02-06-2020 07:52 PM
There are lots of different ways to set up QoS, and I am trying to determine the best and/or most effective way to limit bandwidth for incoming traffic from, let's say, an IP address or source on an interface. Is something like the below a good way?
class-map match-all 1
match access-group 1
class-map match-all TEST_QMAP
match access-group 1
match input-interface GigabitEthernet2
!
policy-map Single_Rate_Two_Color
class TEST_QMAP
policy-map TEST_PM
policy-map polmap
class 1
bandwidth 2
interface GigabitEthernet2
service-policy output polmap
02-06-2020 10:23 PM
Hi,
In your sample config, the match input-interface GigabitEthernet2 and the service-policy output interface are the same; this QoS will be ineffective on this interface.
There are multiple ways to apply QoS effectively. I personally do the following to enforce QoS on a WAN link (non-encrypted, without any tunnel):
1) Classify the interesting traffic with the help of an ACL. It can be a specific session from one source subnet to a destination, or just match the source only.
access-list 100 permit ip x.x.x.0 0.0.0.255 any
class-map match-any C-QOS
match access-group 100
2) Create the policy map
policy-map P-QOS
class C-QOS
bandwidth 1000
3) Apply the policy map on the WAN interface in the outbound direction
interface gi0/0
service-policy output P-QOS
02-08-2020 08:34 AM
02-08-2020 08:40 AM
02-08-2020 11:36 AM
02-08-2020 01:13 PM
Yes, you can do that with encrypted traffic if the encryption is going to happen on the same router.
You can take advantage of the ToS fields.
Cisco IOS Software Release 11.3T introduced support for IPsec and, along with it, the ToS byte preservation feature. With this feature, the router automatically copies the ToS header value from the original IP packet to the encapsulating IP header when IPsec in tunnel mode is used.
Refer to the document below:
Sample config:
Input Policy
access-list 150 permit ip x.x.x.0 0.0.0.255 y.y.y.0 0.0.0.255
!
! The access list above defines the traffic that will be encrypted
class-map match-any ingress-QOS
match access-group 150
policy-map setToS
class ingress-QOS
set ip precedence 1
!
interface gi 0/1
service-policy input setToS
Output Policy
class-map match-any egress-QOS
match ip precedence 1
!
policy-map wan1-shape
class egress-QOS
priority 5000 28000
...
interface gi0/0
service-policy output wan1-shape
!
! where gi0/0 is the outside interface where you applied your crypto for the VPN and gi0/1 is the LAN-facing interface
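The ToS copy that the sample config above relies on, modelled in Python as an added example (not part of the original post and not Cisco code). The addresses are constructed, the XOR step only stands in for ESP ciphertext, and the function names are hypothetical.

```python
import socket
import struct

ESP = 50  # IP protocol number for ESP

def checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, tos: int = 0) -> bytes:
    """Build a minimal IPv4 packet (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def precedence(pkt: bytes) -> int:
    """IP precedence is the top three bits of the ToS byte (header offset 1)."""
    return pkt[1] >> 5

def set_precedence(pkt: bytes, prec: int) -> bytes:
    """Model of 'set ip precedence N': rewrite the top 3 ToS bits, redo checksum."""
    tos = (pkt[1] & 0x1F) | (prec << 5)
    hdr = pkt[:1] + bytes([tos]) + pkt[2:10] + b"\x00\x00" + pkt[12:20]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + pkt[20:]

def tunnel_encap(inner: bytes, local: str, peer: str, copy_tos: bool = True) -> bytes:
    """Tunnel-mode model: inner packet becomes opaque payload, ToS is copied out."""
    opaque = bytes(b ^ 0xA5 for b in inner)  # placeholder for ciphertext, NOT encryption
    return ipv4(local, peer, ESP, opaque, tos=inner[1] if copy_tos else 0)

def egress_class(pkt: bytes) -> str:
    """Model of 'match ip precedence 1' evaluated on the WAN-side (outer) header."""
    return "egress-QOS" if precedence(pkt) == 1 else "class-default"

# Constructed sample: a LAN packet of the kind access-list 150 would match.
lan = ipv4("10.1.1.10", "10.2.2.20", 17, b"constructed payload")
marked = set_precedence(lan, 1)                            # input policy on gi0/1
outer = tunnel_encap(marked, "192.0.2.1", "198.51.100.1")  # crypto on gi0/0
print(hex(outer[1]), egress_class(outer))                  # 0x20 egress-QOS
```

Without the copy (`copy_tos=False`) the same packet falls into class-default, which is why the output policy can only classify tunnelled traffic by a marking set before encapsulation. Because the outer header is not encrypted, the copied marking is visible to anything on the path.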
02-07-2020 10:04 AM