11-04-2009 09:41 PM - edited 03-06-2019 08:27 AM
Hi to all,
Forgive me if this is the wrong section, but I am practically clueless about where to place my question.
I am puzzled by an issue which I've just stumbled upon recently. I have a client, a university here in the Philippines, and they are having some trouble regarding their website. They have a Cisco 1841 router with 12.4(3i) IOS.
You see, from their intranet, they can go anywhere, from browsing sites all over the Internet to, of course, accessing their own internal servers. The problem is when they access the server, their website, over the Internet.
They have a 4 Mbps connection, and they claim it is 4 Mbps on both the upload and the download. I've looked into their router's running config; yes, they have NAT-ed ports 80, 81 and 443 of the said server so that users over the Internet can browse their website. I also noticed a QoS mapping for the server and the protocols required to run it.
This one is for protocols like dns, http, pop3, shttp, smtp and ssh:
class Priority_protocol1
 bandwidth percent 20
 police cir 2000000
and this one's for the server itself:
class high
 police cir 3000000
  exceed-action drop
Our problem here is that many users on the Internet are complaining that they cannot access the webpage; worse, their browser pops up the "Page cannot be displayed" message. But they can access the webpage from the intranet. I have also checked the CPU and memory utilization, and it is nowhere near 25%.
I have also tried pinging the server's public address for one whole day and, fair enough, it generated just about 7% loss. But on that same day I was trying to access their website, and there were times when I could view their webpage and times when I couldn't. It's just so random...
I don't know where to look. I am not even sure if it is the router's fault, the configuration, the server itself, the number of users, or whether they are exceeding the 3 Mbps limit so that the router drops the excess traffic. Please help.
11-05-2009 06:11 AM
Hello Paul,
Post the whole policy-map config.
Be aware that the order of operations counts, like in an ACL:
if class Priority_protocol1 is invoked first, packets to/from the server can also be matched here and not in the other class-map.
I would consider removing the police commands and using hierarchical QoS with a parent policy-map that shapes all traffic at 4 Mbps and invokes a child policy where the classes with bandwidth commands are placed.
Hope this helps,
Giuseppe
11-05-2009 06:14 AM
I'd also check the utilization on the Internet connection to the server itself. If there is serious congestion, then you might see this kind of behaviour as well.
Is the Internet connection shared with others?
Good luck.
James
11-05-2009 06:18 AM
Could be lots of causes, however, I'm not too keen on their QoS configuration. They might try something simple like:
policy-map simple
 class class-default
  fair-queue
interface ?
 service-policy output simple
Of course, ideally you want to manage both ends of the WAN link. If they don't manage the WAN ingress direction (ISP egress), often the only effective solution is purchase of additional bandwidth.
[edit]
Giuseppe's mention of shaping is good. I forgot to inquire how the 4 Mbps is provided (I assumed something like MLPPP dual E1, but if not, shaping can be critically important).
11-05-2009 06:18 PM
Hi all,
Thanks for all your replies. They have a 4 Mbps DSL connection, if I'm not mistaken.
Here is the complete class-map and policy-map configuration. Actually, this was configured before by another person. I'm not really a QoS expert, so please bear with me. I am only interpreting the lines based on my understanding and simple knowledge of Cisco QoS.
class-map match-any high
 description This policy is limited to 2.5mbps connection for server/s that need priority.
 match access-group name server14
 match access-group name server15
 match access-group name server12
 match access-group name server20
class-map match-any medium
 description This policy is limited to 1mbps for server/s that need isolation.
 match access-group name server13
class-map match-any SDM-Transactional-1
 match protocol citrix
 match protocol finger
 match protocol notes
 match protocol novadigm
 match protocol pcanywhere
 match protocol secure-telnet
 match protocol sqlnet
 match protocol sqlserver
 match protocol ssh
 match protocol telnet
 match protocol xwindows
class-map match-all pol-out
class-map match-any SDM-Signaling-1
 match protocol h323
 match protocol rtcp
 match protocol sip
class-map match-any SDM-Routing-1
 match protocol bgp
 match protocol egp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any SDM-Voice-1
 match protocol rtp audio
class-map match-any Priority_protocol1
 match protocol dns
 match protocol http
 match protocol pop3
 match protocol secure-http
 match protocol smtp
 match protocol ssh
class-map match-any SDM-Management-1
 match protocol dhcp
 match protocol dns
 match protocol imap
 match protocol kerberos
 match protocol ldap
 match protocol secure-imap
 match protocol secure-ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
class-map match-any low
 description This policy is limited to 4kbps for server/s does not need high bandwidth.
 match access-group name server10
 match access-group name server11
!
!
policy-map SDM-QoS-Policy-1
 class SDM-Voice-1
  set dscp ef
  priority percent 7
 class SDM-Signaling-1
  set dscp cs3
  bandwidth percent 1
 class SDM-Routing-1
  set dscp cs6
  bandwidth percent 5
 class SDM-Management-1
  set dscp cs2
  bandwidth percent 5
 class SDM-Transactional-1
  set dscp af21
  bandwidth percent 5
 class Priority_protocol1
  bandwidth percent 20
  police cir 2000000
   conform-action transmit
   exceed-action drop
 class class-default
  fair-queue
  random-detect
  police cir 1000000
   conform-action transmit
   exceed-action drop
policy-map for_sdm_discovery_of_shape_limit
 class class-default
policy-map pol-out
 class low
  police cir 400000
   exceed-action drop
 class medium
  police cir 1000000
   exceed-action drop
 class high
  police cir 2500000
   exceed-action drop
 class class-default
  police cir 1000000
   exceed-action drop
interface FastEthernet0/0
 ip address INTERNAL
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly max-fragments 64
 speed 100
 full-duplex
 service-policy input pol-out
 service-policy output SDM-QoS-Policy-1
!
interface FastEthernet0/1
 ip address EXTERNAL
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1.2019
 encapsulation dot1Q 2019
 ip address EXTERNAL
 ip ips sdm_ips_rule in
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
11-05-2009 07:30 PM
Ah, it looks like a tool-generated (SDM) QoS config with some manual changes.
If you have 4 Mbps DSL with a FastEthernet handoff, an outbound shaper might help much. Again, it's unlikely you need more than FQ.
With DSL, if you have PPPoE, your MTU might not support the normal default maximum of 1500. If not, using the TCP adjust-mss command might also help improve performance.
Some of the QoS looks like it might be trying to regulate inbound bandwidth utilization, but doing that downstream of the bottleneck is often not very effective, especially with the QoS features typically found on a Cisco router.
11-06-2009 03:31 PM
Ah, pardon me, but what's an FQ?
I'll try the TCP adjust-mss when I get to our client.
I've studied the QoS script and I don't really see anything critically wrong there, except that the police command is a pretty harsh command. They should have put a shaping command in there, IMHO.
So, in this issue, is it the router, the router's configuration, or the ISP's fault? I need to justify this.
11-06-2009 04:52 PM
"Ah, pardon me but what's an FQ?"
Fair-Queue
"So, in this issue, is it the router, the router's configuration, or the ISP's fault?"
There's not enough information to be sure, but I consider the QoS configuration less than optimal.
11-06-2009 10:11 PM
Once again, thank you for your replies and your patience with me.
What would be your suggestion for me/us to avoid or fix this issue?
Would it be all right if I erased the whole QoS policy, observed the traffic patterns from square one, and then rewrote it based on the traffic patterns?
As I understand from your previous posts, you mentioned a bandwidth manager on our WAN or Internet interface? Please correct me if I'm wrong, but is that a separate appliance?
I also noticed that the QoS policies in this instance are applied on the LAN interface. Is this correct?
I am contradicting my own ideas because, from my simple understanding of QoS, one shouldn't place QoS policies on the WAN/Internet interface because we are at the mercy of our ISPs. But at the same time, I am also debating within myself that I'm limiting myself to receiving at most 4 Mbps from the outside rather than using the 100 Mbps speed of the router's physical interface.
11-07-2009 05:00 AM
"What would be your suggestion for me/us to avoid or fix this issue?"
For outbound, I suggest you shape the egress rate at 4 Mbps and use FQ. This might be done with just a traffic-shape command (which I believe also implements FQ) or with a CBWFQ policy that uses both a 4 Mbps shaper and FQ within the class-default.
Inbound is best managed as outbound on the other side of the link. Assuming this is the ISP side and they won't implement QoS, your effective options for managing bandwidth are very limited. Certainly you can implement policers that limit bandwidth, but TCP traffic often bursts above the rate limit (and congests the link) before it gets to the policer, and non-TCP traffic often doesn't slow its rate when it's being policed.
"Would it be all right if I erased the whole QoS policy, observed the traffic patterns from square one, and then rewrote it based on the traffic patterns?"
I believe the existing policy is overly complex and offers little benefit. Erase it and next try what I suggest.
"As I understand from your previous posts, you mentioned a bandwidth manager on our WAN or Internet interface? Please correct me if I'm wrong, but is that a separate appliance?"
For outbound, no, your router's QoS features should be sufficient.
For inbound, there are some 3rd-party packet-shaping devices that can spoof TCP traffic and better regulate inbound bandwidth usage. Cisco routers don't have this capability. Those 3rd-party devices sit in-stream; they don't need to sit on the WAN link, but since yours is an Ethernet interface, they could (I believe). (Such devices, of course, can also provide outbound features, negating much or all of the need for QoS on the router.)
"I also noticed that the QoS policies in this instance are applied on the LAN interface. Is this correct?"
Is it correct that it's applied to the LAN interface, or do you mean is this the correct place to implement the QoS policies? To the former, that's what it appears to me too. To the latter, it depends on what you're trying to accomplish. Policers can often be placed on ingress or egress, although it often makes sense to police on ingress (to keep traffic you're going to discard from transiting the device). Queuing features, though, need to be placed on egress.
"I am contradicting my own ideas because, from my simple understanding of QoS, one shouldn't place QoS policies on the WAN/Internet interface because we are at the mercy of our ISPs. But at the same time, I am also debating within myself that I'm limiting myself to receiving at most 4 Mbps from the outside rather than using the 100 Mbps speed of the router's physical interface."
As you note, perhaps your understanding is simple. You usually very much want to place QoS policies on WAN interfaces, since that's often a major point of congestion. The problems with the ISP and the Internet are: for the former, often a lack of any QoS being provided; for the latter, the Internet generally doesn't honor QoS (although usually the primary congested links are the connections to/from the Internet). If your provider is only going to provide 4 Mbps, a 100 Mbps hand-off interface can cause more harm than benefit.
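Putting Giuseppe's and Joseph's suggestions together (drop the policers, shape egress at the contracted rate, fair-queue inside the shaper, and clamp TCP MSS if the DSL is PPPoE), here is what that could look like on the posted 1841. This is an added example written for this edit, not configuration from the thread or from Cisco: the 3.8 Mbps shape rate, the policy-map names, the choice of FastEthernet0/1.2019 as the Internet-facing subinterface and the MSS value of 1452 are assumptions to be checked against the real circuit and its encapsulation.

```cisco
! Added example, not from the original thread. Names, the shape rate and
! the MSS value are assumptions; verify them against the actual service.
!
! 1. Take the SDM-generated policies off the LAN interface. In the posted
!    config "pol-out" policed server traffic toward the Internet with
!    exceed-action drop, and "SDM-QoS-Policy-1" queued and policed
!    download traffic after it had already crossed the DSL bottleneck.
interface FastEthernet0/0
 no service-policy input pol-out
 no service-policy output SDM-QoS-Policy-1
!
! 2. Child policy: no policers. Fair queuing (plus WRED) inside the shaped
!    rate means a burst is delayed and spread across flows rather than
!    dropped outright, which is what was making HTTP sessions stall.
policy-map CHILD-FQ
 class class-default
  fair-queue
  random-detect
!
! 3. Parent policy: shape ALL egress traffic to just under the contracted
!    4 Mbps so the queue builds on the router, where the child policy can
!    manage it, instead of inside the ISP's DSL equipment. 3800000 bps is
!    an assumed figure leaving headroom for DSL/ATM/PPPoE overhead; tune it
!    after watching "show policy-map interface".
policy-map PARENT-SHAPE-4M
 class class-default
  shape average 3800000
  service-policy CHILD-FQ
!
! 4. Apply the shaper OUTBOUND on the Internet-facing subinterface. Queuing
!    only works on egress, and a shaper is required for a queuing policy to
!    take effect on a subinterface.
interface FastEthernet0/1.2019
 service-policy output PARENT-SHAPE-4M
!
! 5. If the DSL service is PPPoE the path MTU is 1492, not 1500. Clamping
!    the MSS on the LAN-facing interface stops hosts from negotiating
!    full-size segments that then fragment or black-hole.
!    1452 = 1492 - 20 (IP header) - 20 (TCP header); assumed PPPoE MTU.
interface FastEthernet0/0
 ip tcp adjust-mss 1452
!
! 6. Verify: the shaper and child queue counters should now show the
!    congestion (queue depth, WRED drops) instead of policer drops on Fa0/0.
! show policy-map interface FastEthernet0/1.2019
```

Keep the shaper slightly below the line rate rather than exactly at 4 Mbps; if the rate is set at or above what the DSL actually delivers, the queue never forms on the router and the ISP's equipment drops packets with no fairness at all, which is the behaviour the original policers were also producing.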
11-07-2009 08:50 AM
Wow, thanks, Joseph. This is, by far, the most detailed explanation I've ever seen.
Damn, I wish I were as good as you...
This will really be of great help. I'll keep those in mind. I will be in a technical meeting come Monday, and the information you've given me will really help me in one way or another. Hopefully I'll be able to digest the stuff above by tomorrow.
And maybe next week I'm going to write a new QoS policy for them with the things you mentioned.
Hopefully, too, I'll be able to close this discussion soon, as this is very informative.
Once again, you have my utmost appreciation, Joseph. Maybe I should really start studying QoS too, lol.
11-06-2009 10:52 PM
Oops, double post.