Cisco Support Community

Inbound WAN Congestion & QoS

I don't believe there is a solution to this, but you all may have something to say.

Scenario: small branch office with a full-duplex T1 access circuit to a frame relay provider. The frame relay provider provides Internet access. Addressing on the serial subinterface is a public address. Frame Relay CIR is 1.5Mbps. SolarWinds monitoring of the serial interface shows that more traffic is inbound than outbound. Inbound traffic comes from Internet services as well as data from the HQ site, accessible via a GRE/IPSec tunnel. Therefore, multiple inbound sources.

I want to know if there is something I can do to provide better service from the branch office LAN to the HQ LAN with reference to specific source/destination addresses and ports. It seems that branch site users are losing connections to HQ resources due to sudden inbound congestion on the WAN interface. I.e., outbound packets for the tunnel get to the HQ, but a server at the HQ can't reliably connect back to a branch site host (via the GRE tunnel) because of inbound T1 congestion (users downloading stuff from the Internet, suspicious port 80 traffic, etc.).

What QoS tools (if any) can be used to resolve this?



Re: Inbound WAN Congestion & QoS

You are correct, there is no true solution you can implement on your end, since the dropping of the packets is occurring as the provider attempts to queue them to your remote site.

For TCP traffic you can, to a point, use the TCP stack fallbacks for retransmission to help you. This of course only works for TCP; if you drop UDP traffic it either doesn't help or can make it worse, depending on the application.

Really all you can do is police the traffic as it enters your router. You need to pick a point that you want to reserve for your tunnel traffic to/from the remote site. Say you want to reserve 500k for this; you would police the other traffic to 1m. Sorta a trade-off. Now your remote site tunnel will work, but if it is not using the bandwidth it will be wasted. Unlike queuing methods, policing has few options.

You may want to just limit certain types of traffic that are causing the biggest issues, but if all else fails you can build a class that matches not ipsec
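
A sketch of the inbound policer described in the reply above, added here as an illustration and not part of the original post: everything that is not IPsec is policed to 1 Mbps on input, leaving roughly 500 kbps of the T1 for the tunnel. The ACL, class and policy names and the subinterface `Serial0/0.1` are assumptions. The ACL matches ESP and ISAKMP because an input policy on the WAN interface sees tunnel packets while they are still encrypted.

```cisco
! Added example: names and interface are hypothetical.
! Identify the encrypted tunnel traffic as it arrives on the WAN side.
ip access-list extended IPSEC-TUNNEL
 permit esp any any
 permit udp any any eq isakmp
!
! Class for everything that is NOT the IPsec tunnel.
class-map match-all NOT-IPSEC
 match not access-group name IPSEC-TUNNEL
!
! Police non-tunnel traffic to 1 Mbps; excess is dropped so that TCP
! senders back off. Tunnel traffic falls into class-default, unpoliced.
policy-map POLICE-INBOUND
 class NOT-IPSEC
  police 1000000 conform-action transmit exceed-action drop
!
! Apply on input of the Frame Relay subinterface facing the provider.
interface Serial0/0.1 point-to-point
 service-policy input POLICE-INBOUND
```

`show policy-map interface Serial0/0.1 input` reports conformed and exceeded packet counts per class, which shows whether the policer is the point where non-tunnel traffic is being dropped.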