01-08-2008 01:05 PM - edited 03-03-2019 08:11 PM
I am hoping that someone could help me out with a rather simple QoS config for a Cisco 3845 with a single T1/CSU card in it.
I have no VoIP running through this interface. I was hoping to put some limits on how much web and other traffic is used on the inbound side of the interface. I would like it so that the interface drops any HTTP (or HTTPS) packets when it has reached >90% capacity.
My problem is that akamai technologies servers aren't closing sessions properly and they keep hammering my T1 (even after my client is disconnected). So that has resulted in me adding a lot of deny xxxxx in my Inbound ACL. If I could just QoS that interface and say that no more than 90% of my bandwidth can be HTTP(S) traffic shouldn't that prevent me from adding all of these servers to my ACL? At least a little bit?
01-08-2008 01:14 PM
You can basically try to achieve this using policing.
What are the other traffic types that you are trying to protect from the http/https traffic?
e.g. to restrict:
class-map match-all QoS
 match protocol http
 match protocol https
policy-map QoS
 class QoS
  police CIR
interface serial 0/0
 ip nbar protocol-discovery
 service-policy output QoS
We should know what other traffic types that need to be protected so that they can be prioritised during congestion rather than just dropping the above traffic
HTH
Narayan
01-08-2008 01:20 PM
I really am just trying to prevent one or two IPs taking up all of my inbound bandwidth. There really aren't too many other protocols on that line that I should be worried about other than UDP 53(DNS) and VPN traffic (VPN 3005 using IPSec is behind that router).
Thanks for the help.
01-09-2008 06:49 AM
Depending on your IOS version, you may be able to implement this command to keep akamai from holding connections open indefinitely.
There are also SYN and FIN wait times you might want to check out. Just a thought.
If you have a firewall instead, you could also apply these commands there instead.
01-09-2008 09:15 AM
Hi,
You are talking about "inbound bandwidth". Are the servers at the other end of your T1? Then the harm is already done, when the packet arrives at your router, as the bandwidth to transport the packets across the T1 is already taken. I would rather suggest in this case to have an outbound policy to prevent the packets from being transmitted.
As such, a simple queueing configuration should be sufficient, like:
class-map match-all noWeb
 match not protocol http
 match not protocol https
policy-map Queueing
 class noWeb
  bandwidth percent 10
interface "T1"
 service-policy output Queueing
This will guarantee at least 10% of the interface bandwidth to the rest of the traffic. You may want to adjust the percentage setting for optimum results.
Regards, Martin
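A fuller version of the two suggestions in this thread, written as an added example rather than either poster's configuration. It assumes a usable T1 payload of 1536 kbps (so 90% is 1382400 bps), the interface name Serial0/0, and 192.0.2.10 as a placeholder address for the VPN 3005; web traffic is matched by port with an ACL instead of NBAR.

```cisco
! Traffic the original poster wants protected: DNS and the IPsec VPN
ip access-list extended DNS
 permit udp any any eq domain
 permit udp any eq domain any
ip access-list extended VPN
 permit esp any host 192.0.2.10
 permit udp any host 192.0.2.10 eq isakmp
 permit esp host 192.0.2.10 any
 permit udp host 192.0.2.10 eq isakmp any
! Web traffic matched by port, in both directions
ip access-list extended WEB
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any eq www any
 permit tcp any eq 443 any
!
class-map match-all VPN
 match access-group name VPN
class-map match-all DNS
 match access-group name DNS
class-map match-all WEB
 match access-group name WEB
!
! Outbound: reserve bandwidth for VPN and DNS during congestion and
! cap web at 90% of the 1536 kbps T1 payload (1382400 bps), dropping the excess
policy-map T1-OUT
 class VPN
  bandwidth percent 30
 class DNS
  bandwidth percent 5
 class WEB
  police 1382400 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
! Inbound: the bits have already crossed the T1, so a policer here only helps
! because the dropped segments make the remote TCP sender back off
policy-map T1-IN
 class WEB
  police 1382400 conform-action transmit exceed-action drop
!
interface Serial0/0
 service-policy output T1-OUT
 service-policy input T1-IN
```

`show policy-map interface Serial0/0` reports per-class conform and exceed counters, which is the quickest way to tell whether the 90% threshold is actually being hit before adjusting it.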