06-02-2005 07:41 PM - edited 03-05-2019 11:33 AM
Good Afternoon,
We are running VPN connections across three sites using ADSL. The connections seem to be slow. We have been told data shaping will fix the problem. Can someone point me in the right direction? We are using Cisco 1720 routers and PIX 515e for our VPN connections.
Thanks for your help
06-02-2005 09:45 PM
Hello Mark,
when you say that your connections are slow, are you referring to specific applications and protocols? Whatever QoS policy you are implementing depends on the traffic type you want to prioritize. Depending on the IOS version you are running on your routers, you could turn on NBAR (with the interface command 'ip nbar protocol-discovery') and then display the statistics with the exec command 'show ip nbar protocol-discovery'. Or you could use Netflow accounting (with the interface command 'ip route-cache flow') and then display the statistics with the exec command 'show ip cache flow'.
After you have determined what traffic you want to prioritize, there are numerous QoS configuration options (like the one in the document below).
Obviously, if your link is slow because of link saturation, any QoS can have only limited effects, since it does not actually increase the bandwidth (except maybe for compression).
If possible, post the configuration of one of your routers, as well as the applications/protocols you are running (e.g. Citrix). That way, I could suggest a configuration.
Here is an example of a QoS policy:
Configuring Per Site QoS for IPSec VPN using GRE Tunnel
Regards,
GP
06-03-2005 04:01 PM
Thank you for your response GP
Cheers!!!
06-04-2005 10:22 AM
Hi Mark,
this is the first time I have ever replied to a forum message, so here goes..
With relation to your VPN performance problem, traffic shaping might well be the answer; without doing some analysis it is difficult to say, as there could be a host of other factors, but here are some very general pointers... If you have an internet connection via ADSL / DSL / E1 / whatever .. and you are going into a PIX, there is a speed mismatch: the PIX assumes you are connected at 10 or 100Mbps, and until version 7.x PIX OS has had no intelligence whatsoever in egress traffic shaping. Basically, as an example on an IOS ethernet router, i.e. Ethernet0 is internal and Ethernet1 is connected to the cable modem / ADSL router / whatever.. you would create some sort of policy map to, at the very least, match all traffic and shape down its egress rate (apply the policy map outbound on Eth1) to something resembling your connection speed, e.g. 512000bps, using the "shape average" command under the policy map. Now you can easily be more granular and create a class-map to match important traffic such as Citrix / realtime apps etc. and give that a certain amount of bandwidth. If you are using voice, then create a priority queue matching your voice traffic, e.g. dscp 46, or ip prec 5 or whatever, and stick all other traffic under the default WFQ class. (WFQ is on by default on interfaces under E1 speed.) Now the PIX can't do this until v7, so look at upgrading; if you have control of the router connecting to ADSL in front of the PIX, then put your policies on the egress interface of the router, e.g. the dialer.
Do a search for LLQ and QoS on Cisco and you will find an explanation of CBWFQ (class based weighted fair queuing) and LLQ. The possibilities for matching traffic and giving bandwidth to certain apps / peers / traffic types are virtually endless. Let me know if you can't find some examples and I'll give you a few of the ones I have used.
All the best.
Julian
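The pointers in the post above, put together as an added IOS configuration example (not from any poster in this thread): a parent policy shapes the egress interface down to an assumed 512 kbps line rate, and a child policy gives voice (DSCP 46 / EF) a priority queue, reserves bandwidth for Citrix, and leaves everything else to WFQ. The interface name, rates, and the NBAR-based Citrix class are assumptions.

```cisco
! Classify voice by DSCP EF (46); adjust to ip precedence 5 if your phones mark that way
class-map match-any VOICE
 match ip dscp ef
!
! Citrix match relies on NBAR (see the earlier post); replace with an ACL if NBAR is unavailable
class-map match-any CITRIX
 match protocol citrix
!
! Child policy: LLQ for voice, guaranteed bandwidth for Citrix, WFQ for the rest
policy-map LLQ-CHILD
 class VOICE
  priority 128
 class CITRIX
  bandwidth 128
 class class-default
  fair-queue
!
! Parent policy: shape all egress traffic to the assumed 512 kbps ADSL uplink,
! then queue within that rate using the child policy
policy-map SHAPE-WAN
 class class-default
  shape average 512000
  service-policy LLQ-CHILD
!
! Ethernet1 is assumed to face the ADSL router; the shaper must sit on the egress side
interface Ethernet1
 service-policy output SHAPE-WAN
```

Verify the classes are actually catching traffic with 'show policy-map interface Ethernet1' before tuning the rates.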
06-05-2005 01:46 PM
Hey Julian,
Best reply from any forum I have seen in a long time. Thanks for the information. I will do my research on LLQ and QOS.
One question. How do I go about getting the latest IOS for our PIXs? Can I get it free? I do have SmartNet; is this enough?
Cheers,
Mark