Solved: 1800 QoS for webhosting

polofalltrades · ‎03-22-2010

Hi netpros here at CSC. Good day to all of us.

I am a neophyte in the networking field and I live in the Philippines, where networking isn't as intense as in other countries, so please bear with me for my lack of knowledge and experience. I have a question 'ere regarding routing and webhosting.

Well, I usually get side jobs regarding networking, cisco, hp and stuff. And I have this one client of mine, who I'm really havin trouble with. They are a medium-sized college here. They are hosting multiple services like their webpage, email and their enrollment system, which I do believe mostly runs on http.

I usually try to access their webpage fromt the outside, and serious problems come up. There are times when you'd browse on their main page, it comes up fast, but the moment you refresh the page, it quickly displays "The Page Cannot be displayed" on firefox. There are times when I browse through the main page, I click on a link, another "Page cannot be displayed" error, or oftentimes, most items are not displayed, mostly images, although the page launches. I've been thinking of rewriting their QoS policy, which is done by another person. I dunno if what I'll be doing is correct. Their topology somehow looks like this.

Alright, of course the router interface facing the huawei modem/router does have a public IP. The http server also has a NAT-ed public IP, which is connected via gigabit interface. Their internet connection, as I can recall is a 4mbps link, which is handed off to the router by the huawei modem/router via a fastethernet interface.

I don't know exactly where to point at, I am not sure if the router's at fault, if it's the http server which is at fault, could it be because they have low bandwidth and stuff? I'm pretty lost here, I don't know where to look for help but here, any help would be very much appreciated.

This is the old QoS that Imma be replacing.

class-map match-any high
description This policy is limited to 2.5mbps connection for server/s that need priority.
match access-group name server14
match access-group name server15
match access-group name server12
match access-group name server20
class-map match-any medium
description This policy is limited to 1mbps for server/s that need isolation.
match access-group name server13
class-map match-any SDM-Transactional-1
match protocol citrix
match protocol finger
match protocol notes
match protocol novadigm
match protocol pcanywhere
match protocol secure-telnet
match protocol sqlnet
match protocol sqlserver
match protocol ssh
match protocol telnet
match protocol xwindows
class-map match-all pol-out
class-map match-any SDM-Signaling-1
match protocol h323
match protocol rtcp
match protocol sip
class-map match-any SDM-Routing-1
match protocol bgp
match protocol egp
match protocol eigrp
match protocol ospf
match protocol rip
match protocol rsvp
class-map match-any SDM-Voice-1
match protocol rtp audio
class-map match-any Priority_protocol1
match protocol dns
match protocol http
match protocol pop3
match protocol secure-http
match protocol smtp
match protocol ssh
class-map match-any SDM-Management-1
match protocol dhcp
match protocol dns
match protocol imap
match protocol kerberos
match protocol ldap
match protocol secure-imap
match protocol secure-ldap
match protocol snmp
match protocol socks
match protocol syslog
class-map match-any low
description This policy is limited to 4kbps for server/s does not need high bandwidth.
match access-group name server10
match access-group name server11
!
!
policy-map SDM-QoS-Policy-1
class SDM-Voice-1
set dscp ef
priority percent 7
class SDM-Signaling-1
set dscp cs3
bandwidth percent 1
class SDM-Routing-1
set dscp cs6
bandwidth percent 5
class SDM-Management-1
set dscp cs2
bandwidth percent 5
class SDM-Transactional-1
set dscp af21
bandwidth percent 5
class Priority_protocol1
bandwidth percent 20
police cir 2000000
    conform-action transmit
    exceed-action drop
class class-default
fair-queue
random-detect
police cir 1000000
    conform-action transmit
    exceed-action drop
policy-map for_sdm_discovery_of_shape_limit
class class-default
policy-map pol-out
class low
police cir 400000
    exceed-action drop
class medium
police cir 1000000
    exceed-action drop
class high
police cir 2500000
    exceed-action drop
class class-default
police cir 1000000
    exceed-action drop
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.9 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly max-fragments 64
speed 100
full-duplex
service-policy input pol-out
service-policy output SDM-QoS-Policy-1
!
interface FastEthernet0/1
ip address 122.x.x.x 255.255.255.240
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1.2019
encapsulation dot1Q 2019
ip address 124.x.x.x 255.255.255.252
ip ips sdm_ips_rule in
ip nat outside
ip virtual-reassembly
no snmp trap link-status

and this is the QoS that I wrote, which is by the way, hasn't been implemented yet because I'm not so sure if this would work out quite well.

