I've attached a diagram for this question.
The 2800 series is our primary router, and the Netgate appliance is a cellular-based appliance. When the 2800 serial interface goes down, I have a floating route that kicks in and moves traffic to the Netgate. We have external devices that connect to this site and transmit traffic. This traffic would need to be prioritized over everything else, but management doesn't want to block any traffic outbound. I've thought about using EEM and QoS, but I'm not sure where to apply a policy-map for QoS. Would a standard QoS policy work outbound on the inside interface of the 2811, or would I need to do something different?
Priority Queuing needs to be configured outbound towards the internet cloud as that's where congestion may occur.
You won't have congestion on the switch facing internal interface.
In this situation, the serial side would be down. The traffic would enter from the cloud side on the Netgate to the 2800 and then to the LAN. The return traffic would hit the 2800, see that the serial side is down, and the router would send it back out the ethernet interface to the Netgate and back out. The Netgate is only used when the link to the ISP is down on the 2800. That's why I'm wondering if I should place a policy outbound on the ethernet side.
*** Edit ***
I reread what you said... so, here's what I need:
What's the best way of prioritizing traffic on the ethernet side that would give very high priority to these mobile devices even when congestion doesn't occur? Shaping could be an option if I could get management's approval for shaping outbound from the site by placing inbound on the LAN side. The VPN devices would be on a definitive subnet, so I could shape everything that doesn't match the VPN or the server that they go to. Is that the best option?
Your diagram does not show the 2800 in the traffic path going towards the NetGate device. It shows both devices in parallel.
If you want to prioritize traffic from the 2800 to the NetGate, then you can do so.
However, as you stated, if there isn't any congestion, what's the point?
The congestion will most likely occur at the NetGate so the priority configuration on the 2800 will buy you nothing.
Is this QoS towards the internet or private lines?
I only want to prioritize because the cell signal can't handle 200 users at a site. I'm not allowed to block the traffic, but I should be able to throttle the non-essential traffic. I've attached another diagram giving a little more detail. We peer with our ISP using BGP. The Netgate device doesn't run BGP, but the ISP injects the static routes into our BGP table to the Netgate device. When our 2800 goes down, the Netgate starts routing for the inside traffic. The remote users use handheld devices that VPN into the network and transmit data to their servers. These devices need to have 99.9999% uptime. If the 2800 circuit dies, the router starts forwarding all outbound traffic to the Netgate via the floating static.
Okay, so in essence, the Netgate becomes my router, but I can't control anything through it. So, let's say I have an EEM policy that runs and applies a policy-map to the inside interface when the serial side goes down. I would *assume* that I would put it outbound on the inside interface since the traffic will still hit the ethernet side, but it's also going to come out the ethernet interface and toward the Netgate. If I had a policy-map that shaped all default traffic to 512 Kb, and then prioritized the handhelds to have a minimum amount of the bandwidth, would that work, or do I also need to do something inbound on the ethernet side with a policy too?
I still don't see the router in the traffic path towards the NetGate but I see you have included some routing information.
The router will send an ICMP redirect to the hosts when the serial is down, and the hosts will send subsequent packets to the NetGate.
More information can be found on this URL http://en.wikipedia.org/wiki/ICMP_Redirect_Message
Applying QoS on the router will buy you nothing. The NetGate needs the QoS information to handle the exceeded traffic.
"I still don't see the router in the traffic path towards the NetGate"
The Netgate and router connect to the same switch. The traffic only goes to the Netgate when the router serial side is down, so the path (after the serial is down on the router) is:
PC -> Switch -> Router -> send traffic to Netgate -> Out
Maybe I'm not understanding what you're looking for in particular? I have redirects disabled on the router, so it would route every time. Would QoS still do no good? The only other thing that I could think of is to allow all traffic and chance it when the Netgate goes down.
Congestion Avoidance features should be applied whenever you have a point of congestion.
Your point of congestion is not the ethernet interface on the 2800 facing your LAN.
Your point of congestion is the NetGate cellular interface.
If management is demanding quality of service, you must get a device that provides you such service.
I don't see how applying PQ on egress in the 2800 will get you PQ when it gets to the NetGate.
You may shape down all flows when the serial goes down but this definitely is a very ugly solution.
What type of switch do you have connecting the NetGate?
You can enable QoS on the switch and PQ on egress towards the NetGate.
Make sure you classify the intended PQ traffic and you can use SRR or WRR for the remaining traffic and shape accordingly.
But again, PQ at the switch won't buy you much since the congestion will occur at the NetGate not the switch.
I recommend limiting the egress bandwidth from the switch to the NetGate to the speed the NetGate supports.
Is the other interface on the 2800 being used? Connect the cellular appliance to the other interface and apply QoS outbound there. Set the interface bandwidth to a lower value. It's not the perfect solution, but it could work. Ideally, the Netgate could do the QoS, but that may not be possible. By setting the bandwidth value on the 2800, you could theoretically make the router THINK there's congestion at the router and make the router do the QoS to throttle the traffic going to the Netgate.
Could look something like this:

    ! Interface names, the class name and the bandwidth value are assumptions
    ! added to fill in the stanzas the post omitted; the addresses, route and
    ! policy actions are the poster's own.
    interface FastEthernet0/0
     description LAN
     ip address 192.168.1.1 255.255.255.0
    !
    interface FastEthernet0/1
     description connection to cellular appliance
     ! value in kbps is a placeholder; set it to the cellular uplink rate
     bandwidth 1536
     ip address 192.168.2.1 255.255.255.252
     service-policy output qos
    !
    ! floating static, AD 254: used only while the serial route is gone
    ip route 0.0.0.0 0.0.0.0 192.168.2.2 254
    !
    policy-map qos
     class handhelds
      priority percent 50
     class class-default
      shape average percent 20
Hope to Help!
The bandwidth interface command won't cause the router to think there is congestion if it goes after the preset value.
The bandwidth interface command is used for routing protocols to compute their metrics and for QoS when using percentage calculations.
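A hierarchical (parent shaper, child priority queue) configuration that achieves what the reply above is after, as an added example that is not part of this thread. It assumes a 2811 with the Netgate on a dedicated FastEthernet0/1, a handheld VPN subnet of 10.10.50.0/24 and a cellular uplink of 1.5 Mbit/s; all three are placeholder values.

```cisco
! Added example; interface names, subnet and rate are assumed placeholders.
! Classify the handheld VPN traffic in both directions by its subnet.
ip access-list extended HANDHELD-VPN
 permit ip 10.10.50.0 0.0.0.255 any
 permit ip any 10.10.50.0 0.0.0.255
!
class-map match-any HANDHELDS
 match access-group name HANDHELD-VPN
!
! Child policy: the handhelds get a low-latency queue with up to half of the
! parent rate; everything else is queued fairly, nothing is dropped by policy.
policy-map CELL-CHILD
 class HANDHELDS
  priority percent 50
 class class-default
  fair-queue
!
! Parent policy: the shaper, not the 'bandwidth' command, is what creates a
! congestion point on the router. Shaping to the cellular uplink rate makes
! the queue form here, where it can be prioritized, instead of in the Netgate.
policy-map CELL-PARENT
 class class-default
  shape average 1536000
  service-policy CELL-CHILD
!
interface FastEthernet0/1
 description connection to cellular appliance
 ip address 192.168.2.1 255.255.255.252
 service-policy output CELL-PARENT
!
! Floating static (AD 254): traffic reaches this interface only while the
! serial route is absent, so the policy can stay attached permanently.
ip route 0.0.0.0 0.0.0.0 192.168.2.2 254
```

Check the queue behaviour with show policy-map interface FastEthernet0/1 while the serial is down; if the Netgate has to share the LAN interface instead, the same parent policy can be attached from an EEM applet keyed to a serial line-protocol track, but it then also shapes the Netgate-to-LAN return traffic that leaves that interface.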