cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1381
Views
0
Helpful
5
Replies

Need help with CBWFQ QoS setup

Alen Danielyan
Level 1
Level 1

Hi!

Our company Intranet consists of 2 regional networks, each of which is a DMVPN network with regional center (regional hub, Cisco 1811) and small branches (spokes, Cisco 871). The hubs of the regional centers are also connected with each other by 2 encrypted tunnels (GRE + IPSec).

All spoke routers connect to their regional hub via 2 external lines, OSPF is  used.

So, topology is 2 stars with connected centers.

The target was: to consolidate servers of each region in the respective regional center, provide reachability of all branches networks between each other (for VoIP primarily), plus regional centers to provide Internet connection for spokes of its own region (only).

Now, I want to deploy CBWFQ QoS. More precisely, I want to divide the whole traffic between offices onto 4 classes:

I:   High priority traffic (back office application traffic (Oracle) - TCP 1521),

II:  VoIP traffic (we have not implement VoIP yet, so I don't know will it be SIP or anything else),

III: Normal priority traffic (any non-specified traffic)

IV: Low priority traffic (FTP - TCP 20, 21; file sharing (SMB) - TCP 445, UDP445; Lotus - TCP 1352).

Then I wish to divide available bandwidth this way:

I:   20%

II:  40%

III: 30%

IV: 10%.

Here is my draft config:

QoS ACLs

ip access-list extended QoS-HighPT

remark Traffic to regional center 1 Oracle servers and reverse

permit tcp 192.168.0.0 0.0.63.255 192.168.0.0 0.0.0.255 eq 1521

permit tcp 192.168.0.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255

remark Traffic to regional center 2 Oracle servers and reverse

permit tcp 192.168.0.0 0.0.63.255 192.168.30.0 0.0.0.255 eq 1521

permit tcp 192.168.30.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255

      deny any any

ip access-list extended QoS-VoIP

remark VoIP Traffic

permit tcp any eq 5060 any eq 5060

permit udp any eq 5060 any eq 5060

deny any any

ip access-list extended QoS-LowPT

remark SMB Traffic (direct and reverse)

permit tcp any any eq 445

permit tcp any eq 445 any

permit udp any any eq 445

permit udp any eq 445 any

remark Lotus Notes Traffic (direct and reverse)

permit tcp any any eq 1352

permit tcp any eq 1352 any

remark e-mail Traffic (direct and reverse)

permit tcp any any eq smtp

permit tcp any eq smtp any

permit tcp any any eq pop3

permit tcp any eq pop3 any

deny any any

QoS classes

class-map QoS-HighPT

match access-group name QoS-HighPT

exit

class-map QoS-VoIP

match access-group name QoS-VoIP

exit

class-map QoS-LowPT

match access-group name QoS-LowPT

exit

Policy maps

policy-map MyQoS

class QoS-HighPT

bandwidth percent 20

exit

class QoS-VoIP

bandwidth percent 40

exit

class QoS-LowPT

bandwidth percent 10

exit

class class-default

bandwidth percent 30

exit

Applying policy map to external interfaces

interface fa4

service-policy output MyQoS

interface vlan20

service-policy output MyQoS

Questions:

  1. Is it reasonable to define policy map and bandwidth for the default class?
  2. In the initial topic I was told that I need to mark traffic incoming to the routers LAN interfaces and I need to use hierarchical QoS. Can you explain, what does all it mean and how to do that?

Thank you.

5 Replies 5

Alen Danielyan
Level 1
Level 1

Can anyone answer at least my "conceptual" questions?

1. Is it reasonable to define policy map and bandwidth for the default  class?

2. How do Flow-Based WFQ and CB WFQ work? I mean what happens inside each separate queue of the respective class? Let's say 10 users are copiing files from a share, and that is a traffic of a separate class, how will the bandwidth been shared among these 10 users in case of FBWFQ and in case of CBWFQ?

Hello Alen,

>> Questions:

  1. Is it reasonable to define policy map and bandwidth for the default class?
  2. In the initial topic I was told that I need to mark traffic incoming to the routers LAN interfaces and I need to use hierarchical QoS. Can you explain, what does all it mean and how to do that?

if you are using GRE over IPSec the packets that are sent out WAN interface(s) have the following encapsulation:

IPSec|GRE|original packet

As a result of this the scheduler appled on the outbound direction cannot see the original packets but just the IPSec header (AH or ESP)

The only property that we can take advantage of is the fact that both GRE and IPSec put in the TOS byte a copy of the TOS byte of the transported packet:

original packet TOS byte is copied into TOS byte of GRE

TOS byte of GRE is copied into TOS byte of the most external IPv4 header.

