cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1597
Views
0
Helpful
11
Replies

QOS on Cisco 1841 between MS TMG and managed Cisco 1841?

EildonHousing
Level 1
Level 1

Replicating our VM data from our Site A to a Hosted Provider (Site B) for DR purposes.

Crude annotaion of our network:

VIRTUAL HOSTS-----NORTEL L3 SWITCH-----MS TMG 2010 EDGE FIREWALL-----ISP MANAGED CISCO 1841-------------------CLOUD---------------SITE B

At times the replication traffic is hogging the connection and causing degraded performance for VPN clients amongst other things.

TMG 2010 doesn't support QOS and we cannot make any changes to the ISP managed Cisco router, nor can we request changes to be made.

My plan was to get a hold of a small switch that supported QOS and place this between the MS TMG and the managed router but we actually have another Cisco 1841 sitting doing nothing, would I be able to use the spare 1841 for this purpose?

Many thanks

Steve

11 Replies 11

Joseph W. Doherty
Hall of Fame
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

A concern with using an 1841, how much bandwidth would it have to deal with?

What's sourcing the replication traffic and does it use TCP?

Would the 1841 be upstream or downstream (or both) of the replication traffic?

Hi Jospeh,

Thanks for the reply.

Site A has a 10Mbps symmetrical down/up connection and Site B has 100Mbps sym down/up, so at the most 10Mbps.

Using VMware SRM (with vsphere replication). Yes the actual ongoing replication traffic will be TCP but there will be some UDP traffic although I wouldn't need to meter this traffic, just the replication traffic.

I guess it would be both upstream and downstream because after a test or an actual DR event, we would fail the data back the way but that scenario is going to be rare (I hope!), in which case I can remove the router for the purpose of that exercise, so doesn't necessarily have to be downstream as well.

Steve

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.


Posting

10 Mbps is around the limits of an 1841.  It might or might not have enough capacity.  You could try using it and monitor its CPU when it's dealing with saturated 10 Mbps.

You can police or shape before the 10 Mbps bottleneck.  That will insure you can guarantee bandwidth for the non-replication traffic.

You can only police after the 10 Mbps bottleneck.  If the replication traffic is TCP based, dropped packets should slow the sender, but the sender can often still burst saturate the link before it detects the drops and slows.  If you set a very low bandwidth allowance for the replication traffic, you can often keep it from burst saturating the link.  The other issue with policing, it cannot dynamically allow bandwidth utilization (i.e. prioritization) as you can do with a shaper.

If most of the replication traffic bandwidth consumption is one way, insert the 1841 anywhere upstream (where all traffic will pass through it) of the 10 Mbps bottleneck, and shape or police.  I would recommend shaping with a very low bandwidth allowance for replication (e.g. 1%).  This will allow replication traffic to use all 10 Mbps, but any other traffic will get priority.

If the replication traffic bandwidth consumption is two way, you'll really want a 2nd device, on the other side of the bottle neck.

PS:

BTW, in lieu of shaping, having your upstream (of bottleneck) also with a physical 10 Mbps interface works even better.  Again, de-prioritize the replication traffic.

e.g.

class-map replication

match

policy-map phy-10m

class replication

bandwidth percent 1

(optionally random-detect)

class class-default

fair-queue

int 10m

service-policy output replication

Sorry to come back to this so late, just getting round to trying to implement this, been held up elsewhere.

Can I go back a level and ask about the actual networking on the 1841 that will be intercepting the managed router and the TMG. Fairly new to this, studying for my CCNA just now, so bear with me.

Currently the TMG is in Edge Firewall mode so is the internet facing point for the network. Which means it has 2 NICs, one NIC with a connection to the internal network and the other NIC to the external network (directly connected to the managed Cisco router). And this external NIC uses one of the public addresses in the /28 address block we have assigned from our ISP. And obviously the managed router also uses one of the public addresses.

So by putting the intercepting 1841 between the TMG and the managed router, by my estimations we are going to need to pinch 2 of our public addresses for the 2 ports on the 1841 so that it is networkable?? Am I being dense, is there an easier way to do this??

Using up 2 addresses isn’t an issue we have 2 spare. Also, moving provider in about 4 months and this provider will supply a router I can implement QOS, so this is just a stop gap.

Tried to give the 2 Ethernet interfaces each an address in the public address range but the second one failed with ‘overlaps with fasteothernet0/0’. Which is what I would expect because they have the same subnet (255.255.255.240) but are different logical networks. Can I do VLSM with public addresses or am I barking up the wrong tree??

Not sure if I am seeing this from the wrong angle

Steve

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

You might either place the 1841 between the Nortel switch and the firewall (i.e. internally) or you might place it on the external interface of the firewall, but in that case, you would need to bridge the two ports, not route them.

Hi Joseph,

Apologies , more delays in getting a look at this.

Set up the bridging - thanks for that.

With reference to the the 10m phys adapter, I am assuming i would need to set the speed on both the interfaces in the bridge to 10. they are currently at 100 - matching the TMG interface and the connected interface on the ISP managed Cisco. Problem is, the ISP prohibits changes so can't get them to change that interface to 10Mb to match.

Have had problems with mismatch in speeds before so don't really want to go down route of 10Mb on one and 100Mb on other.

Going to create a separate class-map for all traffic and shape to 10MB, then add that service-policy to the bridged interface, can you tell me if I have this correct before I implement it??


   class-map all-traffic-on-int-class
   match any
   exit


   policy-map all-traffic-on-int-policy
   shape average 10000000

   exit
  
  

class-map replication
match
exit


policy-map phy-10m
class replication
bandwidth percent 1
exit


class class-default
fair-queue

exit


int
    service-policy output all-traffic-on-int-class
service-policy output replication
exit

Many thanks,

Steve

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

Your hiearchal policy would be similar to:

policy-map shape10M

class class-default

shape average 10000000

service policy sample

policy-map sample

class replication !like your class-map

bandwidth percent 1

fair-queue !if HQF

class class-default

fair-queue

int !NB: haven't tried a policy on a bridged interface

service-policy output shape10M

Thanks very much for quick reply, appreciated!

You were right, get a 'GTS not supported on this interface' 

Can I apply the policy on both interfaces on the bridge, or even one of them?

Steve

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Don't know, have almost no experience with routers configured to do bridging.

What you could do, is place the 1841 in-line between the Nortel L3 switch and the FW.  You should be able to create a new routed link.

EildonHousing
Level 1
Level 1

Ok cool - I'll do some testing with that

What you could do, is place the 1841 in-line between the Nortel L3 switch and the FW.  You should be able to create a new routed link.

If I place it internally am I not sill going to need to bridge the interfaces, because the L3 switch and the internal NIC on the TMG both have an IP in the same range?

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Yes, which is why I suggested you define a new routed link (this would be either from the Nortel to the inserted 1841, or from the inserted 1841 to the FW).  If you control internal addressing and devices, you should be able to do so.

Review Cisco Networking for a $25 gift card