Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

CBWFQ - Antivirus Traffic


We are currently running CBWFQ with the below policy in place. One of the goals behind the policy was to try and create a less-than best-effort (BULK-DATA) class to put AV traffic into. The AV traffic is being marked appropriately and is hitting the below policy, however it does not appear to be working as effectively as I had hoped. The issue is, when a client at a remote site gets a full AV update (50-70MB) it uses up the whole link and users complain that the network is slow.  I understand this is a big BW discrepency and large file, but was hoping that CBWFQ could help this situation out by giving it only 5% and enabling WRED.

The AV updates comes from our Data Center (100MB connection to the WAN) and goes to remote sites (mostly T1).

We tested this out in the lab by transffering (2) 50MB files, one unmarked (DSCP 0 - Default Class) the other marked AF11 - BULK-DATA class. In the testing the defualt traffic always completed much faster, my reasoning was because default-class has 25% of the BW (5:1 ratio). However, this does not seem to be working like this in the real world, in other words once the AV update starts everything else slows to a halt and BE traffic does not appear to transmitted at 5:1. Also, there are only 2 classes being marked/matched at this time DEFAULT and BULK-DATA.

I guess my first question is, am I expecting too much out of QoS for this situation since we have a large access-rate discrepency between our DC's and remote sites (100Mb-> 1.5Mb) along with transferring a large file.

The second one is, how are others handling this? We have thought about just policing the traffic, but there are some challenges with that due to the amount of sites and MPLS connectivity.

Lastly, what am I missing? Based on the testing I would expect the 5:1 transfer for BE traffic over AV traffic. Is this not occuring becuase the input queues are overwhelmed for that interface, etc...?


policy-map Outbound-To-WAN
  bandwidth percent 40
  random-detect dscp-based
  bandwidth percent 5
  random-detect dscp-based
  bandwidth percent 2
  bandwidth percent 2
  bandwidth percent 1
  bandwidth percent 25
  random-detect dscp-based
class class-default
  set dscp default

Everyone's tags (3)

Re: CBWFQ - Antivirus Traffic


The big problem here is, when will the policy-map kick in. The answer of that is, when the output interface is congested.

This will not happens when You have the speed discrepancy. You have to get it to kick-in via another way.

Nestled policy-maps is the way to go forward. Create a class-map for each remote-side.

shape the traffic to the actual speed. Be aware of that any layer2 information will not be calculated, so make room for the layer2 headers.

This way, when traffic exceeds 1,4M your original policy-map is called

access-list 101 permit < something unique to office 1 >

access-list 102 permit < something unique to office 2 >

class-map  remote-office1

match access-list 101

class-map  remote-office2

match access-list 102

policy-map remote-officies

class remote-office1
shape average 1400000

service-policy policy-map Outbound-To-WAN
class remote-office2
shape average 1400000

service-policy policy-map Outbound-To-WAN

You maybe have to tweak a little on the 1400000 to make it work.

This example is from my memory so syntax can be wrong


New Member

CBWFQ - Antivirus Traffic

Hi j.shrewsbury or anyone

Did you ever fix this? Curious to know what you did.