Hi All,
I am trying to set up traffic shaping to prioritize traffic to or from all of my /24 public subnet over a single address (xx.xx.xx.253/32) in this subnet. What is the best map option without setting firm bandwidth limits? (DSCP, Precedence, CoS)
I have a NV3458 set up as a BGP router in front of my firewall that PATs all user traffic. I want to ensure that other VPN routers that connect to the BGP router's switch ports will have access first.
I think I understand the concept that I will mark the PAT'd users' packets with a lower value than all the rest of the packets and assume I will put this on the LAN Zone, but I am confused with all the options after that.
Sorry for such a newbie question, but I can't seem to get my head around this one. I have downloaded and read through the "CONFIGURING QOS in AOS" pdf. Are there any other documents or samples that would be better?
Thank you for asking this question in the support community. Is there any additional information you can provide such as a network diagram? I'm not sure which traffic and from where you are attempting to prioritize. If you get a chance, please provide some additional information about the design and what traffic you would like to prioritize.
Please, do not hesitate to reply to this post with any additional questions or information. I will be happy to help in any way I can.
Levi
I have 2 ISPs providing 10 MB each on eth0/1 y.y.y.y and eth0/2 z.z.z.z. The switchports are on VLAN67 (67.x.x.254/24) - the "LAN" side goes to a switch which has my firewall (67.x.x.253) and other VPN routers for vendor access to the DMZ. I want to give all 67.x.x.x IPs priority over 67.x.x.253 so the VPN traffic is guaranteed access in and out. I tried setting a QOS map at the eth0/1 & 0/2 to mark the VPN traffic as AF11 or AF12 but it didn't help.
I see the incoming traffic on Eth0/1 or Eth0/2 hit 97+% at times and the VPN tunnels collapse causing all kinds of business problems. I have attached a QOS status output of VLAN67 during a low traffic time period.
Thank you for replying with the additional information. There are several important things to keep in mind regarding quality of service (QoS).
In your application, without the firewall, and the WAN connection only being 10 Mbps, the unit will be able to process the traffic nearly at wire speed. However, for QoS to be implemented on an Ethernet interface, you will need to configure traffic-shaping, because by default, the unit will think it has the entire 100 Mbps bandwidth, when actually, it only has 10 Mbps. Therefore, you will need to add the command traffic-shape rate 10000000 to the WAN interface (Eth 0/2; Ethernet 0/1 is already hard set to 10 Mbps in the ADTRAN configuration).
In the configuration you attached, you do not have QoS set up outbound on either of the ISP-facing Ethernet interfaces. I would recommend configuring this, as that is where the network constriction point is (not the LAN). Since the LAN is 100 Mbps, but there will never be more than a theoretical max input from both ISPs of 20 Mbps, the unit will have no problems sending traffic toward the LAN; however, it could be congested when sending traffic outbound, which is why I would suggest setting the QoS maps on the WAN interfaces outbound.
Let me know what questions you have.
Levi
Levi,
Because most of my congestion on my WAN interfaces is inbound, I have set up some QOS maps to mark the packets coming in by their destinations and am limiting users' inbound traffic on each WAN interface by setting a 7MB out on the LAN interface. All other traffic has unlimited access. Does this make sense?
Here is the output from SHOW QOS MAP:
qos map eth0/1-ISP_A-IN
map entry 10
match ACL acl_vpns_DEST
set DSCP value to af31 (26)
map entry 20
match ACL acl_users_DEST
set DSCP value to af11 (10)
Interfaces using qos map eth0/1-ISP_A-IN:
eth 0/1:Input (enabled)
qos map eth0/2-ISP_B-IN
map entry 10
match ACL acl_vpns_DEST
set DSCP value to af41 (34)
map entry 20
match ACL acl_users_DEST
set DSCP value to af12 (12)
Interfaces using qos map eth0/2-ISP_B-IN:
eth 0/2:Input (enabled)
qos map LAN-OUTBOUND
map entry 10
match IP packets with a DSCP value of af31, af41
priority bandwidth: unlimited
map entry 20
match ACL AmazonAWS_IPs
class shape rate: 500 (kilobits/sec), average
map entry 30 match-all
match IP packets with a DSCP value of af11
match ACL acl_users_DEST
class shape rate: 7000 (kilobits/sec), average
map entry 40 match-all
match IP packets with a DSCP value of af12
match ACL acl_users_DEST
class shape rate: 7000 (kilobits/sec), average
Interfaces using qos map LAN_OUTBOUND:
vlan 67:Output (enabled)
ip access-list extended acl_users_DEST
permit ip any host 67.x.x.253 log
!
ip access-list extended acl_vpns_DEST
permit ip any 67.x.x.0 0.0.0.127 log
permit ip any host 67.x.x.249 log
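As an added illustration (not part of the thread or ADTRAN's software), this Python model walks constructed packets through the ACLs and QoS maps quoted above. It uses 67.0.0.0/24 as a stand-in for the masked 67.x.x.0/24 and leaves out the AmazonAWS_IPs entry, whose ACL is not shown in the post.

```python
import ipaddress

# Constructed placeholder: the post masks the subnet as 67.x.x.0/24.
SUBNET = "67.0.0."

def acl_match(addr: str, base: str, wildcard: str) -> bool:
    """AOS/IOS-style ACL test: wildcard bits set to 1 are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACLs from the post as (base, wildcard); 'host x' is wildcard 0.0.0.0.
ACLS = {
    "acl_vpns_DEST": [(SUBNET + "0", "0.0.0.127"), (SUBNET + "249", "0.0.0.0")],
    "acl_users_DEST": [(SUBNET + "253", "0.0.0.0")],
}

def acl_hit(name: str, dst: str) -> bool:
    return any(acl_match(dst, b, w) for b, w in ACLS[name])

# Inbound marking maps: first matching entry wins; otherwise DSCP stays 0.
INBOUND = {
    "eth 0/1": [("acl_vpns_DEST", 26), ("acl_users_DEST", 10)],  # af31, af11
    "eth 0/2": [("acl_vpns_DEST", 34), ("acl_users_DEST", 12)],  # af41, af12
}

def mark_inbound(wan: str, dst: str) -> int:
    for acl, dscp in INBOUND[wan]:
        if acl_hit(acl, dst):
            return dscp
    return 0

def lan_outbound_class(dscp: int, dst: str):
    """(map entry, action) as the LAN-OUTBOUND map would treat the packet."""
    if dscp in (26, 34):                       # entry 10: af31 or af41
        return (10, "priority unlimited")
    # entry 20 (AmazonAWS_IPs) omitted: that ACL's contents are not shown
    if dscp == 10 and acl_hit("acl_users_DEST", dst):   # entry 30 match-all
        return (30, "shape 7000 kbps")
    if dscp == 12 and acl_hit("acl_users_DEST", dst):   # entry 40 match-all
        return (40, "shape 7000 kbps")
    return (None, "default")

def classify(wan: str, dst: str):
    """Mark on the WAN ingress, then classify on the VLAN 67 egress."""
    dscp = mark_inbound(wan, dst)
    return (dscp,) + lan_outbound_class(dscp, dst)
```

Running it shows that destinations in .128 to .252 other than .249 fall through every entry into the default class, so they are neither prioritized nor shaped, which is a gap against the stated goal of favoring every host over .253.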
There are multiple changes I would recommend for this design and configuration.
First, I recommend you make the changes I mentioned in the previous post, so the traffic will be prioritized outbound (towards the public Internet).
Second, if the WAN interfaces are saturated inbound, then the ISP needs to setup QoS. As I mentioned previously, there will not be a bottleneck sending traffic out the 100 Mbps connection toward the LAN, but when the traffic arrives from the ISP, it will not have been differentiated between normal data or high priority data. There is little the ADTRAN can do at that point, because the traffic has already arrived.
Third, I recommend you review the Configuring Enhanced Ethernet Quality of Service guide, which will review all of the concepts and configurations you have questions about. Here is a conceptual configuration example based on the information you've provided (again, the inbound QoS policies from the ISP will have little to no effect if the ISP doesn't provide QoS, but I have added this portion per your request):
qos map WAN1-INBOUND 10
match ip list acl
set dscp <value>
!
qos map WAN2-INBOUND 10
match ip list acl
set dscp <value>
!
qos map TOWARD-LAN 10
match ip list first-important-traffic
bandwidth <value>
qos map TOWARD-LAN 20
match ip list second-important-traffic
bandwidth <value>
qos map TOWARD-LAN 30
match ip list third-important-traffic
shape average <value>
!
qos map WAN1-OUTBOUND 10
match ip list acl-outbound
bandwidth <value>
!
qos map WAN2-OUTBOUND 10
match ip list acl-outbound
bandwidth <value>
!
interface <WAN1>
qos-policy in WAN1-INBOUND
qos-policy out WAN1-OUTBOUND
interface <LAN>
qos-policy out TOWARD-LAN
If, after you've made the suggested changes, you have further questions, please let me know in a reply, but also please include the configuration.
Levi
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Levi