Hi, I want to add QoS on my network, my set up is:
LAN > Pix 515 > Cisco 3750 VLAN > Cisco 2600 Internet router.
I have no QoS running anywhere. My ISP looks after my Cisco 2600, but I know there is no QoS on it. My Pix is running version 7.x.
I have noticed that http takes all the bandwidth at times of the day and wondered if I could give it say 2mb of our 10mb line and let our VPN's have 4mb, 3mb http/https and ftp 1mb. Can is be done like this?
I just hate it when http goes up to 10mb then email and VPN's suffer and just wondered what options I have as this is new to me.
I'm not 100% sure which the interface you are using with ISP. If the interface can know congestion when it went to 10 Mbps then you can use CBWFQ to confine the traffics that you want to when congestion occured.
let's say you connect to ISP with the fastethernet interface you can manually configure the interface to 10Mbps.
IMHO If you may need to constrain the rate of all traffics all the time I thought that you should use the police method.
One thing when you use policing if the traffics go beyond the threshold then it will drop the remaining packets by default.
So maybe you need to use shaping and/or nested policy to do if you concern about dropping packets.
Hopes that helps.
You can do much to traffic with QoS but it's usually only effective if you can control both directions at the bottlenecks. If you're ISP is unwilling, many are (they'll often suggest you just buy more bandwidth), then discussing how to accomplish what you desire, alas, would be academic.
There is merit to what other posters are suggesting concerning using policers or shapers, but some other caveats if you do.
Using a policer or shaper somewhere "downstream" from the actual bottleneck might help some. The more the traffic is limited relative to the "upstream" bottleneck the more effective it tends to be. E.g. if your bottleneck bandwidth is 10 Mbps, and FTP is using all this bandwidth, downstream limiting it to 1 Mbps on a 100 Mbps connection will likely help but it you limit FTP to 9 Mbps, you're unlikely to see any benefit.
Note that individual traffic policers or shapers will also keep that traffic from taking advantage of excess available bandwidth.
The best solution is like what Slidersv is suggesting on the interface to the ISP, CBWFQ. (You wouldn't need the shaper part if the physical interface is limited to its actual bandwidth.)
Doing what is suggested the on your internal facing interface will be less effective because you're now likely downstream of the physical bottleneck. You really want to place it on the ISP side of the WAN link. (Again, you wouldn't need the shaper part if the physical interface is limited to its actual bandwidth.)
I assume from your original post, you have no direct control over the 2600's QoS config. But you could discuss these ideas with your ISP.
Assuming your ISP is unwilling to change anything, and you are unable to change the 2600, you can do something similar to what Slidersv suggested outbound on either the PIX or 3750 (I'm unfamiliar with PIX features; a non ME 3750 is feature limited). Again, inbound, where you're now downstream of the bottleneck, doing policing or shaping effectively often requires severe policing or shaping bandwidth restrictions.
You could also set up traffic policing policing on the PIX, see http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/mpc.html#wp1061027
In this case on PIX you can police (cut the rate) of the traffic only. On 2600 router you can implement detailed QoS exactly to your specifications.
e.g. Create a shaper for 10Mbps, and in that shaper defines the rules that you want.
But you need access to the 2600 router.
Here is a policy, which you need to adjust a bit to implement what you need:
ip access-list extended VPN
permit tcp any any VPN_PORTS (depends what VPN are you running)
ip access-list extended HTTPS
permit tcp any any eq 443
permit tcp any any eq 80
ip access-list extended FTP
permit tcp any any eq 20 21
match access-group VPN
match access-group HTTP
match access-group FTP
bandwidth percent 40
bandwidth percent 30
bandwidth percent 10
shape average 10000000
service-policy output SHAPER
service-policy output SHAPER
You can possibly have problems with FTP, since it opens dynamic ports in 1024+ range after the session is established. You could use NBAR for that.
Also, you need to know what VPN are you running, if it's TCP od UDP VPN, or is it HTTPS VPN, and so on. Again NBAR might help.
