
Head Office QOS Design Concern

Ladies & Gentlemen:

Can you please review the proposed attached QOS design file, and please provide your comment. I got two WAN Core Routers, dedicated for each Service Provider, and I also got two dedicated VPN termination routers. For branch connectivity to Head Office and vice versa, I am using IPSec transport mode with an encrypted GRE Tunnel (using EIGRP). Below is my QOS plan.

WAN Core Router - Apply "service-policy output" to the physical interface or subinterface (facing the PE)

VPN Termination Router - Apply "qos pre-classify" on Interface Tunnel Interface & Crypto map.

Hope to receive your comment and suggestion soon.

Thanks very much,

Arnold


Gregory Camp
Cisco Employee

Arnold,

The design seems sound. The only thing I am curious about is why you are configuring QoS pre-classify on the tunnel interface on the VPN router if you have no egress service-policy on that router?

Thanks,


Greg

Hi George,

Thanks for prompt reply, here's my plan, please make any suggestion on this

Data Center Switch - Traffic classification & marking for server traffic based on IP Address, then set its DSCP to the following:

High Priority Application = AF31

Low Priority Application = AF21 or AF11

Unclassified Traffic = Best Effort

Access Switches - Traffic classification & marking for RTP & Call/Control signalling traffic

RTP = EF

Call/Control Signalling = CS3

Core Switch - DSCP to Queue mapping

VPN Termination Router - Since classification and marking is not done here (done before entering the router), so no need to put a "qos pre-classify" on the tunnel interface and crypto map? Is this correct?

WAN Core Router = Service policy will be applied on the physical interface facing the PE Router

Note: by matching traffic from Data Center Switch & Access Switch based on its DSCP value

Any comment or suggestion on the above plan will be appreciated.

Regards,

Hi Gregory,

Hope you're doing well,

The reason why I am considering applying it on the VPN router Tunnel interface is that I want to have full control of the traffic going to the remote branch. Like for instance:

Head Office Classification.

RTP (Voice ) = 5mb/s

Critical Application = 5mb/s

Less Critical Application = 5mb/s

Best Effort = 5mb/s

Remote Office 1

RTP (Voice) = 256kb/s

Critical Application = 256kb/s

Less Critical Application = 256kb/s

Best Effort = 256kb/s

Remote Office 2

RTP (Voice) = 500kb/s

Critical Application = 500kb/s

Less Critical Application = 500kb/s

Unclassified = 500kb/s

If I apply "service-policy output" to the WAN Edge Router (HO) interface (facing PE), the Router in Head Office might send more than 1mb of RTP traffic, say for example to Remote Office 1, as per the example above where I allocate 5mb/s for RTP in HO, which if this happens can cause a huge amount of inbound traffic to Remote Office 1. Unlike in the VPN tunnel interface, where I have full control over what amount of bandwidth I will assign to a particular class going to its peer tunnel (remote office).

Regards,

Mohamed Sobair
Level 7

Your QoS design is OK, except that you don't (QoS pre-classify) because your IP packet is already classified before entering this router.

HTH

Mohamed

What's the best approach to apply "service-policy"? Is it in the VPN Termination Router Tunnel Interface or in the WAN Core Router?

Mohamed Sobair
Level 7

Arnold,

You should apply your QoS policy in the outbound direction on the Network Edge where your WAN link is terminated.

In this situation, it should be applied on the WAN routers not the VPN router.

HTH

Mohamed

Hi Mohamed,

The reason why I am considering applying it on the VPN router Tunnel interface is that I want to have full control of the traffic going to the remote branch.

Head Office Classification.

RTP (Voice ) = 5mb/s

Critical Application = 5mb/s

Less Critical Application = 5mb/s

Best Effort = 5mb/s

Remote Office 1

RTP (Voice) = 256kb/s

Critical Application = 256kb/s

Less Critical Application = 256kb/s

Best Effort = 256kb/s

Remote Office 2

RTP (Voice) = 500kb/s

Critical Application = 500kb/s

Less Critical Application = 500kb/s

Unclassified = 500kb/s

If I apply "service-policy output" to the WAN Edge Router interface (facing PE), the Router in Head Office might send more than 1mb of RTP traffic, say for example to Remote Office 1, as per the example above where I allocate 5mb/s for RTP in HO, which if it happens can cause inbound traffic to Remote Office 1 to be saturated. Unlike in the VPN tunnel interface, where I have full control over what amount of bandwidth I will assign to a particular class going to its peer tunnel (remote office).

Regards,
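
The per-tunnel allocation described in the post above, written out as IOS MQC configuration for the Remote Office 1 figures. This is an added example, not configuration posted by anyone in the thread. It assumes a platform that accepts a hierarchical service policy on a tunnel interface; the class-map, policy-map and interface names and the 1024 kb/s tunnel total (four classes of 256 kb/s) are assumptions.

```cisco
! Constructed example: all names below are hypothetical.
! Classes match the DSCP values marked upstream on the data center
! and access switches, as in the plan posted earlier in the thread.
class-map match-all RTP
 match dscp ef
class-map match-all CRITICAL-APP
 match dscp af31
class-map match-any LESS-CRITICAL-APP
 match dscp af21
 match dscp af11
!
! Child policy: Remote Office 1 figures from the thread (kb/s).
! CS3 signalling has no figure in the thread, so it falls into
! class-default here together with best-effort traffic.
policy-map RO1-CHILD
 class RTP
  ! Strict-priority queue, policed to 256 kb/s under congestion
  priority 256
 class CRITICAL-APP
  bandwidth 256
 class LESS-CRITICAL-APP
  bandwidth 256
 class class-default
  ! Best effort shares whatever the shaper leaves over
  fair-queue
!
! Parent policy: shape everything sent to this peer to the assumed
! tunnel total (bits per second) so the child queues see congestion
! at the remote office's rate, not the head office link rate.
policy-map RO1-PARENT
 class class-default
  shape average 1024000
  service-policy RO1-CHILD
!
interface Tunnel1
 description GRE tunnel to Remote Office 1 (hypothetical)
 service-policy output RO1-PARENT
```

Because the child classes match only on DSCP, and IOS copies the inner ToS byte to the GRE and IPsec outer headers by default, this policy classifies correctly without `qos pre-classify`.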
