I'm hoping someone can help by sharing feedback in relation to choosing the appropriate QoS feature to apply to traffic on our internet link.
I need to make sure that at any one time during congestion there is enough capacity, say about 2mbps, for video traffic (rtsp, quicktime) and voice traffic reserved; so that even if other applications run then video conferencing with third parties over the internet during congestion will not get affected.
I'm not sure whether I need to mark/classify the packets to provide priority for these to leave the network on the internet router, or if simply reserving 2mbps for this type of traffic is enough?
I'm aware that once the packets leave the internet router and enter the internet the marking on the packets will not take effect any more, so in this case what would happen to video traffic on the way back? Can I mark the packets as they enter our internet router again?
Can anyone please help clarify this?
On most Cisco routers, outbound traffic can be easily configured to treat traffic as needed or desired. I.e., it's generally not difficult to ensure your video and voice traffic isn't adversely impacted by other traffic.
For inbound, ideally we want to manage the other side's outbound. When this isn't possible, it's very difficult, to impossible, to guarantee certain traffic certain performance.
If you have critical traffic that needs guaranteed service across the Internet, although the Internet itself won't allow a true guarantee, what often works well is using Internet links that don't intentionally use their link for "normal" Internet traffic, but only for site-to-site traffic across the Internet. (If you also need "normal" Internet access, use a separate link.)
Yes you should normally be able to mark inbound traffic.
So in my internet router can I reserve bandwidth for video/voice applications? The idea is to use the internet link more efficiently; I don't care what will happen to the packets once they leave our edge (internet) router as long as video applications will be ensured at least 3Mbps of the total bandwidth.
Will this be possible using class based policing and MQC?
For outbound, you can "reserve" 3 Mbps of bandwidth for video; no need to police.
class-map match-all yourVideo
 match ... (your video classification; not shown in the post)
policy-map InternetOut
 class yourVideo
  bandwidth 3000
 class class-default
  bandwidth (75% total bandwidth - 3 Mbps)
!your Internet interface
 service-policy output InternetOut
Inbound isn't so easy. You might think you can police (total bandwidth - 3 Mbps) other traffic to guarantee bandwidth for your video, but policing won't throttle most non-TCP traffic, and even for TCP, since the policing is downstream of the link, TCP can burst above the policed rate (i.e. not leave the bandwidth for the video traffic).
Thanks for your response the other day.
What are your thoughts about these two configurations:
service-policy output traffic-out
Which is a modification of yours, plus the shaping feature; in order to shape all traffic to total 5Mbps and guaranteeing 1mbps to video traffic.
class-map match-all web-out
 match ... (your HTTP traffic; not shown in the post)
policy-map lan-traffic
 class web-out
  police cir percent 75
   exceed-action set-dscp-transmit cs1
!LAN-facing interface
 service-policy output lan-traffic
As the majority of traffic is http, I think this policing-based QoS feature will help conserve bandwidth on the internet connection.
Appreciate your help,
Shaping for inbound in your first config won't preclude much if any congestion for inbound.
Policing for inbound on the LAN facing interface is probably much too high, if the percentage is based on the LAN's interface, and could impact traffic egressing the interface that's not from the WAN (although yours is probably one-to-one).
You can either police inbound on the WAN facing interface and/or shape outbound ACKs. These both work, but they don't provide precise results.
I'm a bit confused; let me start again with a brief description of the network to configure QoS.
The WAN configuration is based on a hub and spoke topology with 5 sites.
The access switches are Catalyst4507s, with auto qos enabled.
The WAN routers in 4 sites are a mixture of Cisco 1841 and 2801.
The WAN router at the central site is a Cisco 2801.
The links from the head site to the other sites are ethernet tails.
The internet connection is managed from the head office via an ASA 5500 series firewall and a 2801 router, which is managed by us and connects us to the internet service provider by an ethernet service.
Mainly I need to give priority to video and voip traffic on the WAN and need to get a more efficient use of our internet link.
Based on this configuration what will be the best option to configure QoS on the routers?
In the internet router how do I determine in which interface I apply the policy and in which direction?
Thanks again for your input.
"Based on this configuration what will be the best option to configure QoS on the routers? "
Outbound CBWFQ policy on WAN egress interfaces. Using classes that match traffic of interest, you guarantee the necessary (for that traffic) bandwidth.
If your WAN interfaces are Ethernet handoffs, your policy should also shape for the available bandwidth.
If traffic is real-time, e.g. VoIP, use an LLQ (priority) class.
If the WAN supports multipoint across the interface, it's much more complex to deal with. How to depends on technology and topology.
If your AutoQoS is marking packets correctly, you can match on the markings.
"In the internet router how do i determine in which interface i apply the policy and in which direction? "
As above, for egress. Ingress is difficult. Ideal for ingress is far side egress. On most Cisco devices, the best you might accomplish is to police some ingress traffic or shape egress ACKs. 3rd party QoS devices usually offer some additional features; especially useful for ingress.
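As an added illustration of the egress recommendation above (this is not configuration from the thread or from Cisco documentation), here is a complete IOS MQC policy for one hub-router Ethernet tail. Every specific is an assumption: a 10 Mbps tail on FastEthernet0/1, voice marked EF and video marked AF41 by the AutoQoS switches, 1 Mbps of strict priority for voice and a 3 Mbps guarantee for video.

```cisco
! Assumed: 10 Mbps Ethernet tail on fa0/1; switches already mark voice EF
! and video AF41 (the marks are assumptions, check what your AutoQoS sets).
class-map match-any VOICE
 match dscp ef
class-map match-any VIDEO
 match dscp af41 af42 af43
!
! Child policy: the queueing decisions. They only take effect once the
! parent shaper below is congested. Voice gets a strict-priority queue
! capped at 1 Mbps, so a misbehaving voice flow cannot starve the rest;
! video gets a 3 Mbps CBWFQ guarantee; everything else shares fairly.
policy-map WAN-QUEUE
 class VOICE
  priority 1000
 class VIDEO
  bandwidth 3000
 class class-default
  fair-queue
!
! Parent policy: shape to the contracted tail rate. A 100 Mbps Ethernet
! handoff never congests by itself, so without this shaper the child
! queues never engage and the provider drops excess traffic unordered.
policy-map WAN-SHAPE
 class class-default
  shape average 10000000
  service-policy WAN-QUEUE
!
interface FastEthernet0/1
 description Ethernet tail to one remote site (assumed)
 service-policy output WAN-SHAPE
```

Two things to check after applying it: the sum of priority and bandwidth reservations must stay within the reservable share of the shaped rate (75% by default on these platforms), and show policy-map interface FastEthernet0/1 should show the VOICE and VIDEO counters moving and drops, if any, landing in class-default rather than in the guaranteed classes. The same parent/child structure applies to the Internet-facing interface, with the shaper set to the Internet service rate.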
>>"If the WAN supports multipoint across the interface, much more complex to deal with. How to, depends on technology and topology."<<
What do you mean by multipoint across the interface?
>>"As, above, for egress"<<
So does this mean, Outbound CBWFQ policy on internet router egress interface?
>>"On most Cisco devices, best you might accomplish is police some ingress traffic or shape egress ACKs"<<
In which interface of the router do you mean? The one facing the internet or the one facing the WAN ? (the internet router has two interfaces, fa0/0 connecting to the ISP and fa0/1 connecting to the Firewall in our network)
Also what does the acronym "ACKs" mean?
Thanks a million for your help.
"what do you mean by multipoint across the interface? "
More than one other site can be contacted across the link. Dedicated serial links are usually point-to-point. "Cloud" WANs, e.g. might not be point-to-point.
"So does this mean, Outbound CBWFQ policy on internet router egress interface? "
Yes, as often WAN egress is slower than LAN side so congestion often forms there.
"In which interface of the router do you mean? The one facing the internet or the one facing the WAN ? "
Facing the Internet (or WAN). (From your description, FA0/0 - i.e. facing your ISP.)
"Also what does the acronym "ACKs" mean?"
ACK is short for acknowledgement. (Used to notify sender TCP packet successfully received.)
Well, the remote sites can only contact the main site not the other sites.
So in conclusion or as a summary to our discussion are these the right points to consider to enable QoS in my network? (I want to make sure I have understood your recommendations)
For the WAN links:
- Outbound traffic: CBWFQ on the WAN routers egress interfaces and shape ACKs.
- Inbound traffic: depends on the main site's egress, as each site in the WAN only communicates with the main site, not among each other.
For the Internet link at the main site:
- Outbound traffic: CBWFQ on the internet router egress interface & shaping ACKs.
- Inbound traffic: policing ingress.
Thanks heaps again.
"Well, the remote sites can only contact the main site not the other sites."
That's fine also assuming they don't share a main site link. I.e., each remote site has its own link interface at the main site.
Inbound policing and/or outbound ACK shaping are options when you cannot perform egress QoS on the remote side (e.g. Internet). Normally you shouldn't need to use these techniques for WAN links. When and if they are used, they are not precise, nor do they handle situations that can be handled with egress QoS.
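The two inbound techniques named in this thread for the Internet link (police some ingress traffic, shape egress ACKs), written out as an added example for the Internet router described earlier; this is not configuration from the thread or from Cisco documentation. Assumptions: FastEthernet0/0 faces the ISP, the service is 10 Mbps, 3 Mbps is to be kept clear for video and voice (identified here by EF/AF4x marks or RTSP), and the policer and shaper rates below are starting points, not measured values.

```cisco
! Assumed: 10 Mbps Internet service on fa0/0 (to ISP); 3 Mbps kept for
! video/voice. Both mechanisms are indirect: the drops or delayed ACKs
! only slow remote TCP senders, and do little for UDP sources, as noted
! earlier in the thread.
class-map match-any VIDEO-VOICE
 match dscp ef af41 af42 af43
 match protocol rtsp
!
! 1) Inbound policer on the Internet-facing interface: other traffic
!    above 7 Mbps is dropped so it cannot fill the link. Video/voice is
!    listed first with no action, so it is never policed.
policy-map INET-IN
 class VIDEO-VOICE
 class class-default
  police cir 7000000
   conform-action transmit
   exceed-action drop
!
! 2) Egress shaping of pure TCP ACKs. A remote sender paces itself on the
!    ACKs we return, so rate-limiting them slows downloads at the source.
!    A pure ACK has the ACK flag set and no payload; the packet-length
!    match (IP + TCP headers, with or without options) keeps data-carrying
!    segments, which also have ACK set, out of the class.
ip access-list extended TCP-ACK-ONLY
 permit tcp any any ack
!
class-map match-all TCP-ACKS
 match access-group name TCP-ACK-ONLY
 match packet length min 40 max 64
!
policy-map INET-OUT
 class VIDEO-VOICE
  bandwidth 3000
 class TCP-ACKS
  shape average 128000
 class class-default
  fair-queue
!
interface FastEthernet0/0
 description To ISP (interface from the thread; rates assumed)
 service-policy input INET-IN
 service-policy output INET-OUT
```

The ACK shaper rate is rough arithmetic, not a guarantee: with one 52-byte ACK per two 1460-byte segments (delayed ACKs with timestamps), 128 kbps of ACKs corresponds to about 7 Mbps of inbound data, but senders that ACK every segment or use different segment sizes shift that ratio, so measure and adjust. If the Ethernet handoff is faster than the 10 Mbps service, wrap INET-OUT in a parent shaper as for the WAN tail; otherwise the bandwidth guarantee never engages.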
>>"That's fine also assuming they don't share a main site link. I.e., each remote site has it's own link interface at the main site. "<<
That is not the case here, as there is only one link interface at the main site. Each site connects to our supplier's cloud so in a sense the remote sites share the main site's interface link.
"not the case" and "supplier's cloud"
How many physical links does the main site have, one per remote site or one to a cloud? If there's but one, you can have bandwidth oversubscription for that shared link and that makes for a different kind of QoS problem.
The main site has one physical link to our IP WAN supplier's cloud. I've checked with the supplier and they confirmed they provide a dynamic QoS service, which enables traffic classified by us to be prioritised through the IP WAN and queued to our router in a manner appropriate to ensure priority traffic flow (egress queuing).
Traffic marked with the following classifications will be prioritised to provide the QoS parameters for the matching traffic type: (I'm only showing 3 classes but the supplier follows a 6-class model)
* Multimedia: ToS: 5,6,7; DSCP: 40, 46, 48, 56; PHB: EF, CS5, CS6, CS7; Queuing: Priority/LLQ; BW%: 100
* Mission critical data: ToS: 4; DSCP: 32, 34, 36, 38; PHB: AF4x, CS4; Queuing: CBWFQ; BW%: 40
* Data Transfer: ToS: 1; DSCP: 8, 10, 12, 14; PHB: AF1x, CS1; Queuing: CBWFQ; BW%: 10
So in this case classification and marking, Traffic shaping and egress queuing based on subscribed rate are supported on the IP WAN. However this is not the case in the internet link...
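To put the supplier's table to use, here is an added example (not the supplier's or the thread's configuration) of a marking policy on the LAN-facing interface of the main-site router, so that traffic enters the IP WAN carrying the DSCP values the supplier's classes match on, and so that nothing else can claim the supplier's priority queue by arriving with its own marks. Assumed: FastEthernet0/1 faces the firewall/LAN, NBAR is available on the 2801 for the protocol matches, voice RTP maps to EF (Multimedia), video conferencing to AF41 (Mission critical data) and FTP to AF11 (Data Transfer).

```cisco
! Assumed: fa0/1 faces the firewall/LAN and is the marking trust boundary.
! Marks follow the supplier's published classes on this page:
!   voice RTP          -> EF   (Multimedia, priority queue)
!   video conferencing -> AF41 (Mission critical data, 40%)
!   bulk FTP           -> AF11 (Data Transfer, 10%)
!   everything else    -> default (0)
! CS6/CS7 are left to routing and control traffic and never set here.
class-map match-any VOICE-BEARER
 match protocol rtp audio
class-map match-any VIDEO-CONF
 match protocol rtsp
 match protocol rtp video
class-map match-any BULK
 match protocol ftp
!
policy-map LAN-IN-MARK
 class VOICE-BEARER
  set dscp ef
 class VIDEO-CONF
  set dscp af41
 class BULK
  set dscp af11
 class class-default
  set dscp default
!
interface FastEthernet0/1
 description LAN side (assumed); rewrite all marks on the way in
 service-policy input LAN-IN-MARK
```

Rewriting class-default to DSCP 0 is the point of the trust boundary: a host that sets EF or CS5 on its own packets would otherwise ride the supplier's 100% priority class ahead of your voice. Whether video belongs in AF41 or in the Multimedia class as CS5 is a choice to agree with the supplier; the egress queueing policy on the cloud-facing interface then matches on these same DSCP values, with priority for EF and bandwidth percent 40 and 10 for the AF4x and AF1x classes, mirroring how the provider will queue it.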