07-15-2022 07:10 AM
Hi Guys,
I have a question about QoS deployment in a network. I have recently started working on a project network where they don't have QoS configured at all. As a best practice, I was about to suggest a QoS configuration for this network. The current network connectivity is as below: Stacked Access Switches (C2960X) >> Distribution Switches (9500) >> Palo Alto Firewall >> Internet line, which is terminated on the FW.
If I want to plan QoS in the 1P3QxT style from Access towards Distribution, I don't believe QoS means anything to a plain internet line, unlike an MPLS link.
So if I can't have end-to-end QoS marking for traffic, should I go ahead with the QoS configuration or leave it as is? May I just configure it on Access and Distribution; will this be able to improve the traffic or not?
07-15-2022 07:19 AM
Hi,
What are you trying to accomplish? What problem are you trying to resolve? QoS is usually used for VoIP traffic, video traffic, and also if you have cameras installed in your environment. If you are not using any of these, I'm not sure what QoS will do for you. Also, in order for QoS to be effective, it needs to be done end-to-end.
HTH
07-15-2022 07:21 AM
There is all kind of traffic on the network, including VoIP and video along with CCTV. My question is, if I cannot configure it at the far end because of the internet line, is it even going to make any sense to have QoS? Is there then no way to structure traffic?
07-15-2022 07:51 AM - edited 07-15-2022 08:01 AM
Well, it depends on the issue. So, for example, if you have CCTV and the quality of the picture or video is not so good, and the cameras and viewing stations are all connected to your switches in one or multiple VLANs, configuring even just a default QoS on the access and distro switches will improve the quality. If the source and destination for the cameras are not within your environment (over the Internet), then deploying QoS may get more complicated, as you have no control over the Internet.
Overall, deploying QoS will require quite a bit of planning.
HTH
07-15-2022 08:04 AM
Thanks Reza for the input. So it means that if the destination is over the internet, regardless of the QoS configuration within the LAN, it is not going to help the network. Am I understanding it correctly?
07-15-2022 08:17 AM
QoS is really only necessary when there is congestion, within your network, that's adverse to application performance needs.
Generally, there are always some congestion points in almost any network, but again, the congestion might not be enough to be adverse to any application being subject to that congestion.
Applications like VoIP and CCTV, though, are often the kind of applications that are most sensitive to the impact of congestion.
Even if there's no current need for QoS, sometimes it's worthwhile to implement QoS to preclude future issues. E.g. your VoIP, today, is fine, but next week someone places some new applications on the network, e.g. some kind of data replication or backup, and then, VoIP suffers.
BTW, you don't need to do QoS end-to-end to get benefits from it, but when done end-to-end, it better covers possible future issues.
Also BTW, QoS can be used with Internet links, but much depends on how you're using the Internet link.
Also QoS "marking" isn't required for effective QoS, nor, ideally, is a QoS model, for you, based on some equipment supporting 1P3QxT.
In conclusion, insufficient information to say whether your network would currently benefit from a QoS implementation.
07-15-2022 10:27 AM - edited 07-15-2022 10:33 AM
Thank you Joseph for taking time to look into this. Let me tell you why I even thought about it.
My company network gets intermittent drops. Wired & wireless users lose connectivity abruptly for 10-20 seconds, and then connectivity is restored without any intervention. There is no pattern or trend as to who or when one might face a disconnection. It is really random. Some days you may face it more than once, and then there are a few days where no issue occurs.
Everyone accused every networking device that comes in between, like:
1. Access switches, which are stacked and of the C2960X model. Currently 6 switches are stacked in a single stack, and there are many stacks like this one on every floor. When wired users faced a disconnection, we checked the end ports for any flap/errors but found nothing. The port was up all the time when the user reported the network disconnection. Also, the switch does not show any other logs; it was clean. However, utilization remains high, close to 40%. That's the only issue I see.
CPU utilization for five seconds: 39%/0%; one minute: 40%; five minutes: 41%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
180 3606672262 345271674 10445 22.31% 22.24% 22.14% 0 Hulc LED Proces s
138 393 97 4051 0.35% 0.46% 0.11% 1 SSH Process
197 53842558 33236452 1619 0.35% 0.31% 0.30% 0 HRPC qos reques t
196 52545664 2776203 18927 0.29% 0.30% 0.29% 0 HQM Stack Proce s
143 35072069 13941580 2515 0.29% 0.31% 0.29% 0 hpm counter pro c
216 17766324 14696096 1208 0.29% 0.15% 0.12% 0 CDP Protocol
2. On the wireless side, the WLCs are 9800 series and working fine. They do have frequent SSO for an unknown reason, but we are working with Cisco TAC on that.
3. In this network, the L3 VLANs are not on the distribution switches but on the Palo Alto Firewall, which sits on top of the distribution switches. That FW is also acting as the DHCP server. Palo Alto TAC gave the FW a clean chit and said that isn't the one causing the issue. To me, the design looks weird from a network simplification standpoint; if it were up to me, I would have loved to bring the L3 SVIs down to the distribution switches, which are now acting as L2 transit.
4. We have cloud-based ISE authentication, and to rule out whether ISE causes this random disconnection or not, we have bypassed authentication for some users and put them under monitoring. We will run it for 2-3 weeks.
5. On the other side, I was just looking at the distribution switches (9500) and saw that all the port-channels going back to the stack switches as uplinks are having output drops, like below:
TwentyFiveGigE2/0/8 is up, line protocol is up (connected)
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 4740504
7605192960 packets output, 8202445279589 bytes, 0 underruns
TwentyFiveGigE2/0/9 is up, line protocol is up (connected)
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 1062546
10384258067 packets output, 7572393495144 bytes, 0 underruns
Maybe the drop ratio is not considerable compared to the output packets; however, I would feel more comfortable if these could be 0. Not sure if it is because of too much traffic coming to the uplink or vice versa. Access Switch <1 gig connection> Distribution Switch <10 gig connection> Firewall
So because of this, I thought of giving QoS implementation on the switches a try, as that may help with better queuing for congestion like this.
Sorry if I have confused you guys.
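To put a number on "the drop ratio is not considerable", here is an added Python helper (not from the thread or any Cisco tool) that parses the three "show interface" lines quoted per port above and reports output drops per million packets sent; the 100 ppm flag threshold is an assumed, arbitrary starting point, not a Cisco recommendation.

```python
import re

# Sample input: the condensed "show interface" lines quoted in the post above.
SAMPLE = """\
TwentyFiveGigE2/0/8 is up, line protocol is up (connected)
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 4740504
7605192960 packets output, 8202445279589 bytes, 0 underruns
TwentyFiveGigE2/0/9 is up, line protocol is up (connected)
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 1062546
10384258067 packets output, 7572393495144 bytes, 0 underruns
"""

IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is (?:up|down)")
DROPS_RE = re.compile(r"Total output drops: (\d+)")
OUT_RE = re.compile(r"(\d+) packets output, (\d+) bytes")


def parse_show_interface(text):
    """Return {interface: {"output_drops", "packets_output", "bytes_output"}} from IOS-style output."""
    stats = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:  # a new interface stanza starts here
            current = m.group(1)
            stats[current] = {"output_drops": 0, "packets_output": 0, "bytes_output": 0}
            continue
        if current is None:
            continue  # header noise before the first stanza
        m = DROPS_RE.search(line)
        if m:
            stats[current]["output_drops"] = int(m.group(1))
        m = OUT_RE.search(line)
        if m:
            stats[current]["packets_output"] = int(m.group(1))
            stats[current]["bytes_output"] = int(m.group(2))
    return stats


def drop_ppm(entry):
    """Output drops per million packets transmitted; 0.0 when nothing was sent."""
    if entry["packets_output"] == 0:
        return 0.0
    return entry["output_drops"] / entry["packets_output"] * 1e6


def flag_congested(stats, ppm_threshold=100.0):
    """Interfaces whose drop rate exceeds the (assumed) threshold, worst first."""
    hits = [(name, drop_ppm(e)) for name, e in stats.items() if drop_ppm(e) > ppm_threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)
```

Run on the sample, both uplinks come out above 100 ppm (about 623 and 102), which is why the counters alone cannot say whether the drops are harmless or microbursts hitting VoIP.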
07-15-2022 11:04 AM - edited 07-15-2022 11:06 AM
The fact that you see an interface with drops reveals congestion (enough to overflow the queue). The fact that the overall drop percentage is so low, though, doesn't ensure these drops aren't causing transient application performance issues, as often such drops occur in microbursts.
What switch link are these interfaces on? I.e. 2960X stack to 9500, the converse, 9500 to FW, the converse? (If I understand, correctly, what you wrote, these interfaces are from 9500 to stack?)
Personally, I too would prefer to see the gateway interfaces on the 9500 and leave the FW to just be a FW, but if you generally don't have, local site, VLAN<>VLAN traffic, and FW is beefy enough, it's not horrible using it as the gateways for the VLANs.
How is your Internet link used? I.e. site-to-site or multi-site VPN, general Internet traffic, some combination, etc.?