08-06-2012 02:16 AM - edited 03-04-2019 05:10 PM
Hi Guys,
I need some advice pertaining to QoS with site-to-site VPN.
Our company just acquired another company and we have implemented a site-to-site VPN. The site-to-site VPN is working OK. We can access their network and they can access ours.
The issue we are facing is that when users access the internet or use applications which utilize the internet, the site-to-site VPN gets clogged up as those applications are consuming bandwidth. I have applied QoS on our Linux firewall, which reflects on our internal services such as email, browsing, etc. (see attached diagram)
I was thinking of applying QoS on the edge router, which will help mitigate the bandwidth issue.
Our bandwidth from the ISP is 3Mbps download and 2Mbps upload.
I'd be grateful if you guys could send me some examples or guide me on the way forward.
Thanks & Regards,
Terence
08-06-2012 05:20 AM
Hi there
This is a very handy link that you can use as a guide:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html
Hope this helps.
If helpful, rate.
08-06-2012 05:23 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Ideally, you want to configure QoS policies on the bottleneck egress. In your case, this would most likely be the link between your ISP and your ISP edge router. The most common issue in this situation is that your ISP is unlikely to be willing to configure QoS on their egress side of the link. (NB: Normally ISPs would prefer to sell you more bandwidth.) Assuming this is the case, often the best thing you might do is obtain a link for general Internet access and one dedicated for VPN. When this is done, you can shape the outbound of the latter to correspond to the bandwidth between VPN sites.
Another option is to police inbound traffic, but the two major issues with doing this are that available bandwidth can go unused and that inbound traffic must be rate adaptive. Even if it is, it will tend to burst above your bandwidth caps.
08-06-2012 06:48 AM
Hi Joseph,
Thanks for your reply.
Let me explain a bit more about our topology.
All NATting is being done on the main FW, i.e. the Linux FW. There's nothing fancy configured on the edge; it is there mainly as a "bridge". We have two interfaces on the edge router: fa0/1 facing our ISP using private IP address 10.10.10.0/30 P2P link, and on fa0/0 we have our pool of public IP addresses configured.
Please advise if this explanation is helpful.
Thanks again,
Terence
08-06-2012 09:31 AM
Yes it's helpful, but doesn't change anything as VPN and Internet traffic both flow through your Edge router and its bandwidth to the ISP is still 3/2 down/up Mbps, correct?
08-06-2012 09:55 PM
Hi Joseph,
Yes both flow through the edge router.
Isn't there a way we can identify the traffic flowing through the edge so that we can distinguish between VPN and internet? Internet services will be pretty easy to identify, but what about the VPN itself?
I've put your ideas in front of management, the one about buying additional bandwidth and adding an additional line.
But this will take some time to process.
I wanted a quick and cost-effective solution.
If you have any more ideas, please feel free to share.
Thanks again & regards,
Terence
08-07-2012 02:13 AM
The issue isn't identification of the two types of traffic; the issue is what your options are to manage your congestion. You can effectively and relatively easily manage congestion outbound, but inbound is a problem to manage effectively.
08-07-2012 02:23 AM
Hi Joseph,
Thanks.
So the simplest solution is to have a dedicated line only for site-to-site VPN or to increase our bandwidth?
Regards,
Terence
08-07-2012 02:45 AM
Perhaps not the simplest solution, but perhaps the most effective. With a link dedicated to VPN you can shape output to correspond to the other side's input bandwidth.
The simplest solution, besides managing outbound congestion, might be to rate limit inbound non-VPN traffic. That's easy to try and you might be lucky and find it satisfactory. If not, then you can pursue placing the two traffic types on two different links.
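The two options Joseph describes, outbound shaping that guarantees the tunnel a share of the upload and inbound policing of non-VPN traffic, expressed as Linux tc commands for a firewall like the one in the question. This is an added example, not code from the thread, from Cisco or from the linked guide. The interface name eth0, the peer address 203.0.113.10 and the 60 and 80 percent splits are assumptions; the link rates are the 3 Mbps down / 2 Mbps up quoted in the question. With DRY_RUN=1 (the default) it prints the tc commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): Linux tc commands for the two options
# discussed above. Interface name, peer address and percentage splits are
# assumptions; rates match the 3 Mbps down / 2 Mbps up quoted in the question.
set -eu

WAN_IF="${WAN_IF:-eth0}"               # assumed name of the ISP-facing interface
UP_KBIT="${UP_KBIT:-2000}"             # upload rate in kbit/s (2 Mbps from the thread)
DOWN_KBIT="${DOWN_KBIT:-3000}"         # download rate in kbit/s (3 Mbps from the thread)
VPN_PEER="${VPN_PEER:-203.0.113.10}"   # constructed placeholder for the remote VPN gateway
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the tc commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# pct_of RATE PCT -> integer RATE*PCT/100
pct_of() { echo $(( $1 * $2 / 100 )); }

# Outbound (the side that is easy to manage): HTB shaping on the WAN interface.
# Shape slightly below the ISP rate so the queue builds here, where we control it,
# and give IPsec traffic to the peer (ESP, IKE udp/500, NAT-T udp/4500) a guaranteed
# share; everything else shares the remainder and may borrow up to the ceiling.
egress_shaping() {
  ceil=$(pct_of "$UP_KBIT" 95)
  vpn_rate=$(pct_of "$ceil" 60)     # guaranteed share for VPN; tune to the remote site's input rate
  other_rate=$(( ceil - vpn_rate ))
  run tc qdisc del dev "$WAN_IF" root 2>/dev/null || true
  run tc qdisc add dev "$WAN_IF" root handle 1: htb default 20
  run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${ceil}kbit" ceil "${ceil}kbit"
  run tc class add dev "$WAN_IF" parent 1:1 classid 1:10 htb rate "${vpn_rate}kbit" ceil "${ceil}kbit" prio 0
  run tc class add dev "$WAN_IF" parent 1:1 classid 1:20 htb rate "${other_rate}kbit" ceil "${ceil}kbit" prio 1
  run tc qdisc add dev "$WAN_IF" parent 1:10 fq_codel
  run tc qdisc add dev "$WAN_IF" parent 1:20 fq_codel
  # Classify IPsec to the peer into 1:10; IP protocol 50 = ESP, 17 = UDP.
  run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 \
      match ip dst "$VPN_PEER/32" match ip protocol 50 0xff flowid 1:10
  run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 \
      match ip dst "$VPN_PEER/32" match ip protocol 17 0xff match ip dport 500 0xffff flowid 1:10
  run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 \
      match ip dst "$VPN_PEER/32" match ip protocol 17 0xff match ip dport 4500 0xffff flowid 1:10
}

# Inbound (the side that is hard to manage): police non-VPN traffic arriving from the
# ISP so that Internet downloads leave headroom for the VPN. As noted in the thread,
# this drops packets and relies on senders backing off, so it only helps for
# rate-adaptive flows, and the headroom goes unused when the VPN is idle.
ingress_policing() {
  police_rate=$(pct_of "$DOWN_KBIT" 80)  # cap for non-VPN inbound; the rest is headroom for VPN
  burst=$(( police_rate / 20 ))          # burst in kbytes; a starting point, tune under load
  run tc qdisc del dev "$WAN_IF" ingress 2>/dev/null || true
  run tc qdisc add dev "$WAN_IF" handle ffff: ingress
  # Packets from the VPN peer match first (lower prio value) and are left alone.
  run tc filter add dev "$WAN_IF" parent ffff: protocol ip prio 1 u32 \
      match ip src "$VPN_PEER/32" flowid :1
  # Everything else is policed; traffic above the cap is dropped.
  run tc filter add dev "$WAN_IF" parent ffff: protocol ip prio 2 u32 match u32 0 0 \
      police rate "${police_rate}kbit" burst "${burst}k" drop flowid :1
}

egress_shaping
ingress_policing
```

Run it once as-is to review the generated commands, then with `DRY_RUN=0` as root on the firewall to apply them. The ingress policer is the "easy to try" option; the HTB classes are what you would keep if a second link is later dedicated to the VPN, with the ceiling set to the remote site's input bandwidth.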