cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2240
Views
10
Helpful
20
Replies

qos / prioritize one client

ino
Level 1
Level 1

this is a home environment

unfortunately at my location i cant get wired internet so i have to use LTE

if one program is producing heavy internet traffic

mostly if some of my security cams detects motion and uploads to the cloud or P2P downloads

all other traffic is more or less impossible not even ping works any longer

meaning i getting a ping of 3500ms or higher instead of 30ms ish and drops

the traffic is originating from different devices vms pc ... which are connected to a catalyst 2960x switch

connection to the internet is over a isr 1111 with a built-in lte modem

 

i am not sure but if i understand QOS right then i cant use it because i dont know my connection speed 

and cant reserve bandwidth 

depending on the weather time of the day gods will and whats not

its anywhere between 0.1-30mbps up / 1-100mbps down (average 5/10updown)

 

is there any way to set things up in a way that i have the best connection from my workstation 

so even if my camera is uploading to the cloud and an other pc is downloading something 

if i want to ping something or watch a video on my dedicated workstation prioritize that traffic

 

also the problem seems to by more prevalent when my cameras uploads which is done by

satbelbits if i am not mistaking they use some high priority qos settings software side

 

cheers rick

 

 

 

 

 

1 Accepted Solution

Accepted Solutions

ino
Level 1
Level 1

i got it to work!

 

i mark the packets on the switch 

 

mls qos

policy-map policy1
 class class-default
  set ip dscp af33 <-- just some value for now

interface GigabitEthernet1/0/3 <--- device to get full speed internet
 switchport access vlan 7 
 service-policy input policy1

 

class-map match-all LTE_Priority_Traffic
 match access-group 101
!
policy-map LTE_Child
 class LTE_Priority_Traffic
  priority 10240
 class class-default
  fair-queue
policy-map LTE_Parent
 class class-default
  shape average 10240000
   service-policy LTE_Child

interface Cellular0/2/0 
 ip address negotiated
 ip nat outside
 load-interval 30
 dialer in-band
 dialer watch-group 1
 pulse-time 1
 service-policy output LTE_Parent
 ip virtual-reassembly
 ip virtual-reassembly-out

ip access-list extended 101
 permit ip any any dscp af33 <-- same value as on switch

 

with this settings other devices can upload as they wish if the WORKSTATION is also starting an upload the

others are throttled to 0 may need to adjust some values if possible but in general 0 for the other is fine in my case 

and its just if the workstation is taking heavy use of the connection

how fast and well this works i will need to see during the next days

 

View solution in original post

20 Replies 20

Hello,

 

you could implement QoS on your cellular interface. In the example below, your workstation has IP address 192.168.1.11, and will be guaranteed 10MB no matter what. The rest of the traffic is shaped to 200MB in this example, you can change this value to whatever your LTE has.

 

access-list 101 permit ip host 192.168.1.11 any
!
class-map CLASS_1
match access-group 101
!
policy-map CHILD_SHAPER
class CLASS_1
priority 10240
class class-default
fair-queue
!
policy-map PARENT_SHAPER
class class-default
shape average 20480000
service-policy CHILD_SHAPER
!
interface Cellular0
service-policy output PARENT_SHAPER

ino
Level 1
Level 1

thats where i am not sure i understand the indications of it

what does this "guaranteed 10MB no matter what" means

 

lets assume for the sake of argument

my wan connection switches for some magic reason between 100mb / 1000mb speed randomly all few minutes

 

if its 1000 al should be fine (by side that i would not use the full available bandwidth unless the workstation) 

the camera gets 200mb (at max)

and the workstation is free to use what evert it will (up to the maximum the connection can provide)

 

but what if its 100?

the camera is allowed to used 200mb 

but the interface can handle not more then 100

does my workstation still some how gets its guaranteed 10mb?