class-map match-all OUT_MEDIUM
match ip precedence 1
class-map match-any HIGH
description 50% of total bandwidth req for servers
match protocol dns
match protocol http
match protocol pop3
match protocol secure-http
match protocol smtp
match protocol ssh
match access-group name server14
match access-group name server15
match access-group name server12
match access-group name server20
class-map match-any MEDIUM
description 1mbps req for servers
match access-group name server13
class-map match-all OUT_HIGH
match ip precedence 5
class-map match-any SDM-Transactional-1
description remote access policies
match protocol citrix
match protocol finger
match protocol notes
match protocol novadigm
match protocol pcanywhere
match protocol secure-telnet
match protocol sqlnet
match protocol sqlserver
match protocol ssh
match protocol telnet
match protocol xwindows
class-map match-all OUT_SDM_Transactional-1
match ip precedence 0
class-map match-all OUT_LOW
match ip precedence 2
class-map match-any LOW
description 4kbps requirement servers
match access-group name server10
match access-group name server11
!
!
policy-map HIGH_NA_HIGH
class HIGH
set ip precedence 5
class MEDIUM
set ip precedence 1
class SDM-Transactional-1
set ip precedence 0
class LOW
set ip precedence 2
policy-map OUT_NA_OUT
class OUT_HIGH
priority percent 50
class OUT_MEDIUM
priority percent 15
class OUT_LOW
bandwidth percent 5
class OUT_SDM_Transactional-1
bandwidth percent 5
policy-map OUTSIDE_TRAFFIC
description OUT_NA_OUT QoS on subinterfaces
class class-default
shape peak 8000
service-policy OUT_NA_OUT
!
interface FastEthernet0/0
ip address 10.0.0.9 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly max-fragments 64
speed 100
full-duplex
service-policy input HIGH_NA_HIGH
!
!
interface FastEthernet0/1
ip address 122.x.x.x 255.255.255.240
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
service-policy output OUT_NA_OUT

if needed, use the OUTSIDE_TRAFFIC QoS map on the subinterface

int fa0/1.2019
encapsulation dot1q 2019
ip address 124.x.x.x 255.255.255.252
ip ips sdm_ips_rule in
ip nat outside
ip virtual-reassembly
no snmp trap link-status
service-policy out OUTSIDE_TRAFFIC

I know this is a pretty lengthy post, and an eyesore to read, but please I am seeking the help of every network pros, gurus out there, because this has been bothering me for the past few months. Any help would be very much appreciated.

sean_evershed · ‎03-25-2010

Hi,

Here are my suggestions / thoughts:

- Find out from the ISP if they shape or police traffic once it breaches the bandwidth being paid for.

- Check with the ISP if their router will honour the IP prec markings from your router.

- Configure the bandwidth on the Internet facing router to match what is being paid for. Then issue the show interface command to check how many packets are being dropped.

- Issue the show process CPU history command. This will show you how the CPU has been performing over the last 72 hours. The show process CPU command will only show you a moment in time. This will help to eliminate whether the router is a bottleneck.

- Find one of the free bandwidth tools on the Internet to measure bandwidth utilisation on the link. Obtain a baseline over a couple of days, apply your new policy and check what difference it has made.

- In the following class map are all these protocols actually in use by your company? If not remove them for the sake of simplicity.

class-map match-any SDM-Transactional-1
description remote access policies
match protocol citrix
match protocol finger
match protocol notes
match protocol novadigm
match protocol pcanywhere
match protocol secure-telnet
match protocol sqlnet
match protocol sqlserver
match protocol ssh
match protocol telnet
match protocol xwindows

- It appears that you want to give different servers different priorities. Have the business owners signed off on the servers getting the highest priority?

- What are the access-lists you are using to identify the servers? Is it by IP address?

Thanks

Please rate post if helpful.

View solution in original post

sean_evershed · ‎03-23-2010

Hi,

Can you also post the output of the following command to check where traffic is being dropped?

show policy-map intreface FastEthernet0/0

- What's the CPU use like on the 1841?

- How many people access the web site during peak periods?

- What's the CPU use like on the HTTP server?

- Is the Internet link used for anything else that is conuming bandwidth?

polofalltrades · ‎03-23-2010

@sean,

Thanks for the reply. I'll be posting the results for the "sh policy-map interface fa0/0" on a notepad as it is quite lengthy.

I also included the results of the "sho ip nbar protocol-discovery top-n 10" command. I hope this helps too.

The CPU utilization is

CPU utilization for five seconds: 41%/34%; one minute: 42%; five minutes: 42%

I am not pretty sure how many people access the website during peak hours. I guess there are tons of people connecting to it.

I think, the internet is usually used for webhosting and their mail server for our case.

polofalltrades · ‎03-24-2010

Bumping this thread(Am I even allowed to do this?)

sean_evershed · ‎03-25-2010