So I am starting to delve into the QoS settings and came across a question.
My current set up:
2 sites each with their own internet access.
The 2 sites are connected via VPN to route LAN and VOIP traffic.
SIP trunks come in to site 1.
ACL UDP_PORTS to match UDP port ranges for VOIP
ACL COMP_NET to match computer subnet
QOS Map MARK to use the UDP_PORTS ACL to mark as EF
QOS