Cisco QoS Guidance

I have a 10M connection to the internet that is hooked into a 100M port. I am getting started with QoS, and am hoping for a little guidance on setting it up on a Cisco 3825 router. Right now I am going forward with the idea that I have to implement it on my router, and the provider can't provide QoS for me.

How I envision it working is that the QoS will drop or queue packets on my router and that will help prevent a situation where the provider has to start dropping a lot of packets. Right now all I am tasked with is making sure that one of the 3 LANs gets a certain slice (say 3M for Gig Lan1) of the 10M internet connection (but ideally this will be more flexible in the future).

            10M Internet on 100M port on HWIC-4ESW
                  +-----------------------+
                  |                       |
         Gig Lan1 |      Cisco 3825       | Lan3 on HWIC-4ESW
                  |                       |
                  +-----------------------+
                          Gig Lan2

I need to learn more about QoS, but having a target technology and maybe example configuration will help me wrap my head around the reading I am doing a little more.

  • Which Cisco QoS Technology do you recommend for this particular situation?
  • Have a basic sample config of how this might work?

Right now the 10M line is not congested, so this is more to have something in place in case it starts to become mildly congested in the future.

I do have VOIP at one location connected to this one over the Internet that goes through a VPN tunnel. Everything else that is between this location and other offices is on a separate MPLS network.


Which bandwidth are you concerned about - outgoing or incoming? If you do not have control over the Service Provider's router, you can't achieve true QoS (when you can make sure certain kinds of traffic get more priority than others) for incoming traffic. What you can do though, is to limit certain traffic on your router, ensuring that the remaining portion is available to the target network. For example, you can limit traffic (or certain kinds of traffic, like streaming videos) on the LAN2 and LAN3 interfaces, which will guarantee that LAN1 always has 3 Mbit available.

In Cisco terminology this is called traffic policing (as opposed to shaping for true QoS). This document is a good start: http://www.ict-partner.net/en/US/docs/ios/12_2/qos/configuration/guide/qcfpolsh.html#wpxref40342


Seeing as how you have VOIP on the link, I'd probably go with something like this (I am assuming that your 10M WAN-facing port is nailed to 10 M, so won't use a hierarchical QoS policy to install a 10M shaper).

! classify voice as anything marked DSCP EF (Expedited Forwarding)
class-map voice
  match dscp ef
!
! voice goes into the strict-priority (LLQ) queue, everything else is
! fair-queued with WRED
policy-map outbound
  class voice
   priority [ insert voice bandwidth allocation here ]
  class class-default
   fair-queue
   random-detect
!
! attach the policy outbound on the WAN-facing interface
int Fa[whatever]
  service-policy output outbound

In order, this QoS policy defines your voice traffic (I am assuming you are allowing DSCP through your switch-fabric, otherwise use another criterion to match the traffic; you have full use of extended ACLs for matching) as anything tagged as "Expedited Forwarding" (this is standard for most hardware VoIP phones). The policy-map itself should be pretty straightforward: you set aside one chunk for voice traffic (count on ~100 kbps per simultaneous call for G.711, if you're using G.728 it's less) and the rest is fair-queued (giving as close as possible to an even allocation of bandwidth to all flows) and has WRED enabled, to avoid TCP Synchronisation.

In Cisco terms, a flow is defined as all packets having the same source and destination IP, source and destination ports, incoming interface and TOS.

TCP Synchronisation is when multiple TCP streams tend towards ramping up their transmission window at the same time, causing all the streams to congest the interface at the same time and then falling back at the same time, causing the "peak bandwidth" to have a pretty characteristic sawtooth shape over time. By discarding a few packets, from a few flows, this "sawtoothing" is smoothed out and you end up with more throughput.

EDIT: If you're primarily interested in dealing with "downloads", I would enable random-detect on the LAN interface; nothing you do, QoS-wise, on the traffic coming from the ISP is going to have any large impact, since the 10M limitation will already have happened. But, by using WRED on the traffic into the LAN (WRED only works on egress, as far as I am aware, so doing it on egress to the LAN is probably better than not doing it at all), you should at least avoid TCP synchronisation.

More edit:

There are two ways of enforcing a given speed on an interface. There's shaping, which only works outbound but will queue packets rather than drop them. There's also policing, which works both in- and out-bound and will drop any packets that exceed the specified limits. Both policing and shaping can define two limits, a lower limit and an excess on top of that; traffic in the "committed" rate can be handled differently than traffic in the "excess" and in the "violates" classes.

A policy that allows 3 Mbps outbound, using shaping, fair queueing and WRED would look something like:

policy-map 3Mbps
  class class-default
    shape average 3000000
    fair-queue
    random-detect

Apply this as an outbound policy on the LAN interfaces you're interested in keeping to "3 Meg or less" and you should be set.
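To make the policing-versus-shaping distinction above concrete, here is a small token-bucket model in Python. It is an added illustration, not code from this thread and not anything Cisco ships; IOS implements these mechanisms in hardware and software queues, and this only reproduces the behaviour the answer describes. The numbers are constructed for the example: a committed rate of 3 Mbit/s, a burst allowance (Bc) of 75,000 bits (25 ms of credit at that rate), 100 back-to-back 1500-byte packets arriving at 100 Mbit/s line rate, and a 64-packet queue limit for the shaper. Times are kept as exact fractions so the counts are reproducible instead of depending on floating-point rounding.

```python
"""Token-bucket model of policing versus shaping (added illustration,
not Cisco code and not from the original thread).  Both enforce the
same committed rate and burst; the policer drops packets that exceed
the bucket, the shaper queues them and only drops when its queue
overflows.  All traffic and parameters below are constructed."""
from collections import deque
from dataclasses import dataclass
from fractions import Fraction
from typing import Deque, List, Tuple


@dataclass
class Packet:
    arrival: Fraction   # seconds, exact
    size_bits: int


def make_burst(n: int, size_bytes: int = 1500, gap_us: int = 120) -> List[Packet]:
    """Constructed sample traffic: n back-to-back 1500-byte packets, one
    every 120 us, i.e. a download burst arriving at 100 Mbit/s line rate."""
    return [Packet(Fraction(i * gap_us, 1_000_000), size_bytes * 8) for i in range(n)]


class TokenBucket:
    """Tokens are bits; they accrue at rate_bps up to burst_bits (Bc)."""

    def __init__(self, rate_bps: int, burst_bits: int) -> None:
        self.rate = Fraction(rate_bps)
        self.burst = Fraction(burst_bits)
        self.tokens = Fraction(burst_bits)   # bucket starts full
        self.last = Fraction(0)

    def refill(self, now: Fraction) -> None:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now


def police(packets: List[Packet], rate_bps: int, burst_bits: int) -> Tuple[int, int]:
    """Policer (the 'police' behaviour): forward while tokens last, drop the
    excess immediately.  Returns (forwarded, dropped)."""
    bucket = TokenBucket(rate_bps, burst_bits)
    forwarded = dropped = 0
    for p in packets:
        bucket.refill(p.arrival)
        if bucket.tokens >= p.size_bits:
            bucket.tokens -= p.size_bits
            forwarded += 1
        else:
            dropped += 1          # exceed action: drop, nothing is queued
    return forwarded, dropped


def shape(packets: List[Packet], rate_bps: int, burst_bits: int,
          queue_limit: int = 64) -> Tuple[int, int, Fraction]:
    """Shaper (the 'shape average' behaviour): hold excess packets in a FIFO
    until enough tokens have accrued; drop only when the FIFO is full.
    Returns (forwarded, dropped, max_queueing_delay_seconds)."""
    bucket = TokenBucket(rate_bps, burst_bits)
    waiting: Deque[Fraction] = deque()   # departure times of queued packets
    forwarded = dropped = 0
    max_delay = Fraction(0)
    prev_departure = Fraction(0)
    for p in packets:
        assert p.size_bits <= bucket.burst, "Bc must hold at least one packet"
        while waiting and waiting[0] <= p.arrival:   # these have already left
            waiting.popleft()
        if len(waiting) >= queue_limit:
            dropped += 1          # tail drop: shaper queue is full
            continue
        now = max(p.arrival, prev_departure)   # FIFO: one packet at a time
        bucket.refill(now)
        if bucket.tokens < p.size_bits:
            # delay until the deficit has been earned back at the committed rate
            now += (p.size_bits - bucket.tokens) / bucket.rate
            bucket.refill(now)
        bucket.tokens -= p.size_bits
        prev_departure = now
        waiting.append(now)
        forwarded += 1
        max_delay = max(max_delay, now - p.arrival)
    return forwarded, dropped, max_delay


if __name__ == "__main__":
    burst = make_burst(100)
    print("police 3 Mbit/s:", police(burst, 3_000_000, 75_000))
    fwd, drp, delay = shape(burst, 3_000_000, 75_000)
    print(f"shape  3 Mbit/s: forwarded={fwd} dropped={drp} max_delay={float(delay):.3f}s")
```

Running it shows the trade-off in numbers: the policer passes the 75,000-bit burst plus whatever the 3 Mbit/s rate earns during the 12 ms burst (9 packets) and discards the other 91 outright, while the shaper forwards 73 and drops only the 27 that overflow its 64-packet queue, at the cost of a quarter-second of queueing delay for the last accepted packet. That delay is why the answer reserves shaping for bulk data and puts voice into a priority queue instead.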