QoS question about input/output policy

Unanswered Question
Apr 19th, 2012
User Badges:


Our client has MPLS connected all sites. Each site has a router connected to MPLS via serial interface,

and connected to the switch (6500) via ethernet interface. There is QoS applied on the serial interface

for outbound.

Q1: It appears there are lots of inbound traffic coming to the site, and the client applied QoS on outbound

What I learned that after the packet are marked by the CPE, the ingree Provider Edge Router (PER)

uses these marking to map flows to various Label Switched Paths (LSPs) providing differentiated treatment

accross the network. Then at egree, the PER applies queuing policying based on the CPEs orginal DSCP markings

to properly allocate bandwidth on the egrees link during congestion. My guess we really don't need to have

inbound policy applied in the serial interface on the router, am I correct?

Q2: The serial interface has 1.5 MB, and the goal is we want to have 1 MB for cirtical apps, and 0.5 MB for download/upload

internet access. If we apply this policy on the switch, A) should I apply it on the VLAN interface or the port connected to the router?

B) Should I apply output or input? Any suggestion?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
John Blakley Thu, 04/19/2012 - 13:46
User Badges:
  • Purple, 4500 points or more


I personally use inbound policy maps for policing traffic. I don't know what type of service that you have from your ISP, but mine doesn't create policies to help us out. They only allow us to pass tags that they tell us they'll support and I have policies based around those. Policing inbound allows me to drop excess traffic. For example, I have SEP servers that sometimes users will come across the wan to get updates, but downloading those can take up a lot of the link. I have a policy that matches on my SEP servers source addresses and only allows them 10% of the link before it starts dropping traffic. Outbound on both ends of the link is fine for two-way communication in most scenarios.

In your scenario, your routed port is your egress port, so you could apply outbound there. Where is the current policy? Is it on your switch or router? I'd put it on my router and mark there if you're not doing an L2 markings.


Joe Lee Thu, 04/19/2012 - 14:33
User Badges:

Thank you John for looking at my issue.

My QoS policy is apply on the routed port on the router for outbound. My major problem is the user downloads the file and take up lots of bandwidth. My policy is allowed 15% of the link. Is it a good idea to apply the same outbound policy for the inbound in the same serial interface on the router? I just want the users to have under 15% bandwidth when they download and I can live with other inbound traffic. Any better way to implement? Any sample configuration is appriciated.

John Blakley Thu, 04/19/2012 - 16:25
User Badges:
  • Purple, 4500 points or more


It's going to be very hard to implement a downloading control policy unless you know what addresses users are downloading from. Are they downloading from the internet or from a server that you own?


Joe Lee Thu, 04/19/2012 - 18:40
User Badges:


I have address from the LAN (, but don't have address coming from. So assuming any IP to the LAN address via 80 and 443 that I want to restrict.



John Blakley Fri, 04/20/2012 - 04:36
User Badges:
  • Purple, 4500 points or more

It's going to be very difficult to do what you're wanting if you don't know the source addresses. What happens is that once you go out to the internet, you'll be natting somewhere. You'll need to control what comes back into your public side and not to the private addresses. For example, if you nat to, outbound you can control, but inbound you'll have to control what comes into And not knowing the source address means that you can't differentiate downloads from normal web browsing.

Edison Ortiz Fri, 04/20/2012 - 06:55
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Additionally, placing an inbound policy in your router is fruitless as the flows have consumed your precious bandwidth anyway.

The best way of controlling internet traffic is by using proxy servers along with web cache engines.




This Discussion