 

my cellular is like that best case 100mb worst 1mb

i cant throttle all traffic to 0.5mb so even in the worst scenario 

my workstation would still get the other 0.5mb 

because then my camera upload would never catchup

 

 

Hello,

 

with the QoS applied, the workstation will get 10MB no matter what.

ino
Level 1
Level 1

i am having some difficulties implementing this

the rule dont seems to match anything 

i am certain the ip is the right one

the set up seams to be ok in general because if i put 

ip access-list extended 101 

permit ip any any

then is see packets on LTE_Priority_Traffic

could it be because the interface is nat ed? i also tried to put in the external ip in the access list for testing 

tried to put in any 10.0.0.11 vs 10.0.0.11 any

but there are no packets except by any any settings

 

ip nat translation timeout 300
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 300
ip nat translation finrst-timeout 60
ip nat translation syn-timeout 60
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat inside source static tcp 10.0.0.23 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.23 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.6 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.11 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.11 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.11 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 172.16.200.200 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.123 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.123 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.124 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 172.16.1.10 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 172.16.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 172.16.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.124 xx interface Cellular0/2/0 xx
ip nat inside source list NAT interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0

ip access-list extended 101
 permit ip host 10.0.0.11 any
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.0.255 any
permit ip 172.16.1.0 0.0.0.255 any
permit ip 172.16.2.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 172.16.200.0 0.0.0.255 any
permit ip 172.16.3.0 0.0.0.255 any
controller Cellular 0/2/0 no lte gps enable lte modem link-recovery rssi onset-threshold -110 lte modem link-recovery monitor-timer 20 lte modem link-recovery wait-timer 10 lte modem link-recovery debounce-count 6 ! ! vlan internal allocation policy ascending ! ! class-map match-all LTE_Priority_Traffic match access-group 101 ! policy-map LTE_Child class LTE_Priority_Traffic priority 10240 class class-default fair-queue policy-map LTE_Parent class class-default shape average 20480000 service-policy LTE_Child interface Cellular0/2/0 description LTE ip ddns update hostname dynu.com ip ddns update dynu ip address negotiated ip nbar protocol-discovery ipv4 ip nat outside load-interval 30 history BPS all dialer in-band dialer watch-group 1 pulse-time 1 service-policy output LTE_Parent ip virtual-reassembly ip virtual-reassembly-out
interface GigabitEthernet0/1/1
description Trunk 1/0/1
switchport trunk allowed vlan 20,160-168
switchport mode trunk
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security

interface GigabitEthernet0/1/2 description V7 Route switchport access vlan 7 switchport mode access switchport port-security maximum 25 switchport port-security violation restrict switchport port-security interface Vlan7 description Vlan7 ip flow monitor MyFlow_monitor input ip address 10.0.0.1 255.255.255.0 ip nbar protocol-discovery ipv4 ip nat inside this is the SWTITCH -------------------------
interface GigabitEthernet1/0/1
description Trunk 0/1/1
switchport trunk allowed vlan 20,160-168
switchport mode trunk
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security
interface GigabitEthernet1/0/2 description V7 Route switchport access vlan 7 switchport mode access switchport port-security maximum 9 switchport port-security violation restrict switchport port-security interface GigabitEthernet1/0/3 description WORKSTATION FULL SPEED switchport access vlan 7 switchport mode access switchport port-security maximum 9 switchport port-security violation restrict switchport port-security

interface GigabitEthernet1/0/5
description 10.0.0.6 TRAFFIC TO BE THROTLED
switchport access vlan 7
switchport mode access
switchport port-security maximum 9
switchport port-security violation restrict
switchport port-security


interface Vlan7
description Vlan7
ip flow monitor MyFlow_monitor input
ip address 10.0.0.2 255.255.255.0

do sh policy-map int
 Cellular0/2/0

  Service-policy output: LTE_Parent

    Class-map: class-default (match-any)
      1319309 packets, 1121981774 bytes
      30 second offered rate 1000 bps, drop rate 0000 bps
      Match: any
      Queueing
      queue limit 85 packets
      (queue depth/total drops/no-buffer drops) 0/39991/0
      (pkts output/bytes output) 1279318/1065046164
      shape (average) cir 20480000, bc 81920, be 81920
      target shape rate 20480000

      Service-policy : LTE_Child

        queue stats for all priority classes:
          Queueing
          queue limit 512 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

        Class-map: LTE_Priority_Traffic (match-all)
          0 packets, 0 bytes
          30 second offered rate 0000 bps, drop rate 0000 bps
          Match: access-group 101
          Priority: 10240 kbps, burst bytes 256000, b/w exceed drops: 0


