Solved: Re: Qos Internet Download/Upload

dchochan · ‎10-26-2020

Hi all,

I have a question. Is it possible to do QoS on internet facing router(using ISR router for example), especially for download?

I had a case with user that they want to guaranteed minimal bandwidth for Teams/Webex/Zoom application, because they often had issue with those application when internet download being full.

My senior said is it not possible since we do need to apply QoS on ISP router egress interface toward costumer for download and Costumer router egress interface toward ISP for upload. He said ideally QoS need to be end-to-end solution.

Can we apply download QoS on Costumer egress interface toward LAN for guaranteed Teams/Webex/Zoom application, instead ISP egress interface?

I had configuration like below that I had in mind that will be applied on Costumer egress interface toward LAN:

class-map match-any video-interactive
match protocol ms-teams
match protocol webex

policy-map child
class video-interactive
bandwith percentage 50%
class class-default
fair-queue

policy-map parent
class class-default
shape average 10Mbps
service-policy parent-download

interface GigabitEthernet1
description "Toward LAN"
ip address x.x.x.x x.x.x.x

ip nbar protocol-discovery ipv4
service-policy output parent

Please let me know your opinion, Cisco QoS really confusing matter for me hahaha.

Thanks

Joseph W. Doherty · ‎10-26-2020

"I have a question. Is it possible to do QoS on internet facing router(using ISR router for example), especially for download?"

Yes, you can. For Internet egress, you can well manage outbound congestion, but, no control beyond that point, so no end-to-end QoS.

For Internet ingress (downloading) it depends on the nature of the traffic and it has "considerations", which often make such QoS, far from "ideal".

For Internet ingress, your best option (beyond getting control over QoS features on the ISP's side of your Internet connection) is using a third party traffic management appliance.

BTW, if you're wondering what your options are, on a Cisco router, for Internet ingress, for traffic that slows when it detects drops, you can police such inbound traffic. When the sender detects drops, it should slow its transmission rate.

For ingress TCP traffic, you can also shape the outbound ACKs. This too should slow the TCP sender's transmission rate.

(NB: I've used both techniques, and they do work.)

Now, regarding "considerations". To insure the ingress traffic doesn't fill your link, before it responds to either packet drops and/or delayed TCP ACKs, you generally need to slow such ingress traffic "a lot". By a "a lot", I mean you might need to target ingress bandwidth to not exceed 10% or even less, of your available ingress bandwidth. Why so much? Several reasons, such as a major one being, the feedback loop, between "signally" the sender to slow its transmission rate, and when it actually does, is "slow". So, what can happen, sender will burst and fill your link before it "knows" it should slow.

Another major reason, TCP will also burst transmit before it too responds to delayed ACKs.

On a Cisco router, you cannot shape outbound ACKs per ingress flow rates, nor easily target particular flows for drops.

I haven't used one, but from what I've read, a dedicated traffic management appliance can do egress ACK shaping and/or drop much more precisely (i.e. tied to individual flow rates). It also can "spoof" the receiver's TCP RWIN, again controlling the sender's transmission rate.

What you cannot do, on either a Cisco router, or traffic shaping appliance is control the rate of non-flow rate kinds of traffic. (Whereas a far side shaper might.)

Another solution to this (common) issue, is obtain more ISP links and dedicate a specific link for specific traffic. This is often a not too expensive solution if you can obtain ISP connection(s) using cable, DSL or FiOS.

Again, it would be a rare ISP which will allow you to define a QoS policy, on their side of your Internet link, but if that's not an option, another possible solution would be for the ISP to allow you to insert a device, on their side of the link, somewhere in-line with the traffic that will be sent down your Internet connection. This too is something that most ISPs will not allow. (Something you might accomplish at a local metro exchange.)

To recap, your most likely best options are usage of a 3rd party traffic management device and/or additional Internet links which are dedicated to specific traffic. (I.e. for the latter, you want to not mix traffic that expands to use all available bandwidth, with those that really need a fixed amount of guaranteed bandwidth.)

Lastly, a "common" solution is to just obtain more bandwidth, but this is often an on-going game. As other Internet sites increase their bandwidth too, they can utilize more of your bandwidth and you once again hit this problem.

View solution in original post

Georg Pauwen · ‎10-26-2020

Hello,

if your ISR is the ISP facing router, your best option is to configure an output service policy like the one below. In most cases, you won;t get the ISP to implement your QoS policies on their end, your senior is right about that.

The configuration you posted misses a few things (marked in bold

class-map match-any video-interactive
match protocol ms-teams
match protocol webex
--> match ip dscp 40 (ZOOM default video dscp)
--> match ip dscp 56 (ZOOM default audio dscp)
!
policy-map CHILD_SHAPER
class video-interactive
bandwith percentage 50%
class class-default
fair-queue
!
policy-map PARENT_SHAPER
class class-default
--> shape average 10240
--> service-policy CHILD_SHAPER
!
interface GigabitEthernet0
description Uplink to ISP
ip address x.x.x.x x.x.x.x
--> service-policy output PARENT_SHAPER

Leo Laohoo · ‎10-26-2020

No, it will not work.

Why? Because QoS is is between your router and your LAN. Anything beyond your router, the ISP will no "honour" it.

dchochan · ‎10-26-2020

Thank @Georg Pauwen & @Leo Laohoo,

I want to make sure what I learned is correct or not, regarding QoS on internet upload/download.\

Suppose I had working guaranteed webex upload (upload control on costumer egress interface toward ISP correct). Assuming download bandwidth being full and webex packet on last entry in queue, the ISP router will drop the webex packet because they are running best-effort (FIFO) hence make QoS for internet facing router is not working.

Is it correct?

Thanks

Georg Pauwen · ‎10-26-2020

Hello,

the maximum you can achieve with implementing QoS on the interface towards the ISP is to mitigate congestion on YOUR end. As Leo said, anything beyond that is out of your control.

dchochan · ‎10-26-2020

Hello @Georg Pauwen,

Which mean we only can manage congestion for upload correct and it is impossible to manage congestion for dowload?

Is it correct?

Thanks

paul driver · ‎10-26-2020

Hello

You can managed traffic from isp into your lan however the traffic would have already traversed your internet pipe but you still can apply qos ingress into you lan.

One reason for the qos egress on your wan is ISP's may have a policy not to don't drop client traffic when they exceed their committed interface rate but charge extra for the privilege or they may just drop excess traffic, So its best to append a shaping policy here also

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty · ‎10-26-2020