Help on making clear QoS rate-limiting concept and best practices

akiropoulos
Level 1

Hi all,

I'd appreciate your valuable help in making some things clear for me regarding QoS rate-limiting and traffic shaping. Please share your feedback and any suggestions for the following scenario.

Consider the below topology (attached image: QoS Policing - Rate limit FTP download.jpg):

Let's say User A (192.168.1.25/24) wants to download some data from the FTP server over at the right. He initiates the download and chokes Acme's network by consuming all available WAN bandwidth which is 50/50Mbps (symmetrical). The administrator needs to:

A. Rate-limit that flow to a maximum of 5Mbps to allow bandwidth available for other Acme needs.

B. Rate-limit any inbound traffic (FTP, HTTP, P2P, etc.) from the Internet to the whole users' subnet to a maximum of 40Mbps to leave 10Mbps of free bandwidth for Acme's servers hosted on the DMZ.

What is the best way to configure this? On which device/interface/direction should a policer or shaper be configured by the admin to achieve A and B (use the A-G points in the topology in your answer), if either of the two options could really achieve the above needs? Please share your thoughts/suggestions from real implementations of your own.

My thinking is as follows:

Since FTP downloading data (or any other incoming packet) is inbound traffic from the Internet (ISP router) to Acme router, the admin has no control and cannot rate-limit the incoming data. This is only something the ISP can do (before packets are sent over the WAN link to Acme). So in my view if the admin sets a policer at point E with direction input it won't do anything, since the packets have already traversed the WAN link and consumed bandwidth. This totally agrees with the same claim on https://supportforums.cisco.com/t5/security-documents/asa-qos/ta-p/3115852 (NOTE 1).

If this thinking is correct, can someone explain why Cisco says otherwise here

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html

where it is stated: "a single user might be able to absorb most, if not all, of the available bandwidth, thus starving the other users. In order to prevent any one user or site-to-site connection from consuming more than its fair share of bandwidth, QoS provides a policing feature that regulates the maximum bandwidth that any user can use. The primary goal of QoS in the security appliance is to provide rate limiting on selected network traffic for both individual flow or VPN tunnel flow to ensure that all traffic gets its fair share of limited bandwidth."

Q1: Is there any point for the admin to set a policer at point A of the ASA with direction input, to limit the FTP bandwidth consumption on the WAN link for User A? As far as I understand this would only drop any packets exceeding the 5Mbps limit as they egress the ASA towards Acme router. But this is upload traffic from user A to the FTP server, not the actual FTP download data. Am I right?

Q2: Same as above but instead of setting the policer to point A of the ASA with direction input, what if the admin sets the policer at point D. Wouldn't the same as Q1 apply?

Q3: I have read in various documentation that policing is best and usually configured in the input direction on an interface. Traffic shaping on the other hand is usually configured on the outbound direction. Is that true? Why only policing inbound, what sense does it make?

Q4: To rate-limit the whole users' subnet (192.168.1.0/24) up to 40Mbps for their Internet access, can the admin configure a traffic shaper of 40Mbps average on point E? Would it do any good? What is the best way to implement this requirement?

Thanks all and sorry for the long post

1 Reply

Joseph W. Doherty
Hall of Fame
"What is the best way to configure this?"

The best way, IMO, would be an egress FQ at E and F, unless you want to be "unfair". (I.e. you may want to be unfair to "favor" traffic to/from DMZ servers, but even for such, class priorities with FQ within them, would be my recommendation.)

Q1: The point would be to avoid User A from hogging all the outbound bandwidth. Yes, you're correct, this would have little to do with User A also hogging inbound bandwidth. (Of course, again this assumes you don't have FQ at E and F.)

Q2: Yea, although possibly the ASA supports a generic per-flow policer, so you wouldn't have to identify "User A". Generally most Cisco routers do not support such a feature.

Q3: Shaping requires queue support, so it can only be used on egress. Policing can be used on ingress or egress.

Q4: Requirement "B" was for providing 10 Mbps of ingress bandwidth to DMZ, correct? If so, a traffic shaper at E wouldn't be what you want.

BTW, possibly the above is not what you're looking for, but then again, what the admin "needs to do" I think is very debatable if you're really looking for the "best" solution.
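The Q3 point above (a shaper needs a queue, a policer does not) can be seen by running both as token buckets over the same burst. This is an added Python model, not code from the thread or from Cisco; the 5 Mbps rate is the OP's per-user limit, and the 10,000-byte burst size, 1500-byte packets and the 40-packet arrival trace are constructed.

```python
"""Token-bucket model: policer (drop excess) vs shaper (queue excess).

Times are integer microseconds so the token arithmetic stays exact.
Constructed trace: 40 x 1500-byte packets, one every 100 us (120 Mbps burst),
offered to a 5 Mbps contract with a 10,000-byte committed burst.
"""
RATE_BPS = 5_000_000        # contract rate (the OP's 5 Mbps per-user limit)
BC_BYTES = 10_000           # committed burst = token bucket depth (assumed)
PKT = 1500                  # every constructed packet is 1500 bytes
BURST = [k * 100 for k in range(40)]   # constructed arrival times, us


def _refill(tokens, last_us, now_us, rate_bps):
    """Tokens earned between last_us and now_us, capped at bucket depth."""
    per_us = rate_bps / 8 / 1e6                 # bytes credited per microsecond
    return min(BC_BYTES, tokens + (now_us - last_us) * per_us)


def police(arrivals_us, rate_bps=RATE_BPS):
    """Policer: no queue. A packet either fits the bucket now or is dropped.
    Works on ingress or egress. Returns (forwarded, dropped)."""
    tokens, last = BC_BYTES, 0
    fwd = drop = 0
    for t in arrivals_us:
        tokens, last = _refill(tokens, last, t, rate_bps), t
        if tokens >= PKT:
            tokens -= PKT
            fwd += 1
        else:
            drop += 1
    return fwd, drop


def shape(arrivals_us, rate_bps=RATE_BPS):
    """Shaper: excess packets wait in a FIFO until tokens accrue, so nothing
    is dropped but packets are delayed. Needs an egress queue; this model
    assumes an unlimited one (a real shaper tail-drops at its queue limit).
    Returns (forwarded, max_delay_us)."""
    per_us = rate_bps / 8 / 1e6
    tokens, last, send_t = BC_BYTES, 0, 0
    max_delay = 0.0
    for t in arrivals_us:
        start = max(t, send_t)                  # FIFO: wait for predecessor
        tokens = _refill(tokens, last, start, rate_bps)
        if tokens < PKT:                        # wait for the shortfall
            start += (PKT - tokens) / per_us
            tokens = PKT
        tokens -= PKT
        last = send_t = start
        max_delay = max(max_delay, start - t)
    return len(arrivals_us), max_delay


if __name__ == "__main__":
    print("policer (fwd, drop):", police(BURST))        # (8, 32)
    print("shaper (fwd, max delay us):", shape(BURST))  # (40, 76100.0)
```

On the same burst the policer discards 32 of 40 packets, while the shaper delivers all 40 at the cost of up to 76 ms of queueing delay, which is why shaping only makes sense where there is a queue to hold that backlog.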