ebs_it

Cisco Router Latency

I'm noticing latency on one of my inbound connections.  The circuit is a DS3 provided by Verizon and it has a Cisco 3800 series router (managed by my company).  

My external clients connect to the home office via a Citrix Access Gateway (SSL VPN) and 70% of our traffic is HTTPS. I'm wondering if it would be in my best interest to place an inbound QOS for the following protocols:

443 - HTTPS
2598 - Citrix Session Reliability
1494 - Citrix ICA

If so, how would I go about enabling this on my device?  

Config listed below:
Building configuration...


Current configuration : 3726 bytes
!
! Last configuration change at 11:11:09 PCTime Thu Apr 2 2009 by r00t
! NVRAM config last updated at 10:24:55 PCTime Thu Apr 2 2009 by r00t
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname u257905
!
boot-start-marker
boot-end-marker
!
card type t3 1
security authentication failure rate 3 log
no logging buffered
enable secret 5 **********************
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip name-server 198.6.1.5
ip name-server 198.6.1.4
ip name-server 198.6.1.2
frame-relay switching
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1918427529
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1918427529
 revocation-check none
 rsakeypair TP-self-signed-1918427529
!
!
crypto pki certificate chain TP-self-signed-1918427529
 certificate self-signed 01
        quit
!
!
username r00t privilege 15 password 7 **********************
archive
 log config
  hidekeys
!
!
controller T3 1/0
 clock source line
 cablelength 10
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $FW_INSIDE$
 ip address **.***.187.193 255.255.255.224
 no ip unreachables
 ip route-cache flow
 duplex full
 speed 100
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 no ip unreachables
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface Serial1/0
 description $FW_OUTSIDE$
 ip address ***.***.44.110 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 no ip mroute-cache
 dsu bandwidth 15790
 no cdp enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 36000
!
ip http server
ip http authentication local
ip http secure-server
!
no cdp run
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 180 0
 password 7 **********************
 login
line aux 0
line vty 0 4
 exec-timeout 180 0
 password 7 **********************
 login
 transport input telnet
 transport output none
!
scheduler allocate 20000 1000
ntp update-calendar
!
end
Reddustee

Not sure if I understand your setup correctly, but I shall try.
Firstly, you may want to determine the line usage on the DS3 in both the incoming and outgoing directions.
Inbound QoS is usually not effective because if the link were already congested, the traffic would already have been dropped / delayed before reaching your router.
Are the clients accessing a server at this location, where the 3800 is, with more of the traffic being download for them (i.e. upload from your site up to the DS3)? If yes, then maybe outbound/egress QoS will be more useful.
ebs_it

ASKER

Yes, clients are accessing an appliance/gateway at the same facility as the 3800 but behind a firewall.  Inbound/Outbound are pretty consistent with one another.

Could you provide the commands for egress QOS?  I'd like to set it up for the following ports 443, 2598, 1494.

 
If there isn't any congestion or high usage on the DS3 line, then QoS is not going to help.
By the way, the actual subscribed bandwidth from Verizon is not DS3, is it? Because I noticed that you've put a "dsu bandwidth 15790" in your config.
ebs_it

ASKER

The service is a DS3 provided by Verizon.  We've only committed to 15mb of bandwidth but it does allow for bursting up to the 45mb.
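
An egress class-based queueing policy for the three ports listed in the question, applied to the Serial1/0 interface from the posted config, could look like the following. This is an added example, not a reply from anyone in the thread; the ACL, class-map and policy-map names and the 50 percent figure are assumptions.

```cisco
! Added example; CITRIX-HTTPS-OUT, CITRIX-HTTPS, WAN-EGRESS and "50" are assumed values.
! Traffic leaving Serial1/0 is gateway-to-client, so 443/2598/1494 are TCP source ports.
ip access-list extended CITRIX-HTTPS-OUT
 permit tcp any eq 443 any
 permit tcp any eq 2598 any
 permit tcp any eq 1494 any
!
class-map match-all CITRIX-HTTPS
 match access-group name CITRIX-HTTPS-OUT
!
policy-map WAN-EGRESS
 ! Minimum bandwidth guarantee for the matched traffic during congestion
 class CITRIX-HTTPS
  bandwidth percent 50
 ! Everything else shares the remainder with flow-based fair queueing
 class class-default
  fair-queue
!
interface Serial1/0
 service-policy output WAN-EGRESS
!
! Check per-class match and drop counters from exec mode:
!   show policy-map interface Serial1/0
```

The `bandwidth` guarantee only takes effect while the interface is congested, so the per-class counters show whether the policy is doing anything on this link.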