Joe Lee
Beginner

QoS Issue

We have three locations: Seattle, LA and NJ. All users need to go through the proxy server in NJ if they need to access the internet. We use port 3128 on the proxy server for internet access. We implement QoS on the WAN for those three locations. For internet access, we configure port 3128 as an NBAR protocol and classify it as lower priority.

The issue is... we want users accessing the site www.webex.com to get high priority, while the other web sites stay at lower priority. Are there any ways to accommodate this?

Thank you,

Joe

Ali Norouzi
Beginner

Hi,

1- Define another class for www.webex.com. You can match traffic towards this host with either NBAR or an access-list. I prefer an access-list if webex.com has specific IP addresses; otherwise use NBAR to match the URL. In your policy-map, assign this new class a higher priority than the others.

2- You already have higher priority queues. Instead of defining the new class I mentioned in item 1, you can change the class type of the higher priority queues from the default match-all to match-any and then add the match terms of item 1 under this old class.

I think item 2 is better and easier to deploy.

Hi Ali,

As I mentioned, we use port 3218 on the proxy server for accessing the internet. Also, we already have a high priority queue, and we do have the specific IPs for www.webex.com. 1) Do we need to set this port as high priority? 2) How can we use NBAR to match the URL? Could you please give a little more detail on the configuration?

Here is the current configuration.

ip nbar port-map custom-01 tcp 3128
class-map match-any high
match access-group 100
match protocol citrix
class-map match-any default
match protocol custom-01
match access-group 200
class-map match-any low
match class-map mail
match access-group 300
!
policy-map QOS
class high
set ip dscp af31
class low
set ip dscp af21
class default
set ip dscp default

Thank you,

Joe

You only need to increase the priority of traffic destined to webex.com. I added a match term to your configuration.

ip nbar port-map custom-01 tcp 3128
class-map match-any high
match access-group 100
match protocol citrix
match protocol http url "webex"
class-map match-any default
match protocol custom-01
match access-group 200
class-map match-any low
match class-map mail
match access-group 300
!
policy-map QOS
class high
set ip dscp af31
class low
set ip dscp af21
class default
set ip dscp default

By the way, it would be better if you matched the IP addresses of webex instead of the URL, because NBAR needs more hardware resources and I don't have good experience with URL matching in NBAR.

It seems it doesn't work with the proxy server. See the configuration below.

access-list 140 permit tcp 64.68.96.0 0.0.31.255 any eq www
access-list 140 permit tcp any 64.68.96.0 0.0.31.255 eq www
access-list 140 permit tcp 66.114.160.0 0.0.15.255 any eq www
access-list 140 permit tcp any 66.114.160.0 0.0.15.255 eq www
!
class-map match-any high
match access-group 140

Please advise.

Thanks,

Joe

Hi,

Can someone please help? Or do you need more details?

Thank you!

Hello,

All web traffic needs to go through the proxy server. Here is the problem I am struggling with... How can we prioritize "webex" traffic without prioritizing other web traffic?

Thanks,

Joe

Hi,

IMHO, NBAR is the solution for you.

Looking at this: http://blog.ine.com/2008/05/08/using-nbar-for-application-filtering/

your config should look like:

ip nbar port-map http tcp 3128
!
class-map match-any high
match protocol http host "webex.com"
match protocol citrix
class-map match-any default
match access-group 200
class-map match-any low
match class-map mail
match access-group 300
!
policy-map QOS
class high
set ip dscp af31
class low
set ip dscp af21
class default
set ip dscp default

HTH,

Milan
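
As an added illustration (not from any of the posts above), a small Python model of the match-any classification being discussed. It shows why access-list 140 never matches the Seattle/LA traffic on the WAN (there the destination is the proxy on port 3128, not a webex address), why matching on the HTTP Host header does, and how broad a leading `*` in the host pattern is. The proxy address and the lookalike host name are constructed, and the wildcard semantics of `match protocol http host` are an assumption of the model.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed NJ proxy address (hypothetical) and the webex ranges from access-list 140.
PROXY_IP, PROXY_PORT = "192.0.2.10", 3128
WEBEX_NETS = [ip_network("64.68.96.0/19"), ip_network("66.114.160.0/20")]

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    http_host: str = ""   # Host header NBAR's HTTP inspection would see; "" if none

def match_acl_140(f: Flow) -> bool:
    """access-list 140: tcp between the webex ranges and anyone, port www (80)."""
    in_webex = lambda ip: any(ip_address(ip) in n for n in WEBEX_NETS)
    return f.dst_port == 80 and (in_webex(f.src_ip) or in_webex(f.dst_ip))

def match_http_host(f: Flow, pattern: str) -> bool:
    """Model of 'match protocol http host "<pattern>"' (assumption: '*' is any run of
    characters and the pattern must cover the whole Host value, case-insensitively)."""
    rx = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return bool(f.http_host) and re.match(rx, f.http_host, re.I) is not None

def classify(f: Flow, host_pattern: Optional[str]) -> str:
    """DSCP that policy-map QOS sets: class high first, then the custom-01 port-map
    (class default), then class-default for everything that matched nothing."""
    high = match_http_host(f, host_pattern) if host_pattern else match_acl_140(f)
    if high:
        return "af31"
    if f.dst_port == PROXY_PORT:        # ip nbar port-map custom-01 tcp 3128
        return "default"
    return "class-default"

def demo() -> dict:
    """Constructed flows: a Seattle client talking to the proxy, and the proxy itself."""
    seattle_webex = Flow("10.1.1.20", PROXY_IP, PROXY_PORT, "www.webex.com")
    seattle_other = Flow("10.1.1.20", PROXY_IP, PROXY_PORT, "www.cisco.com")
    proxy_to_webex = Flow(PROXY_IP, "64.68.100.1", 80)     # seen only on NJ's internet link
    lookalike = Flow("10.1.1.20", PROXY_IP, PROXY_PORT, "notwebex.com")  # constructed name
    return {
        "acl_on_wan": classify(seattle_webex, None),          # 'default': dst is the proxy
        "acl_proxy_out": classify(proxy_to_webex, None),      # 'af31': ACL works only here
        "host_on_wan": classify(seattle_webex, "*webex.com"),   # 'af31'
        "host_other": classify(seattle_other, "*webex.com"),    # 'default'
        "host_broad": classify(lookalike, "*webex.com"),        # 'af31': leading * too broad
        "host_strict": classify(lookalike, "*.webex.com"),      # 'default'
    }
```

The last two entries are the caveat: `*webex.com` also lifts any host name that merely ends in "webex.com" into the priority class, whereas `*.webex.com` only matches real subdomains (and then not the bare `webex.com`).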

Hi Milan,

Will NBAR recognize proxy traffic as HTTP traffic?

Thanks,

Joe

Hi,

I hope so.

According to http://www.cisco.com/en/US/docs/ios/12_3t/qos/command/reference/qos_i1gt.html#wp1112526

"To configure network-based application recognition (NBAR) to search for a protocol or protocol name using a port number other than the well-known port, use the ip nbar port-map command in global configuration mode."

But I have not tested this feature personally.

BR,

Milan

Hi Milan,

Thank you for helping me.

Just wondering if it would work with the following config.

access-list 176 permit tcp any host "proxy server IP address" eq 3128
access-list 176 permit tcp any host "proxy server IP address" eq 80
!
class-map match-any webex
match protocol http url "*webex.com"
match access-group 176
!
class-map match-any high
match class-map webex

!

I just don't know if the other web traffic won't end up in the high priority class too.

Thanks,

Joe

Hi,

I'm afraid

access-list 176 permit tcp any host "proxy server IP address" eq 3128

would make all proxy traffic assigned to the high priority class.

And

access-list 176 permit tcp any host "proxy server IP address" eq 80

does not make much sense, as you are not using port 80 to access the proxy server, are you?

HTH,

Milan

Hi Milan,

I have been searching, and it seems the solution should cover what we need. One last question... how can we validate that it works?

Thanks!

Hi,

you could try the sh policy-map int ... command and watch the numbers of matching packets while connecting to different web pages.

Or to be absolutely sure, you could capture the outgoing traffic and look into the IP packet headers by Wireshark.

BR,

Milan