QOS help

Unanswered Question
Aug 6th, 2012

Hi Guys,

I need some advice pertaining to QoS with a site-to-site VPN.

Our company just acquired another company and we have implemented a site-to-site VPN. The site-to-site VPN is working OK. We can access their network and they can access ours.

The issue we are facing is that when users access the internet or use applications which utilize the internet, the site-to-site VPN gets clogged up as those applications consume bandwidth. I have applied QoS on our Linux firewall, which covers our internal services such as email, browsing, etc. (see attached diagram).

I was thinking of applying QoS on the edge router, which would help mitigate the bandwidth issue.

Our bandwidth from the ISP is 3 Mbps download and 2 Mbps upload.

I would be grateful if you could send me an example or guide me on the way forward.

Thanks & Regards,

Terence

JosephDoherty Mon, 08/06/2012 - 05:23

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Ideally, you want to configure QoS policies on the bottleneck egress. In your case, this would most likely be the link between your ISP and your ISP edge router. The most common issue in this situation is that your ISP is unlikely to be willing to configure QoS on their egress side of the link. (NB: normally ISPs would prefer to sell you more bandwidth.) Assuming this is the case, often the best thing you might do is obtain one link for general Internet access and one dedicated to the VPN. When this is done, you can shape the outbound of the latter to correspond to the bandwidth between the VPN sites.

Another option is to police inbound traffic, but there are two major issues with doing this: available bandwidth can go unused, and inbound traffic must be rate adaptive. Even if it is, it will tend to burst above your bandwidth caps.

terrencepayet Mon, 08/06/2012 - 06:48

Hi Joseph,

Thanks for your reply.

Let me explain a bit more about our topology.

All NATting is being done on the main FW, i.e. the Linux FW. There's nothing fancy configured on the edge; it is there mainly as a "bridge". We have two interfaces on the edge router: fa0/1 facing our ISP, using the private address range 10.10.10.0/30 on a P2P link, and on fa0/0 we have our pool of public IP addresses configured.

Please advise if this explanation is helpful.

Thanks again,

Terence

JosephDoherty Mon, 08/06/2012 - 09:31


Yes, it's helpful, but it doesn't change anything, as VPN and Internet traffic both flow through your edge router and its bandwidth to the ISP is still 3/2 Mbps down/up, correct?

terrencepayet Mon, 08/06/2012 - 21:55

Hi Joseph,

Yes both flow through the edge router.

Isn't there a way we can identify the traffic flowing through the edge so that we can distinguish between VPN and internet? Internet services will be pretty easy to identify, but what about the VPN itself?

I've put your ideas in front of management, the ones about buying additional bandwidth and adding an additional line.

But this will take some time to process.

I wanted a quick and cost-effective solution.

If you have any more ideas, please feel free to share.

Thanks again & regards,

Terence

JosephDoherty Tue, 08/07/2012 - 02:13


The issue isn't identification of the two types of traffic; the issue is what your options are to manage your congestion. You can effectively and relatively easily manage congestion outbound, but inbound is a problem to manage effectively.

terrencepayet Tue, 08/07/2012 - 02:23

Hi Joseph,

Thanks.

So the simplest solution is to have a dedicated line only for the site-to-site VPN, or to increase our bandwidth?

Regards,

Terence

JosephDoherty Tue, 08/07/2012 - 02:45


Perhaps not the simplest solution, but perhaps the most effective. With a link dedicated to the VPN you can shape output to correspond to the other side's input bandwidth.

The simplest solution, besides managing outbound congestion, might be to rate-limit inbound non-VPN traffic. That's easy to try, and you might be lucky and find it satisfactory. If not, then you can pursue placing the two traffic types on two different links.
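The following is an added example, not configuration posted by anyone in this thread, showing what the two approaches discussed above look like as a Cisco IOS MQC policy on the edge router: shape everything leaving fa0/1 to just under the 2 Mbps uplink so the router rather than the ISP queues the traffic, guarantee the VPN a share of that while it is congested, and police inbound non-VPN traffic on fa0/1 as a cheap first try. It assumes the site-to-site VPN is IPsec terminated on the Linux firewall and therefore crosses the edge as ESP plus IKE (UDP 500/4500) to a single remote peer; the peer address 203.0.113.10 is a documentation-range placeholder, and the 1900/1000/1500 kbps figures are illustrative choices against the 2 Mbps up / 3 Mbps down stated in the thread, not values from the post. If the VPN is GRE, OpenVPN or something else, only the access list needs to change.

```cisco
! Added example (not from the thread). Assumed: fa0/1 faces the ISP as stated above,
! VPN is IPsec to remote peer 203.0.113.10 (placeholder address).
!
! 1. Identify VPN traffic: ESP, IKE (UDP/500) and NAT-T IKE (UDP/4500) to/from the peer.
ip access-list extended VPN-ACL
 permit esp any host 203.0.113.10
 permit esp host 203.0.113.10 any
 permit udp any host 203.0.113.10 eq isakmp
 permit udp host 203.0.113.10 any eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
!
class-map match-any VPN-TRAFFIC
 match access-group name VPN-ACL
!
! 2. Outbound: child policy guarantees the VPN 1000 kbps of the shaped rate
!    during congestion; everything else shares the remainder fairly.
policy-map WAN-OUT
 class VPN-TRAFFIC
  bandwidth 1000
 class class-default
  fair-queue
!
! Parent shaper: 1900 kbps, slightly under the 2 Mbps uplink, so queuing
! happens here (where the child policy applies) instead of at the ISP.
policy-map SHAPE-WAN-OUT
 class class-default
  shape average 1900000
  service-policy WAN-OUT
!
! 3. Inbound: leave VPN traffic alone, cap non-VPN at 1500 kbps of the 3 Mbps.
!    This only drops packets after they have already crossed the ISP link,
!    so it relies on the senders backing off (the caveat raised above).
policy-map WAN-IN
 class VPN-TRAFFIC
 class class-default
  police 1500000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1
 service-policy output SHAPE-WAN-OUT
 service-policy input WAN-IN
```

After applying it, `show policy-map interface FastEthernet0/1` shows per-class offered rate, drops and queue depth, which is the quickest way to confirm the VPN class is actually matching (non-zero packet counts) and to see whether the inbound policer is doing useful work before deciding on a second link. Because the VPN class is a no-action class in `WAN-IN`, VPN packets pass the inbound policy unpoliced; only `class-default` is rate-limited.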
