Cisco IOS Limit WAN Download Bandwidth

NAGISWAREN2
Level 1

Hi all,

We have a 3Mbps Internet link connected to a Cisco router. The router has a GRE tunnel to a remote site. Most of the time Internet usage hits the maximum, which causes my VPN performance to drop, even though actual VPN traffic is less than 100Kbps. Because the maximum usage of the VPN is only 100kbps, the balance of the bandwidth was utilized by Internet traffic, which is about 2.9Mbps (still considered congestion at 97%). Due to this, overall link performance drops, and eventually affects VPN performance as well. So to overcome this, we planned to limit Internet usage to 2.5Mbps in the download direction, so that no congestion happens. But I'm unable to achieve this with CBQOS.

Below is my command under class-default 

police rate 2500000 conform-action transmit exceed-action drop

I could see the drop rate at 500Kbps and the conform rate at 2.5Mbps. I have applied the same policy on the WAN interface in the input direction and the LAN interface in the output direction. But the WAN interface download usage still stays at 3Mbps. The LAN interface output rate shows 2.5Mbps (as expected). WHY IS THIS SO?

Regards, Nagis
Accepted Solutions

e.ciollaro
Level 4

Hi,

Policing or shaping this way is not a best practice because you drop packets after they traverse the bottleneck (your WAN link). Dropping after the link can't directly avoid congestion because congestion happens before your router. Depending on the type of traffic you could have some indirect effect because TCP sessions should reduce their window, but the real effect is hard to foresee and, moreover, you could also have UDP traffic; the effect of packet dropping for this kind of traffic depends primarily on the application generating the traffic flow. Consider also that in case of a DoS attack dropping traffic in this way has no effect.

Bye,

enrico.

PS: please rate if useful


Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

To expand a bit on what e.ciollaro has posted, managing inbound traffic bandwidth consumption is a bit hit or miss. If it's mostly TCP traffic, policing much, much lower often ensures there's sufficient traffic for your other traffic. I.e. try policing Internet ingress at 1 Mbps, and adjust.

Also if most traffic is TCP, you can shape return ACKs, but this tends to be inexact too.

You can also investigate obtaining a dedicated traffic shaping appliance, that has other tricks, like spoofing TCP RWINs, but they too won't always work for the reasons noted in e.ciollaro's post.

Your best option is to obtain another Internet link dedicated for VPN traffic only (and hope no one performs a DoS attack against it).

Thanks. We are getting a dedicated bandwidth management device to achieve the requirement. Thanks again.

Regards, Nagis
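
Added example, not part of any post in this thread: a toy Python model of the point made in the replies, using the thread's figures (3 Mbps link, 100 kbps VPN, policers at 2.5 Mbps and 1 Mbps). The AIMD step sizes, the 3.5 Mbps unresponsive load and the proportional-drop rule at the upstream bottleneck are assumptions made for illustration.

```python
"""Toy model of policing downstream of a bottleneck (constructed, not measured data)."""
LINK_KBPS = 3000   # WAN link size from the thread; congestion happens upstream of the router
VPN_KBPS = 100     # GRE/VPN load from the thread

def simulate(police_kbps, responsive, steps=400, start_kbps=500, unresponsive_kbps=3500):
    """Return (avg WAN input kbps, avg LAN output kbps, avg VPN loss fraction).

    responsive=True  -> TCP-like sender (assumed AIMD: +50 kbps per RTT, halve on loss)
    responsive=False -> UDP-like sender that keeps offering unresponsive_kbps (assumed value)
    """
    rate = float(start_kbps if responsive else unresponsive_kbps)
    wan = lan = vpn_loss = 0.0
    for _ in range(steps):
        offered = rate + VPN_KBPS
        # 1) Upstream bottleneck: excess is dropped before the router sees it, and
        #    VPN packets are dropped in the same proportion as everything else.
        scale = min(1.0, LINK_KBPS / offered)
        inet_in, vpn_in = rate * scale, VPN_KBPS * scale
        # 2) Router policer on class-default (Internet traffic only), after the link.
        inet_out = min(inet_in, float(police_kbps))
        wan += inet_in + vpn_in
        lan += inet_out
        vpn_loss += 1.0 - scale
        # 3) Only a responsive sender reacts to the loss it observes end to end.
        if responsive:
            rate = max(rate / 2, 100.0) if rate > inet_out else rate + 50.0
    return wan / steps, lan / steps, vpn_loss / steps

if __name__ == "__main__":
    for label, responsive in (("TCP-like", True), ("UDP-like", False)):
        for police in (2500, 1000):
            w, l, v = simulate(police, responsive)
            print(f"{label:8s} police={police:4d}  WAN in={w:6.0f}  "
                  f"LAN out={l:6.0f}  VPN loss={v:.1%}")
```

In the UDP-like rows the WAN input stays at 3000 kbps while the LAN output sits at the policed rate, which is the pattern reported in the original question; the VPN loss is unchanged by the policer because it occurs before the router.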