
Managing Bandwidth on my network

My network looks as follows:

10Mbps Internet Circuit>>Cisco 2821 Router>>Cisco ASA5510>>Cisco 4506 Switch

In the past when a user was downloading something from the internet, that user could essentially take up all the bandwidth. This was a problem because a lot of my internal users use RDP over a site-to-site VPN I have configured on the ASA, and when a user was downloading a large file using all the bandwidth, these users' performance would suffer. So for web traffic I implemented the following policy on my Cisco 2821 Router:

! classify HTTP traffic (NBAR match)
class-map match-any web
 match protocol http
!
! police the web class to 5 Mbps (5,000,000 bps); excess packets are dropped
policy-map http
 class web
  police 5000000
!
! apply the policer inbound on the WAN interface
interface fa0/0
 service-policy input http

This made sure that web traffic only uses 5Mbps. Now, this is great for my users who use RDP over VPN as they have enough bandwidth now to do their job, but web users, especially my boss, are still not happy. If a user is downloading a file, that one user could essentially take up most of the 5Mbps allotted for web traffic, so if my boss is surfing the net, it's slow for him. Of course if we don't have any downloads going on, I have no complaints on web speed. Large downloads of files happen often at this office daily. I am trying to think of a creative way to make the boss happy. Is there a way, for example, to possibly always have 1Mbps at his disposal? The traffic policing is done on the WAN connection, so I'm not sure how I would ensure he always had at least 1Mbps at his disposal, or even if it's possible. Any thoughts?
Asked by: denver218
1 Solution
 
eeRoot commented:
Could you put the VIP's on their own VLAN with it's own IP subnet and give that range of IP's higher priority in the QOS statements?
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
Instead of policing a whole class to a limit, it might be better to prioritize the RDP (or other interesting traffic), which would move the RDP packets to the front of the queue ... problem is, on incoming traffic, you have to do that on the other side of the line ... e.g., most likely your provider would have to add that, as you can't change the way packets are received on your side ... also, with the current setup, all you are doing is discarding any packets that cause the >5M traffic, which essentially causes transmit window reduction for the TCP session ... this means the downloads are still (partially) using up more than the 5M you configured, but the users only get 5M (though, with the reduced window size, the problem is somewhat mitigated, resulting in RDP working a bit better). Again, this policing - if done - should be configured on the remote (sending) end ...
Bottom line, contact your provider and see if they are willing and able to set up QoS on your link with preference for "interesting" traffic (like RDP).
 
denver218 (Author) commented:
eeRoot, right now everyone is on the same VLAN. If I created a second VLAN for VIPs, could you give me an example of how I could give that VLAN higher priority? Thanks
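One way to express a per-host reservation inside the existing policed web class in IOS, added here as an editor's example and not the configuration of any participant in this thread. It assumes the VIP workstation is 192.168.10.50 (a constructed address) and reuses the class and policy names from the question; because the policy is applied inbound, downloads have the inside host as their destination, so the ACL matches on destination address.

```cisco
! Added example, not from the original thread. VIP address is constructed.
ip access-list extended VIP-HOSTS
 permit ip any host 192.168.10.50
!
! HTTP destined for the VIP host; listed first so it is matched before "web"
class-map match-all vip-web
 match protocol http
 match access-group name VIP-HOSTS
!
! all other HTTP traffic
class-map match-any web
 match protocol http
!
! 1 Mbps reserved for the VIP, 4 Mbps for everyone else (5 Mbps total, as before)
policy-map http
 class vip-web
  police 1000000 conform-action transmit exceed-action drop
 class web
  police 4000000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 description WAN
 service-policy input http
```

This hard-caps the VIP at 1 Mbps and the rest at 4 Mbps rather than letting either side borrow idle capacity, and, as Garry Glendown notes later in the thread, the drops happen only after the packets have already crossed the WAN link, so the 10 Mbps circuit itself is not protected from a greedy download.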
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
The uplink provider would have to support additional VLANs, and set QoS for the port usage appropriately ...
 
denver218 (Author) commented:
Well, I don't know that my provider can or will do that.  Is there any other way to accomplish this?
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
IMHO, nothing really efficient/effective ... with the throttling you're doing at the moment, you've done about as much as you can, limiting the effects on your incoming bandwidth, but not fixing the problem ..
In essence, it's like advertisement letters you get in your mailbox - you can decide to throw them away, but unless you can get your postman to deliver them any slower or not at all, that's all you can do ...
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
Having said that, of course if anybody knows a firewall that is able to do incoming throttling based on delaying outgoing ACK packets for TCP connection and forcing smaller transmit window sizes, this would help ... anyway, neither the 2821 (very sure) nor the ASA (relatively sure) do that as far as I know ... I know boxes like Fortigate firewall have pretty complex traffic shaping abilities, but I'm not sure in what way they take care of "overuse" of a connection ...
 
Fred Marshall commented:
I don't think you can fix this with QoS settings at the firewall level.  If you can then you're very clever or lucky.
Here's why:
You have conflicting demands that occur *at the same time*.   If that's not correct then you might be able to solve this.  But, I sense that it is correct.  That's because you say:
"If a user is downloading a file, that one user could essentially take up most of the 5Mbps allotted for web traffic, so if my boss is surfing the net, it's slow for him."
Well, this means that the boss would have likely been unhappy during big downloads before you put in the QoS limit - except the "outages" would have lasted half as long - so maybe not as noticeable?

Do you have a managed switch? Might you put in QoS on various switch ports? Then maybe the boss can be "wide open" while others in the facility have lesser performance.

Why do I think you need more bandwidth from the ISP?
You might check out fiber service or MPLS or whatever your ISP (or potential ISPs) offers.
 
denver218 (Author) commented:
My Cisco 4506 is a managed switch, but since it's older I don't know what kind of QoS it offers, if any. I will look into it.
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
It is able to do the QoS, but you're still in the same situation - you can only limit/manage the traffic AFTER it's already been on your WAN link ... so it may already have congested your connection, all you're doing at that point is possibly reducing the results ...
 
denver218 (Author) commented:
Thanks. So there is not really any kind of solution unless I can get the ISP involved. Is this the verdict? I will contact the ISP; I was just hoping I could do it on my equipment and not rely on the ISP. I am doubting they can or will do anything, but it's worth a phone call.
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
If it's a commercial ISP (well, ISP for commercial users), and they want to keep you as a customer (and keep getting your money), they ought to be flexible enough to get it working ... they may charge a bit extra, or a one-time setup fee, but it's not some magic they need to do, just some router configuration ;)
 
Fred Marshall commented:
If you manage QoS at the switch level then the packet transfers will be throttled back to the source.  There's no place for the WAN side to buffer an unknown amount of data.  The handshaking takes place between the source and the destination and, by extension, any intervening routers/switches.
 
Fred Marshall commented:
In other words, QoS at the switch could work for you.
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
But only as long as the buffers of the switch are able to buffer all the information coming in, e.g. during a download ... the policing offered by the 4500 Catalyst to my knowledge has the option to transmit with DSCP, but that would not be propagated towards the source, but rather only marked on the local packets ... there is no "exceed-action throttle" or similar ...
 
denver218 (Author) commented:
Thanks. I am currently working with my ISP to see what they can do for me.