General QoS and ingress vs egress help

willb1
Level 1

I have a corporate site with multiple locations connected via GRE over IPSec tunnels. I'm running into issues where some downloads from users at the corporate office saturate the link affecting the VPN traffic and other users at the corporate office.

Below is the QoS policy I've begun putting together for the external router at the corporate office. I have a few questions:

1. Am I on the right track with this policy?

2. When applying QoS and traffic shaping to the external router, to which interface should it be applied?

3. Prioritizing VPN traffic is one step but what is the best method to prevent a single user from sapping all of the bandwidth?

ip access-list extended VPN_TRAFFIC
 remark ESP (50) and AH (51) are IP protocols, not TCP ports
 permit esp any any
 permit ahp any any
 permit udp any eq 500 any
 permit udp any eq 4500 any
!
class-map match-all VPN_DATA
 match access-group name VPN_TRAFFIC
!
policy-map VPN_OUT
 class VPN_DATA
  bandwidth percent 70
 class class-default
  fair-queue
!
policy-map PARENT
 class class-default
  shape average 50000000
  service-policy VPN_OUT

The external router shown below is located at the corporate office.

[Network diagram: BasicNetworkDiagram.PNG]

4 Replies

Joseph W. Doherty
Hall of Fame
If the issue is that aggregate traffic from branches can exceed what the HQ's bandwidth supports, you would need to limit the branches' egress so that they don't routinely, or ever, congest ingress to HQ.

If some heavy flows congest a branch's egress, impacting other branch flows, that can often be addressed by placing all flows in FQ.

If you're mixing regular Internet traffic with VPN traffic - DON'T. Obtain dedicated links for both. Otherwise Internet traffic will make QoS for VPN often useless.
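Putting the "all flows in FQ" suggestion into Cisco IOS terms, here is an added example configuration for a branch-office WAN edge; it is not taken from the original poster's router or from any reply in this thread. Every flow is placed in per-flow fair queueing under an egress shaper, VPN is guaranteed a share, and the policy is applied outbound on the WAN-facing interface, since IOS QoS acts on traffic leaving an interface. It assumes an HQF-capable IOS release (fair-queue inside a user-defined class needs that), a 50 Mb/s uplink, and a WAN interface named GigabitEthernet0/0, which is a placeholder name.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: HQF-capable IOS, 50 Mb/s uplink, GigabitEthernet0/0 = WAN (placeholder).
!
ip access-list extended VPN_TRAFFIC
 remark ESP and AH are IP protocols (50/51), not TCP ports
 permit esp any any
 permit ahp any any
 remark IKE on UDP 500, NAT-T on UDP 4500
 permit udp any eq isakmp any eq isakmp
 permit udp any eq non500-isakmp any eq non500-isakmp
!
class-map match-all VPN_DATA
 match access-group name VPN_TRAFFIC
!
! Child policy: guarantee VPN a share of what the shaper allows, and give
! both classes per-flow fair queueing so one heavy flow cannot take a
! whole queue for itself.
policy-map VPN_OUT
 class VPN_DATA
  bandwidth remaining percent 70
  fair-queue
 class class-default
  bandwidth remaining percent 30
  fair-queue
!
! Parent policy: shape slightly below the purchased rate so the queue
! forms on this router, where the policy can act, rather than at the ISP.
policy-map PARENT
 class class-default
  shape average 48000000
  service-policy VPN_OUT
!
! Apply outbound on the WAN-facing interface, not the inside LAN interface.
interface GigabitEthernet0/0
 description WAN uplink (placeholder)
 service-policy output PARENT
```

After applying it, `show policy-map interface GigabitEthernet0/0` shows per-class offered rate, drops and the number of active fair queues, which is the quickest way to confirm the shaper is engaging and that the VPN class is matching ESP rather than nothing. One caveat: fair queueing shares bandwidth per flow (per 5-tuple), so a single user running many parallel download connections still gets proportionally more than a user with one flow; limiting that per user, as asked in the original question, needs a per-user class with its own shaper or policer rather than FQ alone.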

Thank you for the reply. I do have QoS policies applied to the GRE tunnels to prevent branch offices from congesting the ingress to HQ.

I'd love to have separate dedicated links for internet & VPN traffic but that's just not practical. We have all traffic routed through corporate for content filtering. The costs to implement content filtering and/or dedicated links at 10+ offices would be a bit much. Since the congestion issues only crop up occasionally it'd be difficult to justify.

You can still use one link per branch, if Internet is being pulled across the VPN.

What creates a problem is "raw" Internet sharing a link with VPN. For the VPN sites, you can manage bandwidth, assuming you can apply QoS at each. What you cannot generally control is ingress Internet bandwidth. I.e., you may only need separate links for "raw" Internet and VPN at your HQ site.

That makes sense and may be doable. Thank you!