To accomodate few traffic classes you can use IP Prec or DifferServ DSCP (6 bits wide more values).

In order to make this to work you need to mark on the LAN interfaces.

So all your configuration should be used to define class-maps to be used on other policy-maps used for marking

policy-map mark-lan-traffic

class-voip

set ip prec 5

class datapus

set ip prec 1

and so on

the policy map has to be applied inbound on LAN interface(s)

int fas0/0

service-policy mark-lan-traffic input

once all traffic is marked the class-maps to be used on the scheduler will use a match of the marking value

class voip-wan

match ip prec 5

class datiplus-wan

match ip prec 1

and so on

assigning bandwidth to default class is not needed as it takes what is left by other traffic classes

Also be aware that most low end routers use a concept of max usable bandwidth that by default is 75% of link bandwidth.

Another aspect is that traffic is sent using a logical outbound interface.

In any case the physical interface may be a 100Mbps full interface but the circuit provides only 20 Mbps: it may be subrate

To deal with this you need hierarchical QoS with a parent policy shape-all-20Mbps that invokes a child policy that is the scheduler

example

policy-map shape-all-Circuit1

class class-default

shape average 20000000

service WAN-scheduler

Edit:

for voip-wan class consider the use of LLQ with priority command instead of bandwidth command to provide better treatment to VOIP small packets.

Edit2:

>> How do Flow-Based WFQ and CB WFQ work? I mean what happens inside each separate queue of the respective class? Let's say 10 users are copiing files from a share, and that is a traffic of a separate class, how will the bandwidth been shared among these 10 users in case of FBWFQ and in case of CBWFQ?

Flow based WFQ is now legacy, WFQ works by assigning a weight to each packet that takes care of IP precedence value and packet size

To decide what packet to be sent first the scheduler compares the weights of two packets.

small packets and packets with high values of IP precedence are preferred.

so WFQ is "fair " because it helps low volume traffic flows and packets with  a marking

CB WFQ uses modular QoS to define different queues, each queue is a WFQ, for class default the queue is FIFO by default

ten users in same class will be ten flows in the same traffic class and they will use what the traffic class can use

CBWFQ is elastic that is if any bandwidth is left free by one traffic class it can be used by other traffic classes

the bandwidth settings are the mininum rates assured when link is full for each class.

see

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/congstion_mgmt_oview.html#wp1001120

Hope to help

Giuseppe

Giuseppe, thank you for your help and I am sorry for my absence - had some high priority work to do. Now I am back again. I am reading the same docs again, but still can't fully understand your post.

Can you please explain me what to do more detailed and step by step.

Thank you.

After reading some more resources I understood the following:

-  In our case it is better to do not configure default class (as when it  is not configured it is working by FB-FWQ method, and when configured  using bandwidth command - FIFO. Besides by default we can distribute  only 75% of the total bandwidth, 25% is reserved for L2 overhead and  some other things plus default class traffic. 25% for default class +  overhead is ok for us).

- I'll need 32kbps bandwidth for each voice connection, when using G729 (8kbps).

-  It is better to configure voice class using "priority" command with  bandwidth parameter (this will make strict priority for voice traffic  and will allow to go out the limit if not all available bandwidth is  used).

Am I right?

Dear Giuseppe, I have read a lot, and finally (I think) I understand your advice.

Below is my configuration. My idea was in the following:

1. Mark traffic incoming into LAN interface of the routers (and for that I have to create respective classes, create marking policy to mark traffic using DSCP values, then create parent shaping policy and apply the policy to LAN interface on input).

2. Make QoS (and for that I need to create class maps using given DSCP values, then create QoS child policy, then create parent shaping policy and apply it on Tunnel on output (not sure in this)).

Is this correct?

P.S. While reading I understood, that I have to create additional shaping parent policy, as policies can not be applied directly on the Tunnel and any logical interfaces (obviously, including VLAN Ethernet subinterfaces)!?

Besides, I also found a way to create policy for DM-VPN (multi)tunnel interfaces using NHRP groups.

