Requesting help/review of my traffic prioritization by destination IP address

Talha Abbasi
Level 1

Dear colleagues,

I'm in the process of updating our Cisco router with some very simple traffic prioritization by destination IP, and wanted to ask if you could review my setup before I push it into production.

Current hardware is a Cisco 2611XM router running IOS 12.4 (ipbasek9-mz).

We want our internal users, when trying to reach a specific public IP, to get priority over all other data traffic. And at times when nobody is working with that specific IP, all other traffic should be able to use 100% of the bandwidth.

Please see if my config below is correct.

Step 1: Configure the access list

ip access-list extended Citrix
 permit ip any host <public IP>

Step 2: Configure the class-map and policy-map

class-map match-any Citrix
 match access-group name Citrix

!
!
policy-map Citrix_Prioritization
 class Citrix
  bandwidth percent 50
 class class-default
  fair-queue

Step 3: Assign the policy to the outside (WAN-facing) interface

service-policy output Citrix_Prioritization


Please let me know if I'm missing anything. I would like to confirm first before moving to production.

Many thanks for your guidance and support.

/Regards

15 Replies

ghostinthenet
Level 7

The ACL is pretty basic and the class-map, policy-map and service-policy settings all look good. I don't think you're missing anything if all you're looking to do is prioritize outbound traffic to that host.

Hi Jody,

Thank you for the response.

One more question: if I want to prioritize the traffic FROM that specific IP coming into the LAN as well, will assigning the policy (service-policy input Citrix_Prioritization) to the inside interface suffice?

Many thanks again.

/Regards

That one's more complicated.

You can prioritize outbound traffic because you have control of the transmission process. You don't have any real control over the inbound traffic in this sense and can only decide what you will accept and what you will drop. If you want to make sure that non-voice traffic is limited inbound, policing is your only real option.

That said, many connections these days are asymmetric and have much more inbound bandwidth than outbound, so it may not be as much of an issue. It depends on what kind of connection you have.

Hello again,

We have a dedicated symmetric link, 2 Mbps up and 2 Mbps down.

This traffic is all non-voice, going to (and from) Citrix.

/Regards

In that case, you can do something similar with an inbound service policy. Instead of assigning bandwidth to the Citrix class in the policy, you assign it with no options and then police the default class down to whatever bandwidth you want to give to scavenger traffic.

policy-map Citrix_Prioritization_in
 class Citrix
 class class-default
  police 256000 conform-action transmit exceed-action drop
!
service-policy input Citrix_Prioritization_in

Ah ok, so what we are saying is to police all other data (that is not Citrix) to a lower download speed on the inbound interface?

Sorry for all these questions, trying to learn this along the way.

That's exactly it. Allow the inbound Citrix traffic full use of the link and restrict anything else to a much lower level.

I did make one mistake on the previous post. If you're going to be using the same ACL to cover both inbound and outbound traffic, you need to make sure the following is added to your Citrix ACL:

permit ip host <public IP> any

Ok.  Will now just have to explain to the non-Citrix staff that their traffic coming in might get slowed down a bit.  =)

Lastly, is there a major difference between the commands bandwidth percent x and priority percent x when configuring the different policy options?

/regards

Keep in mind that when you police the non-Citrix traffic, its bandwidth will be limited all the time, including when unused by Citrix. Also, depending on the nature of the non-Citrix traffic, policing it won't guarantee Citrix the bandwidth it needs because the policing is upstream of the link. Ideally, what you want to do is deal with egress QoS on both sides of the link.

Yes, there's a huge difference between bandwidth percent and priority percent.

Good observation.

If at all possible, QoS at the egress is preferable. I was running under the (perhaps false) assumption that there is no ability to control the remote router's QoS policy.

If percent is going to be used (whether with priority or bandwidth) it is important to set the bandwidth of the WAN interface manually so that the policy is referencing the correct total. If a 2Mb symmetric connection is being used and percent is going to be used in the policy, a "bandwidth 2000" statement should be added to the interface. If this isn't done, the router will assume that the total bandwidth is the negotiated link speed.

Jody and Joseph, thank you for all the advice here.

Joseph, are you saying that I should change my outbound policy to "priority" instead of "bandwidth"?

We just want to ensure that when the outbound interface is saturated, requests going out to Citrix go out first, ahead of all other traffic. And...

Citrix-only traffic coming in, has priority over all other traffic.

Of course, if no one is using Citrix, we want all users to have the full bandwidth available equally for all other traffic.

This is my first time implementing something like this, so I really appreciate all this help.

Priority is for traffic that is time-sensitive (like voice payloads) and is used to ensure that these packets get to the front of the queue as quickly as possible. For something like Citrix, there's no need to use priority.

Inbound traffic can't be prioritized the way you're describing, so the only real way to handle it in an inbound direction is to police non-Citrix traffic down to a low rate. The downside is that non-Citrix traffic will not ever be allowed to exceed this rate.

If you control both ends of the connection, it is far better to implement an outbound policy on both ends and leave the inbound policy alone.
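To make the difference between the three actions discussed here concrete, the following is an added example, not code from the thread or from Cisco: a deliberately simplified fluid model, in Python, of how a 2 Mbps link divides bandwidth between the Citrix class and class-default under an outbound 'bandwidth percent 50', an outbound 'priority percent 50', and the inbound 'police 256000' on class-default. It assumes steady per-second offered loads in kbps, ignores packetization, queue depth and TCP back-off, and models the remote side (which the poster does not control) as plain FIFO sharing in proportion to offered load. The scenario loads are constructed, not measured.

```python
"""Simplified fluid model of the three MQC actions discussed in the thread."""

LINK_KBPS = 2000       # the poster's 2 Mbps symmetric link
SHARE_KBPS = 1000      # 'bandwidth percent 50' / 'priority percent 50' of 2000 kbps
POLICE_KBPS = 256      # 'police 256000' on class-default, inbound


def cbwfq(citrix, other, link=LINK_KBPS, guarantee=SHARE_KBPS):
    """Outbound 'bandwidth percent'. The guarantee only bites under congestion;
    whatever one class leaves unused is handed to the other."""
    if citrix + other <= link:
        return citrix, other                       # no queue builds, nothing to arbitrate
    c = min(citrix, max(guarantee, link - other))  # at least the guarantee, plus any slack
    return c, min(other, link - c)


def llq(citrix, other, link=LINK_KBPS, prio=SHARE_KBPS):
    """Outbound 'priority percent'. Served first, but policed to its percent while
    the interface is congested, so it can never starve class-default."""
    if citrix + other <= link:
        return citrix, other
    c = min(citrix, prio)
    return c, min(other, link - c)


def police_default_inbound(citrix, other, link=LINK_KBPS, cir=POLICE_KBPS):
    """Inbound 'police' on class-default. The remote side, which we do not control,
    has already filled the link; it is modelled here (an assumption of this example)
    as plain FIFO sharing in proportion to offered load. Dropping non-Citrix traffic
    above CIR afterwards frees nothing for Citrix on a link already crossed."""
    total = citrix + other
    if total > link:                               # upstream saturated: proportional share
        citrix, other = link * citrix / total, link * other / total
    return citrix, min(other, cir)


# Constructed per-second offered loads in kbps (citrix, other), not measurements.
SCENARIOS = {
    "citrix idle":  (0, 2000),
    "both heavy":   (1500, 1500),
    "citrix light": (500, 1800),
}


def run(scenarios=SCENARIOS):
    """Delivered (citrix, other) kbps per scenario for each of the three actions."""
    return {
        name: {
            "cbwfq": cbwfq(c, o),
            "llq": llq(c, o),
            "police_in": police_default_inbound(c, o),
        }
        for name, (c, o) in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in run().items():
        cells = "  ".join(f"{k}={v[0]:.0f}/{v[1]:.0f}" for k, v in result.items())
        print(f"{name:13} {cells}")
```

Reading the 'citrix idle' row shows the trade-off described above: both outbound actions hand the whole 2000 kbps to other traffic, while the inbound policer still holds it at 256 kbps. The 'both heavy' row shows why 'bandwidth' is sufficient for Citrix: under congestion CBWFQ and LLQ both deliver 1000/1000, and the priority policer in LLQ only engages when the interface is congested (an uncongested 1500/300 load passes untouched), whereas the inbound policer cannot give Citrix more than the share that already reached the WAN interface.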

Unfortunately, we have no control of the remote end.  Only our local router.

Thank you again.

If you want the full bandwidth of the connection to be available when Citrix is not in use, you'll want to avoid the inbound policing then. If you can't get an acceptable connection without doing that, then it's still an option.
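To catch the three pitfalls raised in this thread before pushing to production, the following is an added example, not the poster's configuration and not a Cisco tool: a small Python checker that reads an IOS-style config and flags a 'percent' bandwidth or priority action on an interface with no explicit 'bandwidth' statement, an ACL used by an input policy that has no source-specific entry (the missing 'permit ip host <public IP> any'), a 'priority' action, and a 'police' on class-default in an input policy, which caps non-Citrix traffic at all times. The embedded config is constructed from the thread's snippets; the interface name FastEthernet0/1 and the address 203.0.113.10 are placeholders for the unnamed WAN interface and the unstated Citrix public IP, and the parser assumes plain extended ACEs without sequence numbers or port qualifiers, as in the thread's ACL.

```python
import re

# Constructed sample, not the poster's running-config: the thread's snippets
# consolidated onto one interface. FastEthernet0/1 and 203.0.113.10 are
# placeholders for the unnamed WAN interface and the unstated Citrix public IP.
SAMPLE_CONFIG = """\
ip access-list extended Citrix
 permit ip any host 203.0.113.10
class-map match-any Citrix
 match access-group name Citrix
policy-map Citrix_Prioritization
 class Citrix
  bandwidth percent 50
 class class-default
  fair-queue
policy-map Citrix_Prioritization_in
 class Citrix
 class class-default
  police 256000 conform-action transmit exceed-action drop
interface FastEthernet0/1
 service-policy output Citrix_Prioritization
 service-policy input Citrix_Prioritization_in
"""

# Same config with the two fixes the replies asked for: the return-direction ACE
# for the inbound policy and an explicit interface bandwidth for 'percent'.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " permit ip any host 203.0.113.10\n",
    " permit ip any host 203.0.113.10\n permit ip host 203.0.113.10 any\n",
).replace("interface FastEthernet0/1\n", "interface FastEthernet0/1\n bandwidth 2000\n")

# action, protocol, source, destination; addresses are 'any', 'host A' or 'A WILDCARD'
ACE_RE = re.compile(r"(permit|deny) (\S+) (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)")


def parse_ios(config):
    """Split an IOS config into (header, [stripped indented lines]) sections."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def parse_ace(ace):
    """Return (action, proto, src, dst) for an extended ACE, or None for remarks."""
    m = ACE_RE.match(ace.strip())
    return m.groups() if m else None


def build_model(config):
    """Index ACLs, class-maps, policy-maps (class -> actions) and interfaces."""
    acls, cmaps, pmaps, ifaces = {}, {}, {}, {}
    for header, body in parse_ios(config):
        w = header.split()
        if w[:3] == ["ip", "access-list", "extended"]:
            acls[w[3]] = [a for a in map(parse_ace, body) if a]
        elif w[0] == "class-map":
            cmaps[w[-1]] = body
        elif w[0] == "policy-map":
            classes, cur = {}, None
            for line in body:
                if line.startswith("class "):
                    cur = line.split()[1]
                    classes[cur] = []
                elif cur is not None:
                    classes[cur].append(line)
            pmaps[w[1]] = classes
        elif w[0] == "interface":
            ifaces[w[1]] = body
    return acls, cmaps, pmaps, ifaces


def check_config(config):
    """Return (code, message) findings for every service-policy attachment."""
    acls, cmaps, pmaps, ifaces = build_model(config)
    out = []
    for ifname, lines in ifaces.items():
        has_bw = any(l.startswith("bandwidth ") for l in lines)
        for line in lines:
            m = re.match(r"service-policy (input|output) (\S+)$", line)
            if not m:
                continue
            direction, pname = m.groups()
            for cname, actions in pmaps.get(pname, {}).items():
                where = f"{ifname} {direction} {pname}/{cname}"
                for a in actions:
                    verb = a.split()[0]
                    if verb in ("bandwidth", "priority") and "percent" in a and not has_bw:
                        out.append(("NO-IFACE-BANDWIDTH", f"{where}: '{a}' but no 'bandwidth' on the interface"))
                    if verb == "priority":
                        out.append(("PRIORITY-CLASS", f"{where}: LLQ is meant for real-time traffic such as voice"))
                    if verb == "police" and cname == "class-default" and direction == "input":
                        out.append(("POLICE-DEFAULT-IN", f"{where}: caps non-Citrix traffic at all times, even when Citrix is idle"))
                # an output policy classifies on destination, an input policy on source
                field, what = (3, "destination") if direction == "output" else (2, "source")
                for mline in cmaps.get(cname, []):
                    am = re.match(r"match access-group name (\S+)$", mline)
                    if am and not any(ace[field] != "any" for ace in acls.get(am.group(1), []) if ace[0] == "permit"):
                        out.append(("ACL-DIRECTION", f"{where}: ACL {am.group(1)} has no {what}-specific permit entry"))
    return out


def finding_codes(config):
    """Sorted, de-duplicated finding codes, usable as a pre-change gate."""
    return sorted({code for code, _ in check_config(config)})
```

Run against the config as posted, finding_codes() reports ACL-DIRECTION, NO-IFACE-BANDWIDTH and POLICE-DEFAULT-IN; with the return ACE and 'bandwidth 2000' added, only POLICE-DEFAULT-IN remains, which is the permanent cap on non-Citrix inbound traffic that the replies above describe and that no config change removes while the inbound policer is in place.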
