Giving priority to traffic from one VLAN 2

primate

Hi,

I have an 877W with two VLANs. Staff use VLAN1, non-staff users use VLAN2. I want traffic from VLAN1 to have priority for the internet connection (ADSL). I either want to restrict the traffic from VLAN2 to a maximum throughput level thus guaranteeing a certain amount of bandwidth of the internet connection for VLAN1, or I need to make sure that packets from VLAN1 are pushed out to the internet before packets from VLAN2.

Is this possible? I've been reading various QoS guides on the Cisco website but seem to be going round in circles.
 
Thanks, I'll give those articles a read and let you know how I get on.
 
OK, so if I want to limit traffic from VLAN2 to a maximum of half the 1024/256 connection I would do something like this?

access-list 115 permit ip 172.31.17.0 0.0.0.255 any
access-list 116 permit ip any 172.31.17.0 0.0.0.255

class-map from_VLAN2
 match access-group 115

class-map to_VLAN2
 match access-group 116

policy-map upld_VLAN2
 class from_VLAN2
  bandwidth 128

policy-map downld_VLAN2
 class to_VLAN2
  bandwidth 512

int ATM0
 service-policy output upld_VLAN2
 service-policy input downld_VLAN2



Is this anywhere close to the mark? Do I need to put any other configuration info on the ATM interface?

Will this allow traffic from VLAN1 to use all the bandwidth when VLAN2 is not consuming bandwidth? But subsequently limit VLAN2 to half the bandwidth if both are using the connection, thus guaranteeing a proportion of the bandwidth will always be available for clients on VLAN1?
 
Your QoS config looks fine to me. I would just mention that you may need to enable ATM traffic shaping on your PVC, something like:

int atm0
 pvc 0/32
  vbr-nrt 2260 2260

Without some kind of ATM shaping in place, I don't think you will be allowed to apply the service policies.

Essentially you are reserving 50% B/W to VLAN2 during congestion. When not congested, either VLAN can utilise as much B/W as is available - those restrictions only kick in when your line is flooded with traffic.



 
Thanks for the response.

Quote: "Essentially you are reserving 50% B/W to VLAN2 during congestion. When not congested, either VLAN can utilise as much B/W as is available - those restrictions only kick in when your line is flooded with traffic."

Sorry to labour the point but I find this slightly counter-intuitive - are you saying that I'm reserving 50% for VLAN2 or limiting VLAN2 to using 50%? In my mind that's a big difference! If I'm reserving a proportion then would it be better to apply this to traffic from VLAN1 since that is the VLAN that I want to provide a higher priority to? - or should I lower the reservation even further for VLAN2 to ensure that VLAN1 gets the majority? Again, sorry for labouring the point but this is all new to me and hence more than a little confusing!

What do the numbers refer to in the traffic shaping statement? (vbr-nrt 2260 2260)
 
When you assign VLAN 2 50% during congestion, you are guaranteeing a minimum of 50% bandwidth for the users of that VLAN. Therefore there is a possibility for users of VLAN 2 to use more than 50% bandwidth during congestion.

Based on what you say, you may be right in reserving the minimum bandwidth for VLAN 1 instead and let VLAN 2 contend for the remaining bandwidth that is available.

The numbers in the traffic shaping correspond to Peak Cell Rate (PCR) and Sustained Cell Rate (SCR), written as:

vbr-nrt PCR SCR

In this example, PCR=SCR. 2260 cells equates to about 1mb.

 
Great, thanks for clarifying that and for the earlier responses, you've been a great help.
 
I've tried inputting the PCR value you suggested and on my router I can't input a value that high. The syntax for the command is shown as follows:

vbr-nrt ?
<32-288> Peak Cell Rate(PCR) in Kbps

Any suggestions?
 
Ah yes, I had a brain drain there: the settings on the vbr-nrt are not in cells per second but in kbps.

So you just need to specify the upload speed of your DSL connection which was 256k?

So your statement should read: vbr-nrt 256 256

Sorry for the confusion!
 
Hi,

I've had time to test this now and the results have been a little underwhelming in that, not much, if anything seems to happen.

I've tried both methods and all I really seem able to do is to actually reduce the performance for VLAN1 when using the LLQ method....

I appreciate these things are probably a little tricky to get working correctly on ADSL but is there anything obvious I should try in the config or any other methods you can suggest?

Thanks again.
 
what exactly are your symptoms here?
are you over utilizing the dsl line?

when creating your policies you may want to set it up with a bigger ratio like say.. 70% for vlan1 and 30% for vlan2

but you should also make sure you have some sort of rate-limiting or policing to ensure you don't try to push too much data into the dsl line or it will queue at your modem.. which will cause the internet to be sluggish for everybody...
 
the other solution which is not so nice to the users is to assign police values in your policy which will drop vlan2's traffic after a certain threshold..
 
Could you supply any URLs for guides to do this or a config example? As I've said I'm a complete neophyte to QoS so whilst in principle I understand what you mean I have no idea how to actually implement it.

Many thanks.
 
Thanks for that.

After reading the policing section, it seemed I could keep things simple and just limit traffic from (and perhaps to) VLAN2 to a specific bandwidth rather than trying to assign priorities. I thought it might be worth just trying to get this working first.

So I now have the following config on the router:

class-map match-all to_VLAN2
 match access-group 116
class-map match-all from_VLAN2
 match access-group 115
!
!
policy-map downld_VLAN2
 class to_VLAN2
  police 128000 conform-action transmit exceed-action drop
policy-map upld_VLAN2
 class from_VLAN2
  police 64000 conform-action transmit exceed-action drop
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  ubr 240
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy input downld_VLAN2
  service-policy output upld_VLAN2
 !
 dsl operating-mode auto
!
!
access-list 115 permit ip 172.17.0.0 0.0.0.255 any
access-list 116 permit ip any 172.17.0.0 0.0.0.255


Testing the bandwidth from VLAN2 still clearly shows that VLAN2 can consume the full bandwidth of the line, when I thought this config should drop any traffic exceeding 64kbps up? I'm using an online bandwidth testing tool and whilst I know these things aren't particularly accurate, I ran it three times before applying the policy and three times after and both sets showed the same upload rate of about 210 to 220kbps

If I run "sh policy-map int" I get the following output, which seems to show that nothing is being matched by the policies - I've triple checked the IP addresses in the access list:

ATM0: VC 0/38 -

  Service-policy input: downld_VLAN2

    Class-map: to_VLAN2 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 116
      police:
        cir 128000 bps, bc 4000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any


  Service-policy output: upld_VLAN2

    Class-map: from_VLAN2 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 115
      police:
        cir 64000 bps, bc 2000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      231 packets, 47395 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any


So do you have any further suggestions?
 
are you sure the access-lists aren't backwards in your to class maps?

reading it i think you may have your in and out backwards.
 
do you have a dialer interface? try putting the policies on that interface instead?
 
Hi,

Thanks for your continued help.

Changing the access-lists round and applying them to the dialer interface makes no difference; sh policy-map int still shows no matching packets except for in class-default like above.
 
I noticed the networks in post #4 do not match the ones in post #15. What networks are you trying to match, 172.17.0.0 or 172.31.17.0?

I was just reading and noticed that, not sure if those are what you are really using...

peace
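
The mismatch raised in the last post can be checked offline. The following is an added example, not part of the original thread: it applies Cisco wildcard-mask matching to the ACL lines from both posted configurations. The host and remote addresses are constructed, and it assumes VLAN2 hosts sit in 172.31.17.0/24, which the thread never confirms.

```python
import ipaddress

# ACL lines copied from the two configurations posted in the thread.
FIRST_CONFIG = """\
access-list 115 permit ip 172.31.17.0 0.0.0.255 any
access-list 116 permit ip any 172.31.17.0 0.0.0.255
"""
SECOND_CONFIG = """\
access-list 115 permit ip 172.17.0.0 0.0.0.255 any
access-list 116 permit ip any 172.17.0.0 0.0.0.255
"""

def parse_acls(text):
    """Parse 'access-list N permit ip SRC DST' lines into {N: [(src, dst)]}.
    Each side is None for 'any' or an (address, wildcard) pair of ints."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "ip"]:
            continue  # only the form used in the thread is handled
        sides, i = [], 4
        while i < len(tok):
            if tok[i] == "any":
                sides.append(None)
                i += 1
            else:
                sides.append(tuple(int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2]))
                i += 2
        acls.setdefault(int(tok[1]), []).append(tuple(sides))
    return acls

def side_matches(side, addr):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    if side is None:
        return True
    base, wildcard = side
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_permits(acls, number, src, dst):
    return any(side_matches(s, src) and side_matches(d, dst)
               for s, d in acls.get(number, []))

if __name__ == "__main__":
    host, remote = "172.31.17.25", "203.0.113.10"  # constructed sample addresses
    for name, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        acls = parse_acls(cfg)
        print(name, "upload:", acl_permits(acls, 115, host, remote),
              "download:", acl_permits(acls, 116, remote, host))
```

With a host in 172.31.17.0/24, only the first configuration's ACLs match; a class whose ACL never matches leaves all traffic in class-default, where no policer applies.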
 