Oh, still have many questions, but let's look at the config first:

!First step: mark traffic incoming to LAN interface

!ACLs for traffic classes, 4 types of traffic: Voice, High, Low and Normal priority traffic:

ip access-list extended VoIPT
remark VoIP Traffic
permit udp {Asterisk server ip} any
permit udp any {Asterisk server ip}
deny any any

ip access-list extended HighPT
remark Traffic to regional center 1 Oracle servers (subnet 192.168.0.0) and reverse
permit tcp 192.168.0.0 0.0.63.255 192.168.0.0 0.0.0.255 eq 1521
permit tcp 192.168.0.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
remark Traffic to regional center 2 Oracle servers (subnet 192.168.30.0) and reverse
permit tcp 192.168.0.0 0.0.63.255 192.168.30.0 0.0.0.255 eq 1521
permit tcp 192.168.30.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
deny any any

ip access-list extended LowPT
remark SMB Traffic (direct and reverse)
permit tcp any any eq 445
permit tcp any eq 445 any
permit udp any any eq 445
permit udp any eq 445 any
remark Lotus Notes Traffic (direct and reverse)
permit tcp any any eq 1352
permit tcp any eq 1352 any
remark e-mail Traffic (direct and reverse)
permit tcp any any eq smtp
permit tcp any eq smtp any
permit tcp any any eq pop3
permit tcp any eq pop3 any
deny any any


!Class-maps for DSCP:
class-map DSCP-VoIPT
match access-group name VoIPT
exit
class-map DSCP-HighPT
match access-group name HighPT
exit
class-map DSCP-LowPT
match access-group name LowPT
exit


!Policy-maps for marking by DSCP:
policy-map MyDSCP
class DSCP-VoIPT
set DSCP ef
exit
class DSCP-HighPT
set DSCP af31
exit
class DSCP-LowPT
set DSCP default
exit

policy-map ParentDSCP
class class-default
shape average 100000000
service-policy MyDSCP
exit


!Applying on LAN interfaces on the spokes and hubs
interface VLAN1
service-policy input ParentDSCP


!Second step: create and apply QoS rules to Tunnel interfaces

!Class-maps for QoS:
class-map QoS-VoIPT
match ip dscp ef
exit
class-map QoS-HighPT
match ip dscp af31
exit
class-map QoS-LowPT
match ip dscp default
exit


!Policy-maps for QoS:
policy-map MyQoS
class QoS-VoIPT
priority percent 38
exit
class QoS-HighPT
bandwidth percent 25
exit
class QoS-LowPT
bandwidth percent 10
exit

policy-map ParentQoS4DMVPN
class class-default
shape average 2000000
service-policy MyQoS
exit

policy-map ParentQoS4Hub2HubVPN
class class-default
shape average 4000000
service-policy MyQoS
exit

qos pre-classify


!Applying on tunnel interfaces on the spokes
interface tunnel0
ip nhrp group NHRP4QoS
service-policy output ParentQoS4DMVPN
interface tunnel1
ip nhrp group NHRP4QoS
service-policy output ParentQoS4DMVPN


!Applying on tunnel interfaces on the hubs (Tunnel 0 and 1 are DMVPN tunnels, 2 and 3 are tunnels between hubs)

interface tunnel0
ip nhrp map group NHRP4QoS service-policy output ParentQoS4DMVPN
interface tunnel1
ip nhrp map group NHRP4QoS service-policy output ParentQoS4DMVPN
interface tunnel2
service-policy output ParentQoS4Hub2HubVPN
interface tunnel3
service-policy output ParentQoS4Hub2HubVPN

Some comments and questions:

1. I was going to use nBAR for voice packets recognition (“match protocol rtp audio”), but was awared of doing it, because of high CPU time consumption (I remind you we have Cisco 1811 as hubs and Cisco 870 series as spokes, all with IOS 12.4.24T2).

For now hubs are handling 2x11 VPN (DM-VPN) channels with AES256 encryption (half of channels have higher OSPF cost, so only 11 are transferring real traffic), all with 1mbps bandwidth connections with branches, plus there are also 2x GRE over IPSec VPN channels between hubs working with 2mbps connections. Thus the total bandwidth for all (2x) 12 VPN channels is (2x) 13mbit/sec, two times growth is planned (to 26mbit/sec).

What can you advice in this situation?

2. Am I doing right when applying marking policy to the LAN subinterface via intermediary shape-policy?

3. Is everything correct with QoS policies applied on the Tunnel interfaces?

4. I met recommendations to set bandwidth on the outgoing interface for QoS to work properly, but I don’t know where to set it (Tunnels vs WAN Ethernet subinterface) and what value to mention in both cases (for DM-VPN Tunnel interfaces, which service many tunnels, and for Ethernet subinterfaces, which service DM-VPN + VPN between hubs)? Per tunnel bandwidth or total bandwidth, and what consequenses I would have?

IMHO, I need not to mention any bandwidth, because I have shaping policies, where I set real bandwidth of the tunnel, plus in case of DM-VPN tunnels interfaces, it was written, that when applying via NHRP group, IOS understands it is mentioned per tunnel! Is this correct?

With hopes on your help.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: