'problem' so much as trying to polish the apple. A slight hiccup doesn't really constitute a problem but it indicates I could do better.

My thought on the scenario is that the voip packets got behind a surge of web traffic, and since everything downward is tagged the same and goes sequentially through my lan there is little recourse. If at some point the voip packets could escape into a higher priority queue, they might 'pass' the other traffic. With my setup, the only way this could happen is if they get distinguished along the way. The switch can't do that so it would be up to the router if anything. We don't seem to be converging on an answer here so maybe I just live with it. It's not even a frequent occurrence.

thanks for the lively discussion!

nrf

alissitz Fri, 02/19/2010 - 16:18

Hello and good evening,

Sorry I have not helped much to bring this to a quicker answer ... but a great topic and conversation this has been.

The IPS discussions earlier in the thread were great too.  Some great posts from Steve and the gang.

You can set up priority queuing, so the high priority queues always come first before lower priority queues.  This you can do, for sure.

The challenge comes if a packet has been sent out of the software queues and onto the hardware queue (tx-ring).  The other packets will have to wait for this larger packet to be fully sent before themselves being placed onto the hardware queue (tx-ring). This can cause some varying delay, and I hope that other link that showed delay stats was relevant and informative.

So with this said, prioritization is a must, but there can always be cases when a voip packet arrives in the priority queue, and then has to wait behind a lower priority packet to be sent by the hardware queue.

For lower speed links, this becomes most important since the delays and variable delays will be greater due to slower interface speeds.

On traditional Cisco routers, fragmentation and even interleaving can be configured so that there are no large packets.  In this case, the delays will be predictable since all packets are relatively the same size.

Also on Cisco routers, you can even spoof the TCP 3-way handshake / setup and configure a lower MSS size (maximum segment size).  This will also keep packets to a lower size ... you can configure the MSS when fragmentation and interleaving packets is not an option ....

Wow ... a fun topic this has been.  We could probably go on and on ... ;-)

Best wishes for a great weekend everyone!

Andrew Lissitz
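As an added illustration (not from any poster in this thread) of the points Andrew makes above: serialization delay on a slow uplink, the non-preemptive hardware queue (tx-ring) that still delays a prioritized VoIP packet, and how an MSS clamp shrinks that worst case. The 512 Kbps uplink and the packet sizes are constructed to match the discussion.

```python
# Added example: models the serialization-delay and non-preemptive tx-ring
# behaviour discussed above. Packet sizes and the 512 Kbps uplink are constructed.

UPLINK_KBPS = 512

# (name, arrival_ms, size_bytes, priority) with priority 0 = VoIP, 1 = bulk web.
# Two full-size web packets are already queued when the VoIP packet arrives.
SCENARIO = [
    ("web1", 0.0, 1500, 1),
    ("web2", 0.5, 1500, 1),
    ("voip", 1.0, 200, 0),
]


def serialization_ms(size_bytes, link_kbps):
    """Time to clock one packet onto the wire; bits / (kbit/s) yields ms."""
    return size_bytes * 8 / link_kbps


def queue_wait_ms(packets, link_kbps, strict_priority):
    """Return {name: wait_ms} for a single non-preemptive transmitter.

    strict_priority=True always dequeues priority 0 first; False is plain
    FIFO. A packet already on the wire is never interrupted, which is the
    residual delay a VoIP packet still sees even with priority queuing."""
    pending = sorted(packets, key=lambda p: p[1])
    queued, now, waits = [], 0.0, {}
    while pending or queued:
        while pending and pending[0][1] <= now:
            queued.append(pending.pop(0))
        if not queued:
            now = pending[0][1]  # link idle; jump to the next arrival
            continue
        if strict_priority:
            queued.sort(key=lambda p: (p[3], p[1]))
        name, arrival, size, _ = queued.pop(0)
        waits[name] = now - arrival
        now += serialization_ms(size, link_kbps)  # wire busy until done
    return waits


def with_mss_clamp(packets, mss, header_bytes=40):
    """Shrink bulk (priority 1) packets to what a TCP MSS clamp would allow."""
    return [(n, t, min(s, mss + header_bytes) if p == 1 else s, p)
            for n, t, s, p in packets]


if __name__ == "__main__":
    for label, pkts, prio in [("FIFO", SCENARIO, False),
                              ("priority", SCENARIO, True),
                              ("priority+MSS536", with_mss_clamp(SCENARIO, 536), True)]:
        print(f"{label:16s} voip waits {queue_wait_ms(pkts, UPLINK_KBPS, prio)['voip']:.3f} ms")
```

Running the same scenario with link_kbps=100000 shows the VoIP packet waiting 0 ms, which is why the 100/1000 LAN side was not the concern.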

nealrfildes Fri, 02/19/2010 - 16:52

Given packets are small, I'm not worried about a packet that is in-progress getting in the way. I would expect to pay quite a bit of money for 'perfection' and in the case of a gigabit lan, a lot less perfection is required. Lots of really complicated and powerful equipment out there (not to mention expensive) is dedicated to squeezing the last drop out of scarce bandwidth. The simple act of increasing the speed makes the whole process so much less demanding! Better the horsepower be spent on redundancy and reliability a la level 3 switching.

Kind of brainstorming here, suppose I stuck a router between my existing one and my switch, but used it only as a 'marking device'? The downstream traffic would come through from the original router in the same order as it arrived from the internet, so this new one could examine the traffic and apply marking to the 'wan' port which would then be honored by the switch. I could also use a simpler router that didn't have IPS, and it could be a 10/100 device. Granted, a static delay would be added. (My 3com 5231 might be good for experimenting with this idea. I don't really like command line but it could be interesting.)

I guess I'm going to have to go back through all the router docs to see which ones actually mark the wan side traffic.

have a great weekend, all!

nrf

(I got the 3com 'new' for $29+shipping to experiment with SNMP. worth every penny, but too noisy for anywhere but a closet.)

alissitz Fri, 02/19/2010 - 17:13

LOL ... true!  Perfection does cost a lot!  ;-)

A myth about over subscription - is that it is always a 'work-able' answer, but in fact it is not. Just a myth ...

Many applications, especially TCP ones will find the max throughput and attempt to send at this rate.  So no matter how much bw you have, your apps will attempt to use it all. FTP is famous for filling the link with large packets and taking all the bw away!

Furthermore and even more importantly ... what happens when a device begins to DOS your network?  This can be from a virus or even from something as simple as an hp jet direct card going bad ... when this device sends too much, it does not matter how much speed you have, or the over subscription you paid for ... you are done. Time to update the resume.

Network fails and apps fail ;-(

I think you are dead on in your questions and approach to QoS, you are quite the engineer!  That is what makes this posting thread so much fun to participate in ...way cool.

With a little speed or a lot, you need QoS to ensure application delivery.

BTW - the need for fragmentation goes away when the links are above 768Kbps or when you are running data only.

As for adding additional devices, I would probably pass on this.  Are you receiving packets with the markings?  Probably are ... but you may need to get a sniffer file to be sure.

Make a voip call, and sniff a few seconds of the link.

In the future, I would suggest using gear with more flexibility for voip installs.  Voip is a bit more tricky to get 'perfect' and for many shops it is directly related to the income of that biz.

Have you looked over our smart designs?

https://www.myciscocommunity.com/docs/DOC-1404

These are created to provide cookie-cutter install guides.  Hopefully these can cut down the amount of time needed to sell and install gear ...

Andrew Lissitz

nealrfildes Sat, 02/20/2010 - 03:20

I came up with a better approach 'in my sleep'. Even though I have a gigabit lan, it can do VLAN. So with a vlan-capable router, I could arrange for my voip traffic to enter the router through a second port on its switch. This separates out the downstream voice packets from the rest of the traffic, then they can be marked as intended on the second switch port!

Update: Essentially, plumbing a vlan from the TA (which tags upstream already with prio 5) to a separate port into the router, exclusively for the SIP traffic. Then the downstream flow gets tagged (if not already) with prio 5, and the 'other' downstream traffic through the other port gets a lower priority. And since the two vlans use different ports on the switch, no need to extend the vlan into the router! So I am trying with my current router.

So far, so good with this. I will wait and see how well it works before "shopping".

I have proven to myself that one can have a dual-vlan configuration without having dual subnets, and subsequently no need for dual dhcp ranges. I think that only comes into play if a given PC needs to access multiple vlans. So, this is my 'cheap' solution and if I still have trouble I'll get fancier.

thanks for all your participation!

nrf

Message was edited by: Neal Fildes  Updated with status and details of actual experiment.

nealrfildes Wed, 02/24/2010 - 20:02

Still soaking, but an interesting finding. Given the router is 'simple', it seems to route between vlans automagically. I think this works as follows: on one vlan, send to the router MAC with the ip address of the TA. The router knows how to reach that IP through a different port, and voila, I can configure the TA from any pc.

I'm sure the cisco guidelines provide some ways to prevent this (like having a real vlan compatible router) but for me it is superb, and cheap!

nrf

alissitz Thu, 02/25/2010 - 15:32

Still soaking?  All good?

BTW - good thinking on your part!

Andrew Lissitz

sacha.labourey Mon, 03/08/2010 - 04:19

I am not trying to be sarcastic here but why do so many people care about this IPS functionality? This is clearly a "toy" feature of an otherwise well designed router.

If you are really looking for an IPS behavior, get a dedicated "serious" box for this, but how can you accept to reduce your traffic to 20mbit/s in exchange for a feature that Cisco doesn't maintain up-to-date? The latest IPS signature file is ... 6 months old! (RVS4000).

Are you confident that your IPS is working fine with a 6-month-old signature file? Even the RVS4000 itself keeps sending regular automatic e-mails complaining about how out-dated this file is. This IPS signature file might be good enough to make you feel good, but certainly not good enough to protect you.

Regards,

nealrfildes Mon, 03/08/2010 - 12:05

Regarding my voip setup - I am calling it a success! No disruptions have occurred since my changes.

I am patting myself on the back for figuring out how to do more with less and for having seen the usefulness of smart-switches while they were reasonably priced.

I will be keeping my eye out for further firmware upgrades for the small business routers so I hope you continue to work on their reliability.

thanks for the great discussion.

nrf
