01-21-2015 10:06 AM - edited 03-05-2019 12:37 AM
Hello,
I'm looking for some ideas regarding how we prioritise traffic into our MPLS WAN to and from our HQ LAN explained below.
We have 2 Cisco routers working in HSRP. The active router is a 1Gb line and the standby is 100Mb. Inbound, they then go into a stacked pair of 3750Gs, then into a pair of ASA5520s, again in active/standby, then into our LAN.
In the MPLS we have replication going from a site to our HQ and other traffic like Citrix and SQL. Anyway, Netflow on the ASA shows at times we hit the 450Mbps mark, which is their maximum throughput, and we then hit input errors which are mainly overruns. Most of this traffic is replication and I've been asked what options we have. Are these any good?
- Replace the ASAs to the 5525x which has 650mbps throughput or the 5545x which has 1gb? Very expensive.
- Install QoS into the MPLS, HSRP routers and ASAs to prioritise traffic and throttle replication down slightly.
- Policy-based routing, which my boss said they did in his last place on the 2 WAN routers to utilise both lines? Would a third router be required to control the policies and push to either router?
- Remove the ASAs and put the WAN straight into the LAN, as it is a private MPLS?
Thanks
01-21-2015 01:07 PM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
MPLS WAN, eh? If just one remote, do you control that router? If you control it, it should be simple to shape and prioritize on it. This would keep from overloading your ASAs and also guarantee performance for your Citrix traffic.
You can also police replication ingress on your HQ routers, but unless you police much lower than available bandwidth, it isn't very effective, especially when trying to support Citrix traffic.
Does your MPLS vendor offer any QoS support? Some do. Some charge extra for it, but if you have a multipoint WAN, it's often critical in providing different traffic different service levels.
01-21-2015 01:53 PM
We have access to all our routers in the WAN and can make changes within reason; for major changes I will ask them to help.
We have multiple remote sites that come into our HQ for the servers, but within the MPLS we have our DR site where we replicate to and from and another site where Citrix is hosted. At some point critical servers will move to where Citrix is. Anyway, when you say shape and prioritise, what are we talking about, QoS or some sort of policy-based routing? It's not something I have had experience in.
I'm going to ask the replication guys to look at DoubleTake & Veeam (replication software) first at the DR site to reduce the bandwidth it uses, but I guess I can get something simple running on the ASAs and the MPLS routers; otherwise I read it is just using FIFO. It would be nice to be able to just put replication down the priority list below Citrix, SQL etc.
01-21-2015 05:33 PM
I'm talking QoS, both what you might configure and what the MPLS provider might configure.
You asked about removing the ASAs. It would make QoS much easier/effective.
How you would use QoS would be, each site would, if there's outbound interface congestion, prioritize different traffic types differently. So, for example, Citrix traffic would be given priority over your replication traffic. You would also have your MPLS provider prioritize in a similar manner for traffic egressing their MPLS cloud to any one site. This way, something like replication can use all the available bandwidth, yet not be adverse to more "important" traffic.
If you need to keep your ASAs, and it's only the replication traffic from one site that pushes you beyond your ASAs' performance capacity, you can shape that traffic at the remote site and/or police that traffic as it enters your HQ site; or you could shape, at your HQ site, all traffic going toward your ASAs and prioritize it.
If advanced QoS is new to you, you might want to retain a network consultant. (Should be less expensive than replacing your ASAs.)
What I'm describing should work fine, because I used to support an international WAN, running over MPLS, which shared everything from replication to VoIP. Ports/links to MPLS often ran at 100% continuously during business hours, but it worked fine because QoS ensured traffic that needed certain bandwidth to work well, such as VoIP and/or Citrix, got it. Traffic like replication just used "left over" available bandwidth (which would push utilization to 100%, but as it was "background" priority, it wasn't adverse to other traffic).
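Added example, not configuration from this thread or from any poster: an IOS MQC configuration for the HQ WAN router that implements the "shape all traffic toward the ASAs and prioritize it" approach described above, plus the optional ingress replication policer. The ACL contents, the replication subnet, interface names and the rates are assumptions for illustration only.

```cisco
! Added example (not from the thread). Classify traffic: Citrix ICA on
! TCP 1494/2598 and SQL Server on TCP 1433; replication matched by an
! assumed DR-site source range.
ip access-list extended CITRIX
 permit tcp any any eq 1494
 permit tcp any any eq 2598
ip access-list extended SQL
 permit tcp any any eq 1433
ip access-list extended REPLICATION
 permit ip 10.200.0.0 0.0.255.255 any
!
class-map match-any INTERACTIVE
 match access-group name CITRIX
class-map match-any DATABASE
 match access-group name SQL
class-map match-any REPLICATION
 match access-group name REPLICATION
!
! Child policy: decides who wins once the parent shaper creates congestion.
! Citrix gets a low-latency queue capped at 20% so it cannot starve the rest;
! replication gets a small guarantee and otherwise only leftover bandwidth.
policy-map HQ-QUEUING
 class INTERACTIVE
  priority percent 20
 class DATABASE
  bandwidth percent 30
 class REPLICATION
  bandwidth percent 10
 class class-default
  fair-queue
!
! Parent policy: shape below the ASA 5520's ~450 Mbps ceiling so drops happen
! here, under the queuing policy, instead of as overruns on the ASA.
policy-map HQ-SHAPE
 class class-default
  shape average 400000000
  service-policy HQ-QUEUING
!
! Outbound on the interface facing the 3750 stack / ASAs (name assumed).
interface GigabitEthernet0/1
 service-policy output HQ-SHAPE
!
! Optional ingress policer on the MPLS-facing interface for replication only;
! as noted above, it only helps when set well below the available bandwidth.
policy-map HQ-POLICE-REPL
 class REPLICATION
  police cir 150000000 conform-action transmit exceed-action drop
interface GigabitEthernet0/0
 service-policy input HQ-POLICE-REPL
```

Verify behaviour under load with `show policy-map interface GigabitEthernet0/1`, which reports per-class offered rate, drops and queue depth, and confirm the ASA's interface overrun counters stop climbing.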