02-04-2019 11:03 PM - edited 03-05-2019 11:14 AM
I want to implement QoS for my company and am now in the testing stage. What I want to achieve is to give priority to the Office365 public IP subnet with 5 Mbps of bandwidth; the total bandwidth for Internet is 10 Mbps.
Upon testing with the following topology, it works as expected. I can download any file with almost 10 Mbps of Internet bandwidth, and the router will prioritize the Office365 subnet if there is traffic for it.
But when I connected the Router Internet to our Core Switch, somehow it is not working as expected, and the bandwidth is reduced almost 10 times, with a maximum download range of 1-3 Mbps. I have made sure the core switch is not running any QoS and the port connected to the router is in routed mode.
Here is the configuration on the router; please take note that NAT is done on the firewall :):
router#sho running-config int g0/0
Building configuration...
Current configuration : 165 bytes
!
interface GigabitEthernet0/0
 ip address 10.5.254.1 255.255.255.252
 duplex auto
 speed auto
 service-policy output QOS-PARENT
end
router#sho running-config int g0/1
Building configuration...
Current configuration : 163 bytes
!
interface GigabitEthernet0/1
 ip address 10.5.254.6 255.255.255.252
 duplex auto
 speed auto
 service-policy output QOS-PARENT
router#show running-config | s access-list
ip access-list extended LOCAL-LAN-ACL
 permit ip 10.5.254.0 0.0.0.255 10.5.0.0 0.0.255.255
 permit ip 10.5.0.0 0.0.255.255 10.5.254.0 0.0.0.255
ip access-list extended O365-ACL
 permit tcp 10.5.0.0 0.0.255.255 object-group O365-IP-RANGE eq www
 permit tcp 10.5.0.0 0.0.255.255 object-group O365-IP-RANGE eq 443
PTSMOE-RTR01#show running-config | s class-map
class-map match-all LAN
 match access-group name LOCAL-LAN-ACL
class-map match-any WEB
 match protocol http
 match protocol secure-http
class-map match-all SCAVENGER
 match protocol bittorrent
class-map match-all O365
 match access-group name O365-ACL
router#show running-config | s policy-map
policy-map QOS-CHILD
 class O365
  priority percent 50
 class SCAVENGER
  police 200000
 class WEB
  bandwidth percent 48
  random-detect dscp-based
  random-detect ecn
policy-map QOS-PARENT
 class LAN
  shape average 990000000
 class class-default
  shape average 10000000
  service-policy QOS-CHILD
Please help me, brothers and sisters; it is quite confusing why it is not working as expected. I am afraid I am missing something or do not really understand how QoS behaves on Cisco IOS.
Thanks
02-05-2019 08:08 AM - edited 02-05-2019 08:10 AM
Insufficient information to really comment on why adding your "core" L3 switch causes a slowdown, but as to your QoS config, I have several suggestions. (BTW, depending on the model and "vintage" of your L3 switch, some switches no longer require setting interface to trust when QoS is enabled.)
First, understand, downstream/ingress bandwidth management generally doesn't work very well with the features available on a Cisco router. (NB: there are some 3rd party traffic management devices that can do much better than a Cisco router, but even they cannot ideally handle all ingress traffic situations. Ideally, you want to manage other side's egress, but that's very unlikely to be allowed.) I would suggest obtaining an Internet link for just your Office 360 traffic and one for your general Internet traffic. If you do, you might only need a default class with FQ (and perhaps a class to limit BitTorrent on the general Internet link).
There's no real need for QoS on the router's inside (i.e. g0/0) facing interface (as your bottleneck is the 10 Mbps cap for Internet traffic).
You're right to think you need shaping for Internet egress interface (i.e. g0/1) if physically more than provisioned bandwidth, but you want just one shaper sized for the available egress bandwidth. However, for 10Mbps, it would be better to run the egress interface physically at 10 Mbps.
e.g.
policy-map SampleShaperParent
 class class-default
  shape average 10000000 !10Mbps - might need to set up to 15% less - unclear all shapers account for L2 overhead
  service-policy X !the child policy - which manages bandwidth allocations
Your bandwidth management policy, for Internet facing interface (again, interface policy if running interface physically at 10 Mbps, or child policy if shaping parent at 10 Mbps) might be:
policy-map sample
 class O365
  bandwidth remaining percent 81
  fair-queue
 class SCAVENGER !optional class
  bandwidth remaining percent 1
  fair-queue
 class class-default
  bandwidth remaining percent 9
  fair-queue
I highly recommend you don't use WRED (unless you're a QoS expert, and you note you're not). I also recommend you don't use LLQ for your O360 traffic. Lastly, I recommend using FQ, where possible, as it offers many advantages.
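The points this reply raises (QoS on the inside interface, more than one shaper in the parent, LLQ and WRED in the child) can be checked mechanically against a saved configuration. The sketch below is an added example, not code from any poster in this thread; `parse`, `lint` and the finding labels are hypothetical names, and it assumes the input holds only `interface` and `policy-map` sections.

```python
# Constructed sample: interface and policy-map lines from the question, re-indented.
SAMPLE = """\
interface GigabitEthernet0/0
 service-policy output QOS-PARENT
interface GigabitEthernet0/1
 service-policy output QOS-PARENT
policy-map QOS-CHILD
 class O365
  priority percent 50
 class WEB
  random-detect dscp-based
policy-map QOS-PARENT
 class LAN
  shape average 990000000
 class class-default
  shape average 10000000
  service-policy QOS-CHILD
"""

def parse(config):
    """Return ({policy: {class: [commands]}}, [interfaces with an output policy]); blank and "!" lines are skipped."""
    policies, attached, pmap, cls, iface = {}, [], None, None, None
    for words in (l.split() for l in config.splitlines() if l.strip(" !")):
        if words[0] == "policy-map":
            pmap, cls, iface = policies.setdefault(words[1], {}), None, None
        elif words[0] == "interface":
            pmap, cls, iface = None, None, words[1]
        elif words[0] == "class" and pmap is not None:
            cls = pmap.setdefault(words[1], [])
        elif iface and words[:2] == ["service-policy", "output"]:
            attached.append(iface)
        elif cls is not None:
            cls.append(" ".join(words))
    return policies, attached

def lint(config):
    policies, attached = parse(config)
    findings = []
    if len(attached) > 1:  # the reply sees no need for QoS on the inside interface
        findings.append("output policy on: " + ", ".join(attached))
    for name, classes in policies.items():
        shaped = [c for c, cmds in classes.items() if any(x.startswith("shape ") for x in cmds)]
        if len(shaped) > 1:  # the reply wants one shaper sized for the egress bandwidth
            findings.append(f"{name}: shapers in {', '.join(shaped)}")
        for c, cmds in classes.items():
            for kw, label in (("priority", "LLQ"), ("random-detect", "WRED")):
                if any(x.startswith(kw) for x in cmds):
                    findings.append(f"{name}/{c}: {label}")
    return findings
```

Running `lint(SAMPLE)` returns four findings for the original configuration; a single-shaper parent with a `bandwidth remaining percent` plus `fair-queue` child returns none.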
02-05-2019 12:03 AM
Hi there,
You should also configure the interfaces on the core switch to trust the QoS markings coming from the router:
!
mls qos
!
int gi1/1
 description link_to_router
 mls qos trust
!
…also you want to mark the traffic coming from the laptop to (add your existing QoS policy-maps and ACLs to the global configuration):
!
int gi2/1
 description link_to_laptop
 service-policy input QOS-PARENT
!
Cheers,
Seb.
02-05-2019 06:59 AM
Hi Seb, thank you for your answer. Lol, I had configured the trust boundary on all of our switches, yet I forgot to tag it on the core switch when doing some testing; how stupid of me. Anyway, thank you very much for your guide and answer.
02-05-2019 12:53 AM
Hello,
In addition to Seb's post, I am not really clear why the connection between your switch and the router is a layer 3 connection, and why you are shaping LAN traffic in the LAN class (with a very high value, which basically only uses CPU and doesn't achieve anything).
Since you are testing, try and make the link between the switch and the router a layer 2 link. Also, try the changes marked in bold below:
router#sho running-config int g0/0
Building configuration...
Current configuration : 165 bytes
!
interface GigabitEthernet0/0
 ip address 10.5.254.1 255.255.255.252
 duplex auto
 speed auto
 --> no service-policy output QOS-PARENT
!
interface GigabitEthernet0/1
 ip address 10.5.254.6 255.255.255.252
 duplex auto
 speed auto
 service-policy output QOS-PARENT
!
--> no ip access-list extended LOCAL-LAN-ACL
 permit ip 10.5.254.0 0.0.0.255 10.5.0.0 0.0.255.255
 permit ip 10.5.0.0 0.0.255.255 10.5.254.0 0.0.0.255
!
ip access-list extended O365-ACL
 permit tcp 10.5.0.0 0.0.255.255 object-group O365-IP-RANGE eq www
 permit tcp 10.5.0.0 0.0.255.255 object-group O365-IP-RANGE eq 443
PTSMOE-RTR01#show running-config | s class-map
--> no class-map match-all LAN
 match access-group name LOCAL-LAN-ACL
class-map match-any WEB
 match protocol http
 match protocol secure-http
class-map match-all SCAVENGER
 match protocol bittorrent
class-map match-all O365
 match access-group name O365-ACL
!
policy-map QOS-CHILD
 class O365
  priority percent 50
 class SCAVENGER
  police 200000
 class WEB
  bandwidth percent 48
  random-detect dscp-based
  random-detect ecn
policy-map QOS-PARENT
 --> no class LAN
  shape average 990000000
 class class-default
  --> no shape average 10000000
  service-policy QOS-CHILD
02-05-2019 07:03 AM - edited 02-05-2019 07:20 AM
Hi Georg,
Thanks for your suggestion. I am really new to Cisco QoS, and I will remove the configuration that you are suggesting and see the result. Actually, the switch is our core switch that runs layer 3 to our distribution; I just made the topology simple.
02-05-2019 03:50 AM
Hello
As you are traffic shaping egress traffic, try removing QoS from the core and your router's inside interface gig0/0.
Below is an amended policy map with some fair queuing applied for the default class:
policy-map QOS-CHILD
 class O365
  priority percent 50
 class SCAVENGER
  police 200000
 class WEB
  bandwidth percent 48
  random-detect dscp-based
  random-detect ecn
 class class-default
  fair-queue
policy-map QOS-PARENT
 no class LAN
  no shape average 990000000
 class class-default
  shape average 10000000
  service-policy QOS-CHILD
interface GigabitEthernet0/0
 no service-policy output QOS-PARENT
02-05-2019 07:07 AM
02-06-2019 03:46 AM
02-06-2019 05:01 AM