10-01-2021 09:52 AM
this is a home environment
unfortunately at my location i cant get wired internet so i have to use LTE
if one program is producing heavy internet traffic
mostly if some of my security cams detects motion and uploads to the cloud or P2P downloads
all other traffic is more or less impossible not even ping works any longer
meaning i getting a ping of 3500ms or higher instead of 30ms ish and drops
the traffic is originating from different devices vms pc ... which are connected to a catalyst 2960x switch
connection to the internet is over a isr 1111 with a built-in lte modem
i am not sure but if i understand QOS right then i cant use it because i dont know my connection speed
and cant reserve bandwidth
depending on the weather time of the day gods will and whats not
its anywhere between 0.1-30mbps up / 1-100mbps down (average 5/10updown)
is there any way to set things up in a way that i have the best connection from my workstation
so even if my camera is uploading to the cloud and an other pc is downloading something
if i want to ping something or watch a video on my dedicated workstation prioritize that traffic
also the problem seems to be more prevalent when my cameras upload which is done by
satbelbits if i am not mistaken they use some high priority qos settings software side
cheers rick
10-03-2021 02:39 AM
i got it to work!
i mark the packets on the switch
mls qos
policy-map policy1
class class-default
set ip dscp af33 <-- just some value for now
interface GigabitEthernet1/0/3 <--- device to get full speed internet
switchport access vlan 7
service-policy input policy1
class-map match-all LTE_Priority_Traffic
match access-group 101
!
policy-map LTE_Child
class LTE_Priority_Traffic
priority 10240
class class-default
fair-queue
policy-map LTE_Parent
class class-default
shape average 10240000
service-policy LTE_Child
interface Cellular0/2/0
ip address negotiated
ip nat outside
load-interval 30
dialer in-band
dialer watch-group 1
pulse-time 1
service-policy output LTE_Parent
ip virtual-reassembly
ip virtual-reassembly-out
ip access-list extended 101
permit ip any any dscp af33 <-- same value as on switch
with these settings other devices can upload as they wish if the WORKSTATION is also starting an upload the
others are throttled to 0
and its just if the workstation is taking heavy use of the connection
how fast and well this works i will need to see during the next days
10-01-2021 11:05 AM
Hello,
you could implement QoS on your cellular interface. In the example below, your workstation has IP address 192.168.1.11, and will be guaranteed 10MB no matter what. The rest of the traffic is shaped to 200MB in this example, you can change this value to whatever your LTE has.
access-list 101 permit ip host 192.168.1.11 any
!
class-map CLASS_1
match access-group 101
!
policy-map CHILD_SHAPER
class CLASS_1
priority 10240
class class-default
fair-queue
!
policy-map PARENT_SHAPER
class class-default
shape average 20480000
service-policy CHILD_SHAPER
!
interface Cellular0
service-policy output PARENT_SHAPER
10-01-2021 12:42 PM
thats where i am not sure i understand the indications of it
what does this "guaranteed 10MB no matter what" means
lets assume for the sake of argument
my wan connection switches for some magic reason between 100mb / 1000mb speed randomly all few minutes
if its 1000 all should be fine (beside that i would not use the full available bandwidth unless the workstation)
the camera gets 200mb (at max)
and the workstation is free to use whatever it will (up to the maximum the connection can provide)
but what if its 100?
the camera is allowed to use 200mb
but the interface can handle not more than 100
does my workstation still somehow get its guaranteed 10mb?
my cellular is like that best case 100mb worst 1mb
i cant throttle all traffic to 0.5mb so even in the worst scenario
my workstation would still get the other 0.5mb
because then my camera upload would never catchup
10-01-2021 02:04 PM
Hello,
with the QoS applied, the workstation will get 10MB no matter what.
10-02-2021 02:30 AM
i am having some difficulties implementing this
the rule doesn't seem to match anything
i am certain the ip is the right one
the set up seems to be ok in general because if i put
ip access-list extended 101
permit ip any any
then i see packets on LTE_Priority_Traffic
could it be because the interface is nat ed? i also tried to put in the external ip in the access list for testing
tried to put in any 10.0.0.11 vs 10.0.0.11 any
but there are no packets except by any any settings
ip nat translation timeout 300
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 300
ip nat translation finrst-timeout 60
ip nat translation syn-timeout 60
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat inside source static tcp 10.0.0.23 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.23 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.6 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.11 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.11 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.11 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static udp 10.0.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 172.16.200.200 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.123 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.123 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.124 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 172.16.1.10 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 172.16.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 172.16.0.10 xx interface Cellular0/2/0 xx
ip nat inside source static tcp 10.0.0.124 xx interface Cellular0/2/0 xx
ip nat inside source list NAT interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip access-list extended 101
permit ip host 10.0.0.11 any
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.0.255 any
permit ip 172.16.1.0 0.0.0.255 any
permit ip 172.16.2.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 172.16.200.0 0.0.0.255 any
permit ip 172.16.3.0 0.0.0.255 any
controller Cellular 0/2/0
no lte gps enable
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
vlan internal allocation policy ascending
!
!
class-map match-all LTE_Priority_Traffic
match access-group 101
!
policy-map LTE_Child
class LTE_Priority_Traffic
priority 10240
class class-default
fair-queue
policy-map LTE_Parent
class class-default
shape average 20480000
service-policy LTE_Child
interface Cellular0/2/0
description LTE
ip ddns update hostname dynu.com
ip ddns update dynu
ip address negotiated
ip nbar protocol-discovery ipv4
ip nat outside
load-interval 30
history BPS all
dialer in-band
dialer watch-group 1
pulse-time 1
service-policy output LTE_Parent
ip virtual-reassembly
ip virtual-reassembly-out
interface GigabitEthernet0/1/1
description Trunk 1/0/1
switchport trunk allowed vlan 20,160-168
switchport mode trunk
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security
interface GigabitEthernet0/1/2
description V7 Route
switchport access vlan 7
switchport mode access
switchport port-security maximum 25
switchport port-security violation restrict
switchport port-security
interface Vlan7
description Vlan7
ip flow monitor MyFlow_monitor input
ip address 10.0.0.1 255.255.255.0
ip nbar protocol-discovery ipv4
ip nat inside
this is the SWITCH -------------------------
interface GigabitEthernet1/0/1
description Trunk 0/1/1
switchport trunk allowed vlan 20,160-168
switchport mode trunk
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security
interface GigabitEthernet1/0/2
description V7 Route
switchport access vlan 7
switchport mode access
switchport port-security maximum 9
switchport port-security violation restrict
switchport port-security
interface GigabitEthernet1/0/3
description WORKSTATION FULL SPEED
switchport access vlan 7
switchport mode access
switchport port-security maximum 9
switchport port-security violation restrict
switchport port-security
interface GigabitEthernet1/0/5
description 10.0.0.6 TRAFFIC TO BE THROTLED
switchport access vlan 7
switchport mode access
switchport port-security maximum 9
switchport port-security violation restrict
switchport port-security
interface Vlan7
description Vlan7
ip flow monitor MyFlow_monitor input
ip address 10.0.0.2 255.255.255.0
do sh policy-map int Cellular0/2/0
Service-policy output: LTE_Parent
Class-map: class-default (match-any)
1319309 packets, 1121981774 bytes
30 second offered rate 1000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 85 packets
(queue depth/total drops/no-buffer drops) 0/39991/0
(pkts output/bytes output) 1279318/1065046164
shape (average) cir 20480000, bc 81920, be 81920
target shape rate 20480000
Service-policy : LTE_Child
queue stats for all priority classes:
Queueing
queue limit 512 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: LTE_Priority_Traffic (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group 101
Priority: 10240 kbps, burst bytes 256000, b/w exceed drops: 0
Class-map: class-default (match-any)
1316930 packets, 1118593675 bytes
30 second offered rate 1000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 85 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/39991/0/39991
(pkts output/bytes output) 1279318/1065046164
Fair-queue: per-flow queue limit 21 packets
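The check done by eye on the output above (a class that never matches while the rest of the policy carries traffic) can be scripted. This is an added example, not part of the original post: the sample text is trimmed from the output posted in this thread, and the function names are hypothetical.

```python
import re

# Trimmed from the "show policy-map interface" output posted in this thread.
SAMPLE = """\
Service-policy output: LTE_Parent
  Class-map: class-default (match-any)
    1319309 packets, 1121981774 bytes
    (queue depth/total drops/no-buffer drops) 0/39991/0
    Service-policy : LTE_Child
      Class-map: LTE_Priority_Traffic (match-all)
        0 packets, 0 bytes
        Match: access-group 101
      Class-map: class-default (match-any)
        1316930 packets, 1118593675 bytes
        (queue depth/total drops/no-buffer drops/flowdrops) 0/39991/0/39991
"""

POLICY = re.compile(r"Service-policy\s*(?:input|output)?\s*:\s*(\S+)")
CLASS = re.compile(r"Class-map:\s*(\S+)")
PACKETS = re.compile(r"(\d+) packets, (\d+) bytes")
DROPS = re.compile(r"\(queue depth/total drops[^)]*\)\s*\d+/(\d+)")
MATCH = re.compile(r"Match:\s*(.+)")

def parse_policy_map(text):
    """Return one dict per class: policy, class, packets, bytes, drops, match."""
    classes, policy, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := POLICY.match(line):
            # A nested policy starts; its shared priority-queue stats belong to no class.
            policy, current = m.group(1), None
        elif m := CLASS.match(line):
            current = {"policy": policy, "class": m.group(1),
                       "packets": 0, "bytes": 0, "drops": 0, "match": None}
            classes.append(current)
        elif current is None:
            continue
        elif m := PACKETS.match(line):
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := DROPS.match(line):
            current["drops"] = int(m.group(1))
        elif m := MATCH.match(line):
            current["match"] = m.group(1)
    return classes

def never_matched(classes):
    """Non-default classes with zero packets while their policy carries traffic."""
    busy = {c["policy"] for c in classes if c["packets"] > 0}
    return [c for c in classes
            if c["class"] != "class-default" and c["packets"] == 0
            and c["policy"] in busy]

if __name__ == "__main__":
    for c in never_matched(parse_policy_map(SAMPLE)):
        print(f'{c["policy"]}/{c["class"]}: 0 packets, match "{c["match"]}"')
```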
10-02-2021 05:25 AM
Hello,
in your config, the Vlan 7 interface appears twice, once with IP address 10.0.0.1, then again with IP address 10.0.0.2, is that a typo ?
10-02-2021 05:37 AM
no
one is the router 10.0.0.1 the other the switch 10.0.0.2
in case the switch setting are of any relevance
router
interface GigabitEthernet0/1/1
description Trunk 1/0/1
switchport trunk allowed vlan 20,160-168
switchport mode trunk
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security
interface GigabitEthernet0/1/2
description V7 Route
switchport access vlan 7
switchport mode access
switchport port-security maximum 25
switchport port-security violation restrict
switchport port-security
interface Vlan7
description Vlan7
ip flow monitor MyFlow_monitor input
ip address 10.0.0.1 255.255.255.0
ip nbar protocol-discovery ipv4
ip nat inside
switch
interface GigabitEthernet1/0/1
description Trunk 0/1/1
switchport trunk allowed vlan 20,160-168
switchport mode trunk
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security
interface GigabitEthernet1/0/2
description V7 Route
switchport access vlan 7
switchport mode access
switchport port-security maximum 9
switchport port-security violation restrict
switchport port-security
interface GigabitEthernet1/0/3
description 10.0.0.11 WORKSTATION FULL SPEED
switchport access vlan 7
switchport mode access
switchport port-security maximum 9
switchport port-security violation restrict
switchport port-security
interface GigabitEthernet1/0/5
description 10.0.0.6 TRAFFIC TO BE THROTLED
switchport access vlan 7
switchport mode access
switchport port-security maximum 9
switchport port-security violation restrict
switchport port-security
interface Vlan7
description Vlan7
ip flow monitor MyFlow_monitor input
ip address 10.0.0.2 255.255.255.0
10-02-2021 05:41 AM
Hello,
understood. Does your host have Internet connectivity at all with your current config ?
10-02-2021 05:54 AM
yes
if i do an iperf3 upload on both (10.0.0.11 / 10.0.0.6) the traffic is evenly spread
so no throttling at all
but yes internet works
whereby i just turned it off (the shaping settings) because i had some crazy glitches in one of my programs on (10.0.0.11)
like packets would have been dropped without the program recognizing it or just receiving incomplete communication
but acting like all would be fine (no communications error or time out etc.) just from a human perspective something was off
10-02-2021 06:05 AM
Hello,
the flow monitor might be the problem...can you try and disable that ?
10-02-2021 06:31 AM
removed it on both the router and switch
not the actual setup but its not attached to any interface
interface Cellular0/2/0
description LTE
ip ddns update hostname dynu.com
ip ddns update dynu
ip address negotiated
ip nat outside
load-interval 30
history BPS all
dialer in-band
dialer watch-group 1
pulse-time 1
service-policy output LTE_Parent
no ip virtual-reassembly
no ip virtual-reassembly-out
but traffic is still evenly distributed between the hosts
and a sh policy-map interf still doesn't show any packets on the LTE_Priority_Traffic
so some how the
ip access-list extended 101
permit ip host 10.0.0.11 any
is wrong or not working for some reason (the ip 10.0.0.11 is 100% the correct one) is NAT not mixing things up some how?
i just tried it again with any any and then its instantly shows packets
this produces packets in the show command but obviously that makes no sense
as so all traffic is unshaped
ip access-list extended 101
permit ip any any
10-02-2021 06:47 AM
i just trying to attach other access lists to
class-map match-all LTE_Priority_Traffic
match access-group 101
like
match access-group LogIn
% Invalid input detected at '^' marker.
but i cant it shows me an error like the access-list wouldn't exist
but it does
ip access-list standard LogIn
permit 10.0.0.10
permit 10.0.0.11
permit 10.0.0.12
permit 10.0.0.6
or (extended vs standard)
ip access-list extended Cowrie
permit tcp any any established
permit tcp 10.0.0.0 0.0.0.255 172.16.200.0 0.0.0.255 eq 22
deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.0.0.0 0.255.255.255
permit ip any any
match access-group Cowrie
wont work either
but it lets me attach any numbered X
even if they dont exist
c1111(config-cmap)# match access-group 1
c1111(config-cmap)# match access-group 2
c1111(config-cmap)# match access-group 3
c1111(config-cmap)# match access-group 4
all fine??!
none of them exist!
10-02-2021 10:18 AM
Hello,
going through the QoS guide, I found the following restriction:
--> Queuing policy in egress direction does not support match access-group classification.
Try and apply the service policy inbound.
10-02-2021 02:50 PM
What you've described creates several, generally, "impossible" issues.
You describe both your "up" and "down" bandwidths as variable. Generally, QoS manages congestion at bottlenecks. If we don't know the bandwidth we have, i.e. there's no indication to us there's congestion, we cannot manage it via QoS.
There's one exception (of which I'm aware), Cisco has a dynamic shaper that works with some of their DMVPN tunnels, Adaptive QoS, but that doesn't help us here.
W/o that feature we can shape for the "usual" expected "up" bandwidth (which you note as 5 Mbps). Two possible issues, doing that though. First, if there's actually more bandwidth that's available, your traffic will not take advantage of it. Second, if there's less actual bandwidth, your QoS will not manage the congestion the way we want.
Note: I'm not current on ISR 1K QoS features. However, assuming it supports the usual QoS MQC, some variations of what @Georg Pauwen already supported might work for you.
First, possibly something like:
policy-map up1
class class-default
shape average 5000000 !set value to correspond with bandwidth that's always available
In the past, I believe I noted shapers sometimes used FQ, but also recall noticing later shapers no longer did.
If so, on your ISR, you'll need a policy closer to what Georg described.
policy-map up2parent
class class-default
shape average 5000000
service-policy up2child
policy-map up2child
class class-default
fair-queue
FQ, in the above, might be sufficient, but if you find you actually need to further prioritize some particular traffic, what Georg described, or a variation of it, could be used.
class-map special match-any !or -all
match . . .
policy-map up3parent
class class-default
shape average 5000000
service-policy up3child
policy-map up3child
class special
fair-queue
bandwidth percent 90 !adjust percentage values as desired - they should add to 100
class class-default
fair-queue
bandwidth percent 10 !adjust percentage values as desired - they should add to 100
One difference from what Georg suggested, I recommend to only use "priority" for real-time traffic, like VoIP. The bandwidth command doesn't "cap" that class's bandwidth, and if you set percentages to 99:1, you'll get similar priority for your special class as if you used the priority command.
Managing "down" bandwidth, effectively, is quite difficult. From what you've described, suspect if you manage your "up" bandwidth, you may resolve your issue.
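The two shaping issues named in the post above, worked through as an added example (not code from the thread): a simplified fluid model of a parent shaper with a priority class and a fair-queued default class, followed by a radio link whose real rate may differ from the shaped rate. Assumptions: the modem behaves as a single FIFO that loses overload in proportion to arrival rate, the 10240 kbps priority rate and 20480 kbps shape rate are taken from the configs in this thread, and the offered loads (8000 kbps workstation, two 30000 kbps bulk flows) are constructed.

```python
def max_min_fair(demands, capacity):
    """Water-filling: equal shares, flows needing less hand back the surplus."""
    alloc = [0.0] * len(demands)
    active = [i for i, d in enumerate(demands) if d > 0]
    while active and capacity > 1e-9:
        share = capacity / len(active)
        satisfied = [i for i in active if demands[i] <= share]
        if not satisfied:
            for i in active:
                alloc[i] = share
            break
        for i in satisfied:
            alloc[i] = demands[i]
            capacity -= demands[i]
        active = [i for i in active if i not in satisfied]
    return alloc

def shaper_output(prio_demand, others, shape_kbps, prio_kbps):
    """Rates (kbps) leaving the router: priority class first, rest fair-queued."""
    prio = min(prio_demand, prio_kbps, shape_kbps)
    return [prio] + max_min_fair(others, shape_kbps - prio)

def after_radio(rates, link_kbps):
    """Modem modelled as one FIFO: overload is lost in proportion to arrival rate."""
    total = sum(rates)
    scale = min(1.0, link_kbps / total) if total else 1.0
    return [r * scale for r in rates]

def workstation_goodput(shape_kbps, link_kbps, prio_kbps=10240,
                        workstation=8000, others=(30000, 30000)):
    """Workstation throughput (kbps) for a given shaped rate and real link rate."""
    sent = shaper_output(workstation, list(others), shape_kbps, prio_kbps)
    return after_radio(sent, link_kbps)[0]

if __name__ == "__main__":
    # (shaped rate, real link rate) in kbps
    for shape, link in [(20480, 20480), (20480, 1000), (1000, 1000), (5000, 20480)]:
        print(f"shape={shape} link={link} -> workstation "
              f"{workstation_goodput(shape, link):.1f} kbps")
```

In this model the priority class only protects the workstation while the shaped rate is at or below what the link really delivers; shaping below the real rate leaves bandwidth unused.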
10-02-2021 08:18 PM
i looked in to this several times over the past (every time the situation stressed me enough to try to solve it some how)
and yes i came to the same conclusion as @Joseph W. Doherty that i need to know my bandwidth which i dont
@Georg Pauwen made me some hope that it will regardless work
i can set an upload limit on the program in question with a simple click although it still somehow manages to make
any other communication somewhat sluggish even if i throttle it far below the current capacity
unfortunately my bandwidth is so low that i cant spare any to waste by setting a really low limit somewhere
in the in direction i cant even apply it to the interface probably a limitation of the LTE standard
i will read around although it doesn't look like it but maybe there is a solution if so i let you know
thank you both for all your time and effort
cheers rick