        Class-map: class-default (match-any)
          1316930 packets, 1118593675 bytes
          30 second offered rate 1000 bps, drop rate 0000 bps
          Match: any
          Queueing
          queue limit 85 packets
          (queue depth/total drops/no-buffer drops/flowdrops) 0/39991/0/39991
          (pkts output/bytes output) 1279318/1065046164
          Fair-queue: per-flow queue limit 21 packets

Hello,

 

in your config, the Vlan 7 interface appears twice, once with IP address 10.0.0.1, then again with IP address 10.0.0.2, is that a typo ?

ino
Level 1
Level 1

no

one is the router 10.0.0.1 the other the switch 10.0.0.2

in case the switch setting are of any relevance 

 

 

router

interface GigabitEthernet0/1/1
 description Trunk 1/0/1
 switchport trunk allowed vlan 20,160-168
 switchport mode trunk
 switchport port-security maximum 100
 switchport port-security violation restrict
 switchport port-security

interface GigabitEthernet0/1/2
 description V7 Route
 switchport access vlan 7
 switchport mode access
 switchport port-security maximum 25
 switchport port-security violation restrict
 switchport port-security

interface Vlan7
 description Vlan7
 ip flow monitor MyFlow_monitor input
 ip address 10.0.0.1 255.255.255.0
 ip nbar protocol-discovery ipv4
 ip nat inside

 

 

switch

interface GigabitEthernet1/0/1
 description Trunk 0/1/1
 switchport trunk allowed vlan 20,160-168
 switchport mode trunk
 switchport port-security maximum 100
 switchport port-security violation restrict
 switchport port-security

interface GigabitEthernet1/0/2
 description V7 Route
 switchport access vlan 7
 switchport mode access
 switchport port-security maximum 9
 switchport port-security violation restrict
 switchport port-security

interface GigabitEthernet1/0/3
 description 10.0.0.11 WORKSTATION FULL SPEED
 switchport access vlan 7
 switchport mode access
 switchport port-security maximum 9
 switchport port-security violation restrict
 switchport port-security

interface GigabitEthernet1/0/5
 description 10.0.0.6 TRAFFIC TO BE THROTLED 
 switchport access vlan 7
 switchport mode access
 switchport port-security maximum 9
 switchport port-security violation restrict
 switchport port-security


interface Vlan7
 description Vlan7
 ip flow monitor MyFlow_monitor input
 ip address 10.0.0.2 255.255.255.0

Hello,

 

understood. Does your host have Internet connectivity at all with your current config ?

ino
Level 1
Level 1

yes

if i do an iperf3 upload on both (10.0.0.11 / 10.0.0.6)  the traffic is evenly spread

so no throttling at all 

 

but yes internet works

 

where by i just turned it of (the shaping settings) because i had some crazy glitches in on of my programs on (10.0.0.11) 

like packets would have been dropped whit out the program recognizing it or just receiving incomplete communication

but acting like all would be fine (no communications error or time out ect..) just from a human perspective something was of

 

 

 

Hello,

 

the flow monitor might be the problem...can you try and disable that ?

ino
Level 1
Level 1

removed it on both the router and switch

not the actual setup but its not attached to any interface

 

interface Cellular0/2/0
 description LTE
 ip ddns update hostname dynu.com
 ip ddns update dynu
 ip address negotiated
 ip nat outside
 load-interval 30
 history BPS all
 dialer in-band
 dialer watch-group 1
 pulse-time 1
 service-policy output LTE_Parent
 no ip virtual-reassembly
 no ip virtual-reassembly-out

but traffic is still evenly distributed between the hosts

and a sh policy-map interf still dont shows any packet on the LTE_Priority_Traffic

 

so some how the 

ip access-list extended 101
 permit ip host 10.0.0.11 any

is wrong or not working for some reason (the ip 10.0.0.11 is 100% the correct one) is NAT not mixing things up some how?

