Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1503
Views
0
Helpful
2
Replies

Design guidance: DMVPN over Internet + QoS

etamminga
Spotlight
Spotlight

‎07-26-2011 02:48 AM - edited ‎03-04-2019 01:05 PM

Hi,

For a large customer we've rolled out a pretty large DMVPN network using Internet connections. All is working fine.

We would now like to add some QoS in order to give a certain group of people at the branch a "gauaranteed" bandwidth (inbound, seen from the branch).

The branches use local internet breakout.

In deploying QoS we already configured QoS for data from HQ to the Spokes using the servicepolicies attached to the NHRP groups. This works as well.

Where we are having problems is at the branch internet interface. At this interface common local internet traffic joins the DMVPN traffic. Service-Policies at the HQ do not have any influence or knowledge of the local traffic that enters the router.

How should we apply QoS to traffic inbound at the branch router?

Two things that make it more complicated:

- the branch routers use NME-WAE's and WCCP to "explode" traffic leaving the router; there is no relation between the amount of traffic entering the router from the internet and traffic leaving the router to the LAN.

- the inbound links vary in bandwidth (Sattelites or UMTS, link type depends on wireless-coverage, the branches are mobile (ships)).

Regards,

Erik

Labels:
0 Helpful
2 Replies 2

Latchum Naidu
VIP Alumni
VIP Alumni

‎07-26-2011 04:27 AM

Hi Erik,

What about if you use bandwidth control on the internet interface at your branch.
Say like if you limit for 2 MB the packet will drop once the bandwidth usage reached 2 MB.

Is that what you are looking for?

Please rate the helpfull posts.
Regards,
Naidu.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎07-26-2011 08:08 AM

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

You've already identified the root problem, sharing direct Internet connectivity on the same link used by VPN means you can not effectively manage VPN quality since available link bandwidth is unknown.

What I normally recommend is two Internet connections, one for VPN and one for direct Internet access.  An alternative is you can provide the branch's Internet access via VPN.  This can add considerable latency for Internet traffic, but does allow you to manage bandwidth.

PS:

A third alternative is ISP supporting you QoS policy on their side of the link to your branch.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card