I have been tasked with implementing QoS over some GRE tunnels that a client has in place.
To give a general idea of the setup,
Central (hub) Site - Cisco 2811 connected to a 2048kbps Internet leased line - This holds down three GRE IPSec Tunnels to three separate sites (spokes).
Each site is configured with a Cisco 1801 connected to an ADSL (estimated 8mb down, 800k up) link, which are obviously the endpoints for each of the three GRE IPSec tunnels.
2 of the sites mainly use Citrix traffic over the link back to the central site, whilst the third site is a larger branch office with their own Exchange Server, domain controller etc....
Most things performance-wise are fine - However there is a UNIX based terminal app hosted at the central site which performs very poorly to the larger branch office (there aren't enough Citrix Licenses to allow the branch office to use the Terminal based app over Citrix - So they are Telneting in directly to the server at the central site).
The larger branch office also sends the following over their Tunnel - smtp email, AD Replication, AD DNS etc....
So - I need to look at implementing some form of QoS on the network to hopefully improve the performance of the telnet based app in the first instance whilst not negatively impacting on the performance of all other apps.
I have some vague ideas about how to achieve this - but I just need some pointers to assist in achieving my goal.
For info the Tunnels are laid out in the following logical Interfaces
Serial0/0/0 - Connected to the 2mb leased Line
Tunnel0 - Goes to the large Branch Office
Tunnel1 - Goes to small citrix based site
Tunnel2 - Goes to the second small citrix based site
All remote sites use logical interface Tunnel0 back to their respective Tunnel at the central site
I have enabled qos pre-classify on the GRE tunnels and crypto maps; from what I have read, it would be the best starting point.
I will try and post some config snippets from the devices if this info is needed.
As you can probably guess - I'm quite new to QoS!! (the books are on order ;-)
First thing you want to identify is where your bottlenecks are. From your description, for outbound from hub to spokes, your bottleneck is the hub's physical 2 Mbps interface, since each spoke can accept 8 Mbps. I.e. so you'll want QoS there.
For inbound, each spoke will bottleneck at the 800 Kbps. (NB: you have a second possible bottleneck, the hub's 2 Mbps inbound, since the aggregate of 3 sites at 800 Kbps could be up to 2.4 Mbps. Assuming typical asymmetric hub/spoke traffic, and the small oversubscription of 400 Kbps, I doubt it will be an issue. But if it is, shape the aggregate of your 3 sites not to exceed 2 Mbps.) Also for your spokes, assuming the ADSL is an Ethernet interface, we'll need to shape to the uplink speed.
Although we could make a very advanced QoS policy, simple is nice if it works. In this case, if we can implement FQ and/or WFQ, we may be able to avoid complex QoS.
For the spokes, see if you can implement a shaper for 800 Kbps on the outbound tunnel. Something like:
interface tunnel #
!shape for 800 Kbps
For the hub, since there are multiple tunnels, we need to do something at the physical interface. Try this:
interface tunnel 0
interface tunnel 1
interface tunnel 2
or for the serial, instead of fair-queue, try
service-policy output CBWFQ
Assuming the above works, but we want even better treatment for Citrix and/or Telnet, you might next (additionally) try something like.
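The shaping and fair-queue steps described in this answer could look like the following on IOS. This is an added example, not the poster's original configuration: the policy-map names FQ-CHILD and SHAPE-800K are hypothetical, while CBWFQ, the interface names, the 800 Kbps rate and qos pre-classify come from the thread.

```ios
! ---- Spoke (Cisco 1801) ----
! Child policy: flow-based fair queueing inside the shaper, so an
! interactive Telnet flow is not stuck behind bulk SMTP/AD replication.
policy-map FQ-CHILD
 class class-default
  fair-queue
!
! Parent policy: shape to the estimated ADSL uplink. GRE/IPsec and ADSL
! overhead are added after this shaper, so a lower value may be needed
! in practice (assumption: 800000 bps is the figure from the question).
policy-map SHAPE-800K
 class class-default
  shape average 800000
  service-policy FQ-CHILD
!
interface Tunnel0
 ! Classify on the inner (pre-encapsulation) headers
 qos pre-classify
 service-policy output SHAPE-800K
!
! ---- Hub (Cisco 2811) ----
! All three tunnels leave through the 2 Mbps serial, so queueing is
! applied on the physical interface. Without qos pre-classify the
! encrypted traffic to each spoke would look like a single flow.
policy-map CBWFQ
 class class-default
  fair-queue
!
interface Tunnel0
 qos pre-classify
interface Tunnel1
 qos pre-classify
interface Tunnel2
 qos pre-classify
!
interface Serial0/0/0
 service-policy output CBWFQ
```

`show policy-map interface Tunnel0` on a spoke and `show policy-map interface Serial0/0/0` on the hub report shaper activity and per-class drops, which confirms whether the policy is actually engaging at the bottleneck.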