 

i just tried it again with any any and then its instantly shows packets

this produces packets in the show command but obviously that make so no sense

as so all traffic is unshaped

ip access-list extended 101
 permit ip any any

ino
Level 1
Level 1

i just trying to attach other access lists to 

class-map match-all LTE_Priority_Traffic
match access-group 101

 

like 

         match access-group LogIn

% Invalid input detected at '^' marker.

but i cant it shows me an error like the access-list wouldn't exist

but it does

ip access-list standard LogIn
 permit 10.0.0.10
 permit 10.0.0.11
 permit 10.0.0.12
 permit 10.0.0.6

or (extended vs standard)

 

ip access-list extended Cowrie
 permit tcp any any established
 permit tcp 10.0.0.0 0.0.0.255 172.16.200.0 0.0.0.255 eq 22
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 192.0.0.0 0.255.255.255
 permit ip any any

 

match access-group Cowrie

wont work either

 

but it lets me attach any numbered X 

even if they dont exist 

c1111(config-cmap)# match access-group 1
c1111(config-cmap)# match access-group 2
c1111(config-cmap)# match access-group 3
c1111(config-cmap)# match access-group 4

all fine??!

non of them exists!

 

Hello,

 

going through the QoS guide, I found the following restriction:

 

--> Queuing policy in egress direction does not support match access-group classification.

 

Try and apply the service policy inbound.

Joseph W. Doherty
Hall of Fame
Hall of Fame

What you've described creates several, generally, "impossible" issues.

You describe both your "up" and "down" bandwidths as variable.  Generally, QoS manages congestion at bottlenecks.  If we don't know the bandwidth we have, i.e. there's no indication to us there's congestion, we cannot manage it via QoS.

There's one exception (of which I'm aware), Cisco has a dynamic shaper that works with some of their DMVPN tunnels, Adaptive QoS, but that doesn't help us here.

W/o that feature we can shape for the "usual" expected "up" bandwidth (which you note as 5 Mbps).  Two possible issues, doing that though.  First, if there's actually more bandwidth that's available, your traffic will not take advantage of it.  Second, if there's less actual bandwidth, your QoS will not manage the congestion the way we want.

Note: I'm not current on ISR 1K QoS features.  However, assuming it supports the usual QoS MQC, some variations of what @Georg Pauwen already supported might work for you.

First, possibly something like:

policy-map up1
class class-default
shape average 5000000 !set value to correspond with bandwidth that's always available

In the past, I believe I noted shapers sometimes used FQ, but also recall noticing later shapers no longer did.
If so, on your ISR, you'll need a policy closer to what Georg described.

policy-map up2parent
class class-default
shape average 5000000
service-policy up2child

policy-map up2child
class class-default
fair-queue

FQ, in the above, might be sufficient, but if you find you actually need to further prioritize some particular traffic, what Georg described, or a variation of it, could be used.

class-map special match-any !or -all
match . . .

policy-map up3parent
class class-default
shape average 5000000
service-policy up2child

policy-map up3child
class special
fair-queue
bandwidth percent 90 !adjust percentage values as desired - they should add to 100
class class-default
fair-queue
bandwidth percent 10 !adjust percentage values as desired - they should add to 100

One difference from what Georg suggested, I recommend to only use "priority" for real-time traffic, like VoIP. The bandwidth command doesn't "cap" that class's bandwidth, and if you set percentages to 99:1, you'll get similar priority for your special class as if you used the priority command.

Managing "down" bandwidth, effectively, is quite difficult. From what you've described, suspect if you manage your "up" bandwidth, you may resolve you issue.

ino
Level 1
Level 1

i looked in to this several times over the past (every time the situation stressed me enough to try to solve it some how)

and yes i came to the same conclusion as @Joseph W. Doherty that i need to know my bandwidth which i dont

 @Georg Pauwen made me some hope that it will regardless work

i can set an upload limit on the program in question whit a simple click although its still somehow manages to make

any other communication some what sluggish even if i throttle it fare below the current capacity

unfortunately my bandwidth is so low that i cant spare any to waste by setting a really low limit some where

 

in the in direction i not even can apply it to the interface probably a limitation of the LTE standard 

i will read a round although it dont looks like but maybe there is a solution if so i let you know

 

thank you both for all your time and effort

cheers rick 

 

Review Cisco Networking for a $25 gift card