Bandwidth allocation on a WAN link?

Kyle C Barnes
Level 1

Hello!

I'm using a Cisco 881 to create a DMVPN tunnel to a Cisco 3945e.  We are trying to figure out the QoS settings on the WAN link to prioritize corporate traffic. 

We are currently using QoS to mark and queue traffic going outbound, but cannot figure out how to do so for traffic coming inbound. 

For more information:

Corporate user is in Vlan 10

Home user is in Vlan 20

How can we ensure that there is enough download bandwidth to support the corporate user, if the home user is using something download intensive?

If we have a 1.5 mbps download link, how could we allocate, for example, 500kbps of traffic for corporate use?

Let me know if you require any more information!

Thanks!

Kyle

8 Replies

jawad-mukhtar
Level 4

Hi, you can configure rate-limit or a service policy.

Create an ACL that allows the specific IP and call the ACL in the rate-limit / service policy.

Apply that rate-limit or service policy to the inside interface.

Jawad

That won't accomplish what we are trying to do.  I appreciate your help, but here is my rationale:

If we use service policy on the inside interfaces, it's already entered the WAN link.  We can use shaping outbound, but not inbound.  We can use policing inbound, but all that does is provide a maximum amount of bandwidth--not a minimum bandwidth guarantee.

I'm starting to believe this isn't possible, but figured I'd ask.  Rating you for your help anyways.

Kyle

Hello

You are correct, policing can be done inbound, but this is for traffic destined towards your LAN. It will have no effect for traffic traversing your WAN link. This can only be done from the other side of the connection (ISP), i.e. shaping towards your site.

Shaping is an egress function (towards your ISP or from your ISP towards you).

Policing is an ingress function (usually set for traffic originating from your LAN interfaces).

Contact your ISP and query them regarding their QoS SLA.

res

Paul


If you are using DMVPN you can prioritize traffic on egress on the spoke routers. You can do shaping, policing or bandwidth on the remote end routers.


Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Yes, inbound QoS does have limitations.

If all your traffic is from hub, depending on the IOS version being used, you can shape and prioritize traffic being sent to the branch.  (The branch can "tell" the hub what policy to use to it.)

If some of the branch's data is from the hub and some is "raw" Internet, ISP could implement QoS on your behalf, but almost all won't.  If not, your only option is to try to manage non-corporate ingress bandwidth leaving enough for your corporate traffic (which should still be shaped).  E.g. if you want 500 K of 1.5 M for corporate, you police non-corporate traffic (at least) to 1 M.

This latter approach isn't the most optimal, as it "wastes" unused (corporate) bandwidth.  It also cannot fully guarantee any bandwidth for your corporate traffic, because not all (non-corporate) traffic will adjust its transmission rate when policed.  Also, even for traffic that does adjust its transmission rate, you often have to police (sometimes much) more than the nominal bandwidth because of the "lag" before the non-corporate traffic will slow (which makes for more inefficiency).

Because of all the limitations of ingress traffic management, in situations where a branch needs "raw" Internet access, I recommend having two ISP links, one dedicated for VPN traffic and one used for "raw" Internet traffic.  If an Internet link is solely used for VPN, and you can manage every site's VPN egress, QoS allows performance often almost as good as dedicated links or private clouds.  What cannot be controlled with VPN (across the Internet) is interior (Internet) cloud performance, although usually there's ample bandwidth that it's not a problem.

All,

Thanks for your responses.

Problem is that we've implemented this in people's homes; two internet connections aren't really an option (practically).  While we could police the traffic, this really isn't a solution I'm looking to implement--as it does not have a bandwidth guarantee, but more so a cap.  In an ideal world we'd say "corporate you get 1 mbps and home users get 1 mbps," with the assumption that they have a 2mb download link.

I wish shaping was a possibility!

With regards to contacting the ISP, we have a possibility of 1000+ at-home users, all using a variety of ISPs, so this is less than practical.  Good suggestions, though!

Posting

While we could police the traffic, this really isn't a solution I'm looking to implement--as it does not have a bandwidth guarantee, but more so a cap.  In an ideal world we'd say "corporate you get 1 mbps and home users get 1 mbps," with the assumption that they have a 2mb download link.

"bandwidth" guarantee, yes and no.

Just to ensure we're on the "same page", by "capping" non-corporate traffic, you (sort of) guarantee "left-over" bandwidth for the corporate traffic.  So again, if we cap non-corporate to 1 M of 1.5 M, you've (sort of) guaranteed 500 K for corporate.  (NB: reason for "sort of", because you're policing downstream, upstream can overrun your policed limit on the actual link.)

I.e. ingress policing can offer some benefit, it just doesn't fully guarantee bandwidth, but it can be better than nothing.

Even if you don't (branch) ingress police, you may still want to shape (and prioritize) as you send to the branch.  For example, you might still shape for 500 K (or up to branch's downstream bandwidth).  Why needlessly overrun branch (home) bandwidth?  If downstream bandwidth is actually available, you'll get predictable performance.  (Actually, if home user is using corporate VPN, there shouldn't be much if any other non-corporate traffic; unless others at the home are using the Internet too.)
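An added illustration of the "sort of" guarantee discussed above (not part of any poster's reply): a small fluid model of the 1.5 Mbps link with non-corporate traffic policed to 1 M at the branch. The constant 500 kbps corporate stream, the ISP queue that drops every flow proportionally, the 2000 kbps home sender and its halve-on-loss behaviour are all assumptions made for the example.

```python
# Added example: fluid model of the thread's download link. All rates in kbps.
LINK_KBPS = 1500     # download link size from the thread
POLICE_KBPS = 1000   # branch-side cap on non-corporate traffic
CORP_KBPS = 500      # corporate stream from the hub (assumed constant)

def isp_fifo(offered, capacity):
    """ISP applies no QoS: when oversubscribed, every flow loses the same fraction."""
    total = sum(offered.values())
    scale = min(1.0, capacity / total) if total else 1.0
    return {name: rate * scale for name, rate in offered.items()}

def simulate(home_peak_kbps, responsive, steps=200):
    """Return (avg corporate kbps, avg home kbps) delivered behind the policer."""
    home_rate = home_peak_kbps
    corp_sum = home_sum = 0.0
    for _ in range(steps):
        # 1. The bottleneck is upstream, at the ISP, before the branch router.
        arrived = isp_fifo({"corp": CORP_KBPS, "home": home_rate}, LINK_KBPS)
        # 2. The policer only sees what already crossed the link.
        home_ok = min(arrived["home"], POLICE_KBPS)
        corp_sum += arrived["corp"]
        home_sum += home_ok
        if responsive:
            if home_rate - home_ok > 1e-9:
                home_rate /= 2       # sender backs off when it sees loss
            else:
                home_rate = min(home_peak_kbps, home_rate + 50)  # probes upward
    return corp_sum / steps, home_sum / steps

if __name__ == "__main__":
    for label, resp in (("unresponsive sender", False), ("responsive sender", True)):
        corp, home = simulate(2000, resp)
        print(f"{label}: corporate {corp:.0f} kbps, home {home:.0f} kbps")
```

With a sender that ignores loss, the policer still holds home traffic to 1 M on the LAN side, but corporate traffic receives well under 500 K because the link was overrun before the policer was reached.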

ashok_boin
Level 5

Hi Kyle,

The best thing is to check with their ISP to apply outbound policy if yours is a leased line or MPLS.


With best regards...
Ashok