Our company Intranet consists of 2 regional networks, each of which is a DMVPN network with regional center (regional hub, Cisco 1811) and small branches (spokes, Cisco 871). The hubs of the regional centers are also connected with each other by 2 encrypted tunnels (GRE + IPSec).
All spoke routers connect to their regional hub via 2 external lines, OSPF is used.
So, topology is 2 stars with connected centers.
The target was: to consolidate the servers of each region in the respective regional center, provide reachability between all branch networks (primarily for VoIP), plus have the regional centers provide Internet connection for the spokes of their own region (only).
Now I want to deploy CBWFQ QoS. More precisely, I want to divide the whole traffic between offices into 4 classes:
I: High priority traffic (back office application traffic (Oracle) - TCP 1521),
II: VoIP traffic (we have not implemented VoIP yet, so I don't know whether it will be SIP or anything else),
III: Normal priority traffic (any non-specified traffic)
IV: Low priority traffic (FTP - TCP 20, 21; file sharing (SMB) - TCP 445, UDP445; Lotus - TCP 1352).
Then I wish to divide available bandwidth this way:
Here is my draft config:
ip access-list extended QoS-HighPT
 remark Traffic to regional center 1 Oracle servers and reverse
 permit tcp 192.168.0.0 0.0.63.255 192.168.0.0 0.0.0.255 eq 1521
 permit tcp 192.168.0.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
 remark Traffic to regional center 2 Oracle servers and reverse
 permit tcp 192.168.0.0 0.0.63.255 192.168.30.0 0.0.0.255 eq 1521
 permit tcp 192.168.30.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
 deny ip any any
!
ip access-list extended QoS-VoIP
 remark VoIP Traffic
 permit tcp any eq 5060 any eq 5060
 permit udp any eq 5060 any eq 5060
 deny ip any any
!
ip access-list extended QoS-LowPT
 remark SMB Traffic (direct and reverse)
 permit tcp any any eq 445
 permit tcp any eq 445 any
 permit udp any any eq 445
 permit udp any eq 445 any
 remark Lotus Notes Traffic (direct and reverse)
 permit tcp any any eq 1352
 permit tcp any eq 1352 any
 remark e-mail Traffic (direct and reverse)
 permit tcp any any eq smtp
 permit tcp any eq smtp any
 permit tcp any any eq pop3
 permit tcp any eq pop3 any
 deny ip any any
!
! Class-map and interface names were not preserved in the post; the names below are
! placeholders, the match and bandwidth statements are in the order posted.
class-map match-all HighPT
 match access-group name QoS-HighPT
class-map match-all VoIP
 match access-group name QoS-VoIP
class-map match-all LowPT
 match access-group name QoS-LowPT
!
policy-map MyQoS
 class HighPT
  bandwidth percent 20
 class VoIP
  bandwidth percent 40
 class LowPT
  bandwidth percent 10
 class class-default
  bandwidth percent 30
!
! Applying policy map to external interfaces
interface <WAN-interface-1>
 service-policy output MyQoS
interface <WAN-interface-2>
 service-policy output MyQoS
Can anyone answer at least my "conceptual" questions?
1. Is it reasonable to define policy map and bandwidth for the default class?
2. How do Flow-Based WFQ and CBWFQ work? I mean, what happens inside each separate queue of the respective class? Let's say 10 users are copying files from a share, and that is traffic of a separate class; how will the bandwidth be shared among these 10 users in the case of FBWFQ and in the case of CBWFQ?
If you are using GRE over IPSec, the packets that are sent out of the WAN interface(s) have the following encapsulation:
As a result of this, the scheduler applied in the outbound direction cannot see the original packets but just the IPSec header (AH or ESP).
The only property that we can take advantage of is the fact that both GRE and IPSec put in the TOS byte a copy of the TOS byte of the transported packet:
original packet TOS byte is copied into TOS byte of GRE
TOS byte of GRE is copied into TOS byte of the most external IPv4 header.
To accommodate a few traffic classes you can use IP Prec or DiffServ DSCP (6 bits wide, more values).
In order to make this work you need to mark on the LAN interfaces.
So all your configuration should be used to define class-maps to be used in other policy-maps used for marking:
 set ip precedence 5
 set ip precedence 1
and so on.
The policy map has to be applied inbound on the LAN interface(s):
 service-policy input mark-lan-traffic
Once all traffic is marked, the class-maps to be used on the scheduler will use a match of the marking value:
 match ip precedence 5
 match ip precedence 1
and so on.
Assigning bandwidth to the default class is not needed, as it takes what is left by the other traffic classes.
Also be aware that most low end routers use a concept of max usable bandwidth that by default is 75% of link bandwidth.
Another aspect is that traffic is sent using a logical outbound interface.
In any case the physical interface may be a 100 Mbps full-duplex interface but the circuit provides only 20 Mbps: it may be subrate.
To deal with this you need hierarchical QoS with a parent policy shape-all-20Mbps that invokes a child policy that is the scheduler:
 shape average 20000000
For the voip-wan class consider the use of LLQ with the priority command instead of the bandwidth command, to provide better treatment to the small VoIP packets.
>> How do Flow-Based WFQ and CBWFQ work? I mean, what happens inside each separate queue of the respective class? Let's say 10 users are copying files from a share, and that is traffic of a separate class; how will the bandwidth be shared among these 10 users in the case of FBWFQ and in the case of CBWFQ?
Flow-based WFQ is now legacy. WFQ works by assigning a weight to each packet that takes care of the IP precedence value and the packet size.
To decide what packet is to be sent first, the scheduler compares the weights of two packets.
Small packets and packets with high values of IP precedence are preferred.
So WFQ is "fair" because it helps low-volume traffic flows and packets with a marking.
CB WFQ uses modular QoS to define different queues, each queue is a WFQ, for class default the queue is FIFO by default
Ten users in the same class will be ten flows in the same traffic class and they will use what the traffic class can use.
CBWFQ is elastic, that is, if any bandwidth is left free by one traffic class it can be used by other traffic classes.
The bandwidth settings are the minimum rates assured for each class when the link is full.
Hope to help
Giuseppe, thank you for your help and I am sorry for my absence - I had some high-priority work to do. Now I am back again. I am reading the same docs again, but still can't fully understand your post.
Can you please explain to me in more detail, step by step, what to do?
After reading some more resources I understood the following:
- In our case it is better not to configure the default class (when it is not configured it works by the FB-WFQ method, and when configured using the bandwidth command, FIFO. Besides, by default we can distribute only 75% of the total bandwidth; 25% is reserved for L2 overhead and some other things plus default-class traffic. 25% for the default class + overhead is ok for us).
- I'll need 32 kbps of bandwidth for each voice connection when using G.729 (8 kbps).
- It is better to configure the voice class using the "priority" command with a bandwidth parameter (this will make strict priority for voice traffic and will allow it to go over the limit if not all available bandwidth is used).
Am I right?
Dear Giuseppe, I have read a lot, and finally (I think) I understand your advice.
Below is my configuration. My idea was in the following:
1. Mark traffic incoming on the LAN interface of the routers (and for that I have to create the respective classes, create a marking policy to mark traffic using DSCP values, then create a parent shaping policy and apply the policy to the LAN interface on input).
2. Do the QoS (and for that I need to create class maps using the given DSCP values, then create the QoS child policy, then create a parent shaping policy and apply it on the Tunnel on output (not sure about this)).
Is this correct?
P.S. While reading I understood that I have to create an additional shaping parent policy, as policies cannot be applied directly to the Tunnel or any logical interface (obviously, including VLAN Ethernet subinterfaces)!?
Besides, I also found a way to create a policy for DM-VPN (multipoint) tunnel interfaces using NHRP groups.
Oh, I still have many questions, but let's look at the config first:
! First step: mark traffic incoming to LAN interface
! ACLs for traffic classes, 4 types of traffic: Voice, High, Low and Normal priority traffic:
ip access-list extended VoIPT
Some comments and questions:
1. I was going to use NBAR for voice packet recognition ("match protocol rtp audio"), but was wary of doing it because of the high CPU time consumption (I remind you we have Cisco 1811 as hubs and Cisco 870 series as spokes, all with IOS 12.4.24T2).
For now the hubs are handling 2x11 VPN (DM-VPN) channels with AES256 encryption (half of the channels have a higher OSPF cost, so only 11 are transferring real traffic), all with 1 Mbps bandwidth connections to the branches, plus there are also 2x GRE over IPSec VPN channels between the hubs working over 2 Mbps connections. Thus the total bandwidth for all (2x) 12 VPN channels is (2x) 13 Mbit/s, and a twofold growth is planned (to 26 Mbit/s).
What can you advise in this situation?
2. Am I doing right when applying the marking policy to the LAN subinterface via an intermediary shape policy?
3. Is everything correct with the QoS policies applied on the Tunnel interfaces?
4. I met recommendations to set bandwidth on the outgoing interface for QoS to work properly, but I don't know where to set it (Tunnels vs WAN Ethernet subinterface) and what value to use in both cases (for DM-VPN Tunnel interfaces, which serve many tunnels, and for Ethernet subinterfaces, which serve DM-VPN + VPN between hubs)? Per-tunnel bandwidth or total bandwidth, and what consequences would I have?
IMHO, I need not set any bandwidth, because I have shaping policies where I set the real bandwidth of the tunnel, plus in the case of DM-VPN tunnel interfaces it was written that when applying via an NHRP group, IOS understands it is meant per tunnel! Is this correct?
With hopes on your help.
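The steps Giuseppe outlined (mark on the LAN input, match the marks in a scheduler on the WAN side, wrap the scheduler in a shaping parent because queueing is not accepted directly on tunnels or subinterfaces, LLQ for voice) and the per-spoke NHRP-group application from the last post fit together in one configuration. What follows is an added worked example written for this thread, not the configuration of either participant or a Cisco sample; it assumes the ACLs QoS-HighPT, QoS-VoIP and QoS-LowPT from the first post already exist, a 2 Mbps hub-to-hub GRE/IPsec tunnel and 1 Mbps spoke circuits as stated above, and the interface names (Vlan1, Tunnel0, Tunnel1), DSCP values, class names, NHRP group name and the 256 kbps voice allowance (8 G.729 calls at the 32 kbps per call computed above) are my own assumptions.

```cisco
! ---- Step 1: mark on the LAN side, before GRE/IPsec hides the inner headers ----
! A marking-only policy carries no queueing action, so it goes straight on the SVI
! (or VLAN subinterface); no shaping parent is needed for it.
! Voice is classified by the thread's ACL only. Matching "ip dscp ef" coming from the
! LAN would let any host promote itself into the priority queue; only trust endpoint
! marks on a dedicated phone VLAN.
class-map match-all MARK-VOICE
 match access-group name QoS-VoIP
class-map match-all MARK-HIGH
 match access-group name QoS-HighPT
class-map match-all MARK-LOW
 match access-group name QoS-LowPT
!
policy-map MARK-LAN
 class MARK-VOICE
  set ip dscp ef
 class MARK-HIGH
  set ip dscp af31
 class MARK-LOW
  set ip dscp af11
 class class-default
  set ip dscp default
! class-default is re-marked to 0 on purpose: whatever DSCP a LAN host sets is erased.
!
interface Vlan1
 service-policy input MARK-LAN
!
! ---- Step 2: the scheduler matches the marks (the ToS byte is copied into the GRE and ----
! ---- ESP/AH headers, so the tunnel and WAN side still see them)                      ----
class-map match-all WAN-VOICE
 match ip dscp ef
class-map match-all WAN-HIGH
 match ip dscp af31
class-map match-all WAN-LOW
 match ip dscp af11
!
policy-map WAN-SCHED
 class WAN-VOICE
  priority 256
! LLQ: strict priority up to 256 kbps; under congestion the same value acts as a policer,
! so a misbehaving voice source cannot starve the other classes.
 class WAN-HIGH
  bandwidth percent 30
 class WAN-LOW
  bandwidth percent 10
 class class-default
  fair-queue
! Percentages are minimum guarantees under congestion and are borrowable when idle.
! class-default gets no bandwidth statement: it takes the remainder, flow-fair among
! its flows (ten file copies in one class share that class's share among themselves).
!
! ---- Step 3: shaping parents, one per circuit rate; the child is only accepted on a ----
! ---- tunnel or subinterface through a parent that shapes                           ----
policy-map SHAPE-1M
 class class-default
  shape average 1000000
  service-policy WAN-SCHED
policy-map SHAPE-2M
 class class-default
  shape average 2000000
  service-policy WAN-SCHED
!
! ---- Step 4a (hub): point-to-point GRE/IPsec tunnel to the other hub, 2 Mbps circuit ----
interface Tunnel1
 service-policy output SHAPE-2M
!
! ---- Step 4b (hub): DMVPN mGRE tunnel; IOS creates one SHAPE-1M instance per spoke ----
! ---- that announces the NHRP group, so the 1 Mbps is per spoke, not for the tunnel ----
interface Tunnel0
 ip nhrp map group SPOKE-1M service-policy output SHAPE-1M
!
! ---- Step 4c (spoke): announce the group to the hub and shape the spoke's own uplink ----
interface Tunnel0
 ip nhrp group SPOKE-1M
 service-policy output SHAPE-1M
```

In this layout the child's "bandwidth percent" values are computed from the parent's shaped rate, so the tunnel or subinterface "bandwidth" statement is not what the scheduler uses (it still matters for the OSPF metric). The QoS-VoIP ACL as posted matches only SIP signalling on 5060; the RTP media is what needs EF, so once the VoIP platform is chosen the voice class has to cover the RTP port range (or the NBAR "match protocol rtp audio" mentioned above, at the CPU cost noted). Verification is "show policy-map interface Tunnel0" on the hub, which lists one set of counters per spoke group; packets showing up in class-default that should be in WAN-VOICE or WAN-HIGH mean the LAN-side marking did not happen.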