So this is a high level design. You need to QoS traffic in BOTH DIRECTIONS, that's why i put it on both interfaces. Also, shaper is implemented, because interface speed is usually different thatn the actual speed.
I increased the limit of reservable bandwidth from 75 to 80 for map to be compatible on IOS, but with the CBWFQ mewchanics this has no practical effect because of how the algorithm works.
Hope this helps
I asked our ISP about QoS and they dont do it on our service, somthing about they only do on their MPLS networks so they control both ends of the traffic. So I have few option to control inbound and outbound traffic. Is packeteer shaper expensive and where would it sit? I assume between the Pix and Cisco 2600 or on the outside interface of the router?
We are upgrading to a ASA 5520, but I guess this doesn't change much?
James, Typically QoS is only offered on MPLS networks in general. However, you have unique oppertunity to look at some acceleration hardware.
Cisco WAAS can help you here and other vendors such as (Dare I say it here) Juniper etc..
Implementing a company wide solution using WAAS can save you time and problems with link usage by the acceleration techniques built in to the appliance.
QoS on your Pix and or a Cisco router to limit the http usage on the link towards your PIX /ISP can help you here too. if you use a traffic policing policy you will be able to limit http to say 80% of your link and protect other services link management and or business critical services.
investigate both and see what fits you network model the best.
Oh.. and buying QoS from a SP is always expensive for data, usually only buy it for voice and video, the rest can fight it out a lower class.
Hi, I don't have much budget yet for this but may later in the year.
So the only option or quick fix could be to add a traffic policing policy on the outbound traffic on the outside interface that goes to the ISPs router? I guess I cannot control the inbound traffic as it has already hit my network and my ISP control this?
If so what what the config look like or is it the same as the router example above? If I have 30% to http and 10% to ftp and not fedinr other traffic like email and VPNs would they just all share the 60% left?
As a quick fix on a budget you can police outbound traffic on the pix firewall. This will drop packets exceeding the specified limit, but it does the job although in a hamfisted way.
Do you have access to 2600 router? Because if you do, you can implement all your QoS for 0$ yourself even with MPLS network (shaper and child map will take care of that). You have all the technology you need, and you don't need to buy anything.
Ofcourse if you do not have access to the 2600 you can put another router before 2600, like 2811 for example, and do all configuration there.
Hi, thanks for your help. I guess I could fix the outbound traffic using the pix for the moment, and wondered if you could provide me with a config for this traffic policing I could work with? I have a test Pix and a DSL line to practice.
What happens ti undefined traffic?
We don't have access to the 2600, the 2611 option sounds like a plan, would that sit between the pix and 2600?
If you're willing to drop in a new device, you might want to pursue you're earlier interest in something like a Packeteer type of product. Cost, though, might be a problem on a small budget.
Besides the PIX, the 3750 also has some QoS features that you might use. They're not real rich, though, because of its LAN orientation.
Another router like the suggested 2811 (or a 2801) would let you perform policing or shaping on it. Do note a software shaper doesn't truly emulate a hardware port in how it impacts traffic although with tuning its timers you can usually get close.
It could easily shape (or police) outbound traffic. As I've noted earlier, shaping or policing inbound is less effective since you're likely to be downstream from the bottleneck.
There is a technique that is effective downstream, although routers don't have the precision to do it nicely like Packeteer type products. That technique is outbound ACK shaping.
Like downstream policing, for it to be effective you often need to be very severe in the bandwidth permitted. It's advantage over policing is at least it doesn't discard packets causing needless retransmits.
Thanks, I think for a quick fix the Traffic Policing Policy on the outbound traffic would help. Can you suggest an example for me to work from then I can add other types of traffic?
Also if you said 50% http/https, 20 % smtp, 25 % VPN's, 5$ ftp. Would this mean no other traffic could go outbound because it equals 100%? and if you defined only 80% would the rest of the traffic just use the 20%?