08-06-2013 12:21 PM - edited 03-04-2019 08:40 PM
Hello!
I'm using a Cisco 881 to create a DMVPN tunnel to a Cisco 3945e. We are trying to figure out the QoS settings on the WAN link to prioritize corporate traffic.
We are currently using QoS to mark and queue traffic going outbound, but cannot figure out how to do so for traffic coming inbound.
For more information:
Corporate user is in Vlan 10
Home user is in Vlan 20
How can we ensure that there is enough download bandwidth to support the corporate user, if the home user is using something download intensive?
If we have a 1.5 mbps download link, how could we allocate, for example, 500kbps of traffic for corporate use?
Let me know if you require any more information!
Thanks!
Kyle
08-06-2013 01:41 PM
Hi, you can configure rate-limit or a service policy.
Create an ACL that allows the specific IPs and call the ACL from the rate-limit / service policy.
Apply that rate-limit or service policy to the inside interface.
*** Do rate helpful posts***
Jawad
08-06-2013 02:02 PM
That won't accomplish what we are trying to do. I appreciate your help, but here is my rationale:
If we use a service policy on the inside interfaces, the traffic has already entered the WAN link. We can use shaping outbound, but not inbound. We can use policing inbound, but all that does is provide a maximum amount of bandwidth, not a minimum bandwidth guarantee.
I'm starting to believe this isn't possible, but figured I'd ask. Rating you for your help anyway.
Kyle
08-06-2013 04:26 PM
Hello
You are correct. Policing can be done inbound, but this is for traffic destined towards your LAN. It will have no effect on traffic traversing your WAN link. This can only be done from the other side of the connection (ISP), i.e. shaping towards your site.
Shaping is an egress function (towards your ISP, or from your ISP towards you).
Policing is an ingress function (usually set for traffic originating from your LAN interfaces).
Contact your ISP and ask them regarding their QoS SLA.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
08-06-2013 05:28 PM
If you are using DMVPN you can prioritize traffic on egress on the spoke routers. You can do shaping, policing or bandwidth on the remote end routers.
Sent from Cisco Technical Support iPhone App
08-07-2013 06:09 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Yes, inbound QoS does have limitations.
If all your traffic is from hub, depending on the IOS version being used, you can shape and prioritize traffic being sent to the branch. (The branch can "tell" the hub what policy to use to it.)
If some of the branch's data is from the hub and some is "raw" Internet, the ISP could implement QoS on your behalf, but almost all won't. If not, your only option is to try to manage non-corporate ingress bandwidth, leaving enough for your corporate traffic (which should still be shaped). E.g. if you want 500 K of 1.5 M for corporate, you police non-corporate traffic (at least) to 1 M.
This latter approach isn't the most optimal, as it "wastes" unused (corporate) bandwidth. It also cannot fully guarantee any bandwidth for your corporate traffic, because not all (non-corporate) traffic will adjust its transmission rate when policed. Also, even for traffic that does adjust its transmission rate, you often have to police (sometimes much) more than the nominal bandwidth because of the "lag" before the non-corporate traffic will slow (which makes for more inefficiency).
Because of all the limitations of ingress traffic management, in situations where a branch needs "raw" Internet access, I recommend having two ISP links, one dedicated for VPN traffic and one used for "raw" Internet traffic. If an Internet link is solely used for VPN, and you can manage every site's VPN egress, QoS allows performance often almost as good as dedicated links or private clouds. What cannot be controlled with VPN (across the Internet) is interior (Internet) cloud performance, although usually there's ample bandwidth so that it's not a problem.
08-07-2013 06:38 AM
All,
Thanks for your responses.
Problem is that we've implemented this in people's homes; two Internet connections aren't really an option (practically). While we could police the traffic, this really isn't a solution I'm looking to implement, as it does not have a bandwidth guarantee, but more so a cap. In an ideal world we'd say "corporate you get 1 mbps and home users get 1 mbps," with the assumption that they have a 2mb download link.
I wish shaping was a possibility!
With regards to contacting the ISP, we have a possibility of 1000+ at-home users, all using a variety of ISPs, so this is less than practical. Good suggestions, though!
08-07-2013 08:30 AM
Posting
"While we could police the traffic, this really isn't a solution I'm looking to implement, as it does not have a bandwidth guarantee, but more so a cap. In an ideal world we'd say "corporate you get 1 mbps and home users get 1 mbps," with the assumption that they have a 2mb download link."
"Bandwidth" guarantee, yes and no.
Just to ensure we're on the "same page": by "capping" non-corporate traffic, you (sort of) guarantee "left-over" bandwidth for the corporate traffic. So again, if we cap non-corporate to 1 M of 1.5 M, you've (sort of) guaranteed 500 K for corporate. (NB: the reason for "sort of" is that because you're policing downstream, upstream can overrun your policed limit on the actual link.)
I.e. ingress policing can offer some benefit; it just doesn't fully guarantee bandwidth, but it can be better than nothing.
Even if you don't (branch) ingress police, you may still want to shape (and prioritize) as you send to the branch. For example, you might still shape for 500 K (or up to branch's downstream bandwidth). Why needlessly overrun branch (home) bandwidth? If downstream bandwidth is actually available, you'll get predictable performance. (Actually, if home user is using corporate VPN, there shouldn't be much if any other non-corporate traffic; unless others at the home are using the Internet too.)
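An added configuration example (written for this edit, not posted by anyone in the thread) showing both pieces discussed above: the spoke-side ingress policer that caps non-VPN ("raw" Internet) traffic at 1 M of a 1.5 M link so roughly 500 K is left for the DMVPN tunnel, and the hub-side per-tunnel shaper that limits what the hub sends toward this spoke to 500 K (DMVPN per-tunnel QoS, where the spoke's NHRP group name selects the hub policy; this needs an IOS release that supports it). The WAN address 203.0.113.10, interface names and group/policy names are assumptions.

```cisco
! ===== Spoke (Cisco 881) =====
! Assumed: FastEthernet4 is the WAN interface, 203.0.113.10 its public address.
! Tunnel traffic to the spoke's own WAN address is corporate; everything else is "raw" Internet.
ip access-list extended NON-VPN-INBOUND
 remark ISAKMP (UDP 500), NAT-T (UDP 4500), ESP and GRE belong to the DMVPN tunnel
 deny   udp any host 203.0.113.10 eq isakmp
 deny   udp any host 203.0.113.10 eq non500-isakmp
 deny   esp any host 203.0.113.10
 deny   gre any host 203.0.113.10
 permit ip any any
!
class-map match-all NON-VPN
 match access-group name NON-VPN-INBOUND
!
! Cap non-corporate ingress at 1 Mbps; the ISP still delivers the full 1.5 M,
! this only drops the excess so TCP senders on the home side back off.
policy-map POLICE-HOME-INGRESS
 class NON-VPN
  police 1000000 conform-action transmit exceed-action drop
!
interface FastEthernet4
 service-policy input POLICE-HOME-INGRESS
!
! The spoke advertises its NHRP group so the hub picks the matching shaper.
interface Tunnel0
 ip nhrp attribute group SPOKE-500K
!
! ===== Hub (Cisco 3945E) =====
! Per-tunnel QoS needs a parent policy with only class-default shaping
! and a child policy that does the queuing.
policy-map SPOKE-500K-CHILD
 class class-default
  fair-queue
!
policy-map SPOKE-500K
 class class-default
  shape average 500000
  service-policy SPOKE-500K-CHILD
!
interface Tunnel0
 ip nhrp map group SPOKE-500K service-policy output SPOKE-500K
```

The policer is still only a cap, not a guarantee: UDP flows that ignore drops will keep filling the 1.5 M link, and a TCP flow only slows after its sender notices the drops.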
08-06-2013 07:40 PM
Hi Kyle,
The best thing is to check with their ISP to apply an outbound policy, if yours is a leased line or MPLS.
Sent from Cisco Technical Support iPhone App