QoS policy map configuration help

utawakevou
Level 4

I need help with reconfiguring my policy map. We have a 4Mbps internet connection that we use for site-to-site VPN, remote VPN connection, guest internet connection, and an internal connection to one of our pieces of equipment for access by our stakeholder overseas. We made some changes recently, i.e. rerouting our guest internet connection and fully using our site-to-site VPN. What I want my policy map to do is:

  1. Allocate 1Mbps but can max to 1.5Mbps for our site-to-site VPN
  2. Allocate max 1Mbps for remote VPN users when they dial in via VPN
  3. Allocate 1Mbps but can max to 1.5Mbps
  4. Incoming connection can max to 1Mbps

I am okay with classification using ACLs. Some configuration help with the policy map would be really appreciated.

5 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Ingress is very, very difficult to manage (using "stock" Cisco QoS).  You can police ingress, but that often doesn't control the traffic as you really desire or need.

Site-to-site can be managed with egress QoS, on both sides, but your other uses of your Internet connection disrupt this; again, you're left with managing such traffic's ingress.

I have got the policy configured and already applied on both interfaces as output. I just need help with the configuration of the bandwidth allocation above, so that when the need arises the bandwidth needed is allocated. By the way, this is what I have got:

 

policy-map WAN_POLICY
 class PREFERRED
  bandwidth 1024
 class OFFICE_VPN_ENDPOINTS
  priority 1024
 class Guest-Internet
  bandwidth 1024
 class class-default
  set dscp default
  shape average 4096000

 


Posting

For what specific platforms (and their IOS versions)?  (Cisco QoS features vary per platform and IOS versions.)

What's your physical hand-off?  If greater than 4 Mbps, you'll want to shape, but with a hierarchical policy.  (What you have now would not trigger your non-default classes until the interface congests.)

If your physical hand-off is 4 Mbps, then you don't need to shape at all.

Normally you wouldn't use LLQ for something like VPN traffic. Also LLQ has an implicit policer, when a) you might be better shaping for your 1.5 max, and b) the policer will police at 1 Mbps.

Your other classes have bandwidth floors, no maximums (as you say you want).

You set DSCP for class-default, but don't set DSCP for any of the other classes?

Again, it would be relatively easy to help you with a good egress policy, but what about ingress?  For example, you've placed VPN into LLQ for egress, but your Guest-Internet could flood your ingress disrupting end-to-end quality for other traffic.

What you're trying to do will only work well (with stock Cisco equipment) if you can control ingress too, which normally requires full control over the other side's egress.  Generally you don't have that with any kind of generic Internet traffic.

There are 3rd party traffic appliances that might help.  But, other than those, if you want effective QoS, you need to be able to manage all your traffic in both directions.
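
An added example, not part of the original thread and not either poster's configuration: a hierarchical egress policy of the kind the reply above describes, where a parent shaper at the 4 Mbps service rate creates the congestion point and a child policy gives each class a `bandwidth` floor in place of LLQ. The names WAN_PARENT and WAN_CHILD, the mapping of the thread's class names to rates, and the use of a per-class policer (rather than a shaper) for the ceiling are assumptions; command support should be confirmed on the platform and IOS release in use.

```cisco
! Added example (assumed names and rates); class-maps are those already
! defined in the thread and matched by ACL.
!
! Child policy: per-class floor (bandwidth, kbps) and ceiling (police, bps).
policy-map WAN_CHILD
 class OFFICE_VPN_ENDPOINTS
  ! assumed mapping: site-to-site VPN, 1 Mbps floor, 1.5 Mbps ceiling
  bandwidth 1024
  police 1536000 conform-action transmit exceed-action drop
 class PREFERRED
  ! assumed mapping: 1 Mbps floor, 1.5 Mbps ceiling
  bandwidth 1024
  police 1536000 conform-action transmit exceed-action drop
 class Guest-Internet
  ! assumed mapping: 1 Mbps floor and 1 Mbps ceiling
  bandwidth 1024
  police 1024000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
! Parent policy: shape all egress traffic to the 4 Mbps service rate so the
! child queues engage at 4 Mbps instead of at FastEthernet line rate.
policy-map WAN_PARENT
 class class-default
  shape average 4096000
  service-policy WAN_CHILD
!
! Outward-facing interface named in the thread.
interface FastEthernet0/1
 service-policy output WAN_PARENT
```

This only governs egress on this router; as the reply notes, traffic arriving from the Internet side is not controlled by it.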

Thanks for the informative post.  I forgot to mention that my site-to-site VPN tunnel is configured from another router, but this router (where I'm applying the policy) serves as my router connecting us to the internet. So I'm just classifying the VPN end points and applying the policy for communication between the end points. Anyway, I'm using an 1841 with IOS 12.4(21a) with fastethernet 0/0 facing inwards and fastethernet 0/1 facing outward.

 

I have changed my policy map configuration as follows:

policy-map WAN_POLICY
 class OFFICE_VPN_ENDPOINTS
  priority percent 25
 class PREFERRED
  bandwidth percent 25
 class Guest-Internet
  priority percent 25
 class class-default
  fair-queue
 

Bandwidth defined on interface is 4096