5 Replies Latest reply on Dec 8, 2014 9:19 AM by levi

    traffic-shape rate and VPN and other QOS

    bflippen New Member


      So I am starting to delve into the QoS settings and came across a question.

       

      My current set up:

      2 sites each with their own internet access.

      the 2 sites connected via VPN to route LAN and VOIP traffic.

      SIP trunks come in to site 1.

       

      ACL  UDP_PORTS to match UDP port ranges for VOIP

      ACL COMP_NET to match computer subnet

      QOS Map MARK to use the UDP_PORTS ACL to mark as EF

      QOS Map QUE to match EF marked packets

      QOS Map LIMIT to limit remaining traffic to the remaining 100%

       

      VLAN 1 inbound - MARK

      VLAN 1 outbound - LIMIT

      Eth 0/1 Outbound - QUE

       

      Eth 0/1 has a traffic-shape rate of 10000000

       

      So the assumption is that anything that has the SIP and RTP ports I define gets tagged with EF as they come into the router, that way I don't need to worry if the system or phone tags them or not, or what they tag them with or where in the local network they come from.

      It then leaves the VLAN and goes out the Eth 0/1 interface, EF goes first then all the rest of the traffic gets what's left of the 10 meg. (After the 25% that the netvanta takes away initially which leaves 7500000). The queuing should happen at this point before encapsulation to the VPN.

      A VPN tunnel would also be subject to this rule since it is going out the eth 0/1 port as well?

       

      If that is the case then some routers like the 3120 can pose an additional challenge since their VPN tunnels are good for about 2 meg.

      Is there a way of directing the VOIP traffic across the VPN with the size of the tunnel in mind without limiting the upspeed to the SIP trunk provider  and other internet traffic which would be non VPN traffic?

       

      Can you see any flaws in the QoS I implemented?

       

      I understand that everything is still subject to the public internet, I just want it leaving the sites under ideal conditions. (Easier to sleep at night knowing that it is the ISP's fault rather than mine.)

       

      Thanks in advance

        • Re: traffic-shape rate and VPN and other QOS
          Employee

          billflippen - Thanks for posting your question on the forum!

           

          I see that you have opened a ticket with Adtran Technical Support. Could you follow up on this thread with the resolution?

           

          Thanks,

          Noor

            • Re: traffic-shape rate and VPN and other QOS
              bflippen New Member

              My Support ticket encompassed some of this but what was not on here has been addressed. What is on this thread I am still awaiting an answer to.

               

              To reiterate in a condensed version.

               

              A site has an upload bandwidth of say 10 meg

              A VPN tunnel is good for 1 Meg

              I have built my QOS with traffic shaping for the 10 meg, but since the VPN has a different throughput how could I traffic shape for that as well? Destination subnet?

                • Re: traffic-shape rate and VPN and other QOS
                  levi Employee

                  bflippen:

                   

                  Thank you for asking this question in the support community.  If I understand the question, I believe it can be accomplished with Configuring Enhanced Ethernet Quality of Service (EEQoS) in AOS.  Here is an example EEQoS configuration where all traffic is shaped to 10 Mbps, and within that QoS map, VPN traffic is further shaped to 1 Mbps.

                   

                  qos map VPN 10

                    match ip list ESP

                    shape average 1000000

                  !

                  qos map SHAPING 10

                    match ip list MATCHALL

                    shape average 10000000

                    qos-policy VPN

                  !

                  ip access-list extended ESP

                    permit esp any  any

                  !

                  ip access-list extended MATCHALL

                    permit ip any  any

                   

                  I hope that makes sense, but please let me know if you have any additional questions.  I will be happy to help in any way I can.

                   

                  Levi
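
Added example (not part of the original thread and not Adtran code): a small Python model of the nested shaping in the configuration above, with a 10 Mbps parent shaper for all traffic and a 1 Mbps child shaper for ESP. The packet size, burst depths and the choice to serve ESP before other traffic are assumptions of this model, not documented AOS behaviour.

```python
from dataclasses import dataclass

PKT_BITS = 10_000   # constructed input: fixed 1250-byte packets
TICK_MS = 1         # simulation step

@dataclass
class Shaper:
    """Token bucket: rate in bit/s, depth in bits."""
    rate_bps: int
    burst_bits: int
    tokens: int = 0

    def refill(self):
        earned = self.rate_bps * TICK_MS // 1000
        self.tokens = min(self.burst_bits, self.tokens + earned)

def simulate(esp_offered_bps, other_offered_bps, seconds=10):
    """Return achieved Mbps per class for the given offered loads."""
    # Rates mirror "shape average" in qos map SHAPING and qos map VPN.
    # Burst depths (20 ms at line rate) are an assumption of this model.
    total = Shaper(10_000_000, 200_000)
    vpn = Shaper(1_000_000, 20_000)
    backlog = {"esp": 0, "other": 0}
    sent = {"esp": 0, "other": 0}
    for _ in range(seconds * 1000 // TICK_MS):
        total.refill()
        vpn.refill()
        backlog["esp"] += esp_offered_bps * TICK_MS // 1000
        backlog["other"] += other_offered_bps * TICK_MS // 1000
        # ESP (matched by "permit esp any any") must pass BOTH shapers.
        # Serving it first is a modelling assumption.
        while min(backlog["esp"], vpn.tokens, total.tokens) >= PKT_BITS:
            for bucket in (vpn, total):
                bucket.tokens -= PKT_BITS
            backlog["esp"] -= PKT_BITS
            sent["esp"] += PKT_BITS
        # Everything else is limited only by the parent shaper.
        while min(backlog["other"], total.tokens) >= PKT_BITS:
            total.tokens -= PKT_BITS
            backlog["other"] -= PKT_BITS
            sent["other"] += PKT_BITS
    return {k: v / seconds / 1e6 for k, v in sent.items()}

if __name__ == "__main__":
    for esp, other in ((3_000_000, 20_000_000), (3_000_000, 2_000_000)):
        print(esp, other, simulate(esp, other))
```

In this model the tunnel stays at 1 Mbps even when the link is otherwise idle, while non-VPN traffic can still use the rest of the 10 Mbps.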

                    • Re: traffic-shape rate and VPN and other QOS
                      bflippen New Member

                      I think I got the gist of what you outlined. I will need to study it a bit more though to implement with my current config.

                      I do have one question about VPN throughputs.

                       

                      I have 3 sites.

                       

                      Each site has a VPN to the two other sites.

                       

                      1) Site A has a 1335 with a VPN throughput of 15mbs

                          is that 15mbs per tunnel or a cumulative  15 mbs (7.5 mbs each for the 2 tunnels?)

                       

                      2) Sites B and C each have a 3448 with a VPN throughput of 30 mbs.

                           for the tunnels that connect back to site A, should those be shaped down to the 15mbs/7.5mbs?(based upon answer of 1).

                       

                      3) how much additional impact on the Routing - VPN Enabled (IMIX Traffic) = 30Mbps (EFP) does the QOS & Shaping enabled (IMIX Traffic) have?

                       

                      4) What about two different tunnels with 2 different throughputs? Such as Site B that has a 30 Mbps to Site C but only a 15 Mbps to site A? (or however much it is parsed out the answers to 1 and 2).

                       

                      levi

                      noor

                        • Re: traffic-shape rate and VPN and other QOS
                          levi Employee

                          bflippen:

                           

                          The AOS Feature Matrix - Product Feature Matrix lists the general throughput capabilities of AOS units.  The throughput values listed there are total, dynamic values, but often don't account for multiple/various features running concurrently, which could also reduce processing power and throughput.  For example, the NV1335 has a total throughput of 15 Mbps when only VPN is enabled.  If only one VPN is active at a certain point, then it can use the full 15 Mbps, but if two VPN tunnels are being used at the same time, then they would share that bandwidth based on which tunnel was requiring bandwidth at a given time.

                           

                          For a typical design like this, the main location has the highest bandwidth (i.e. 30 Mbps in your example), and the remotes have the smaller throughputs (15 Mbps each).  Therefore, if both of the remotes were transmitting at full speed to the main location, it would total 30 Mbps inbound at the main location.  Are the speeds you mentioned above what you saw on the Product Feature Matrix, or are those the actual Internet speeds at each of those locations?

                           

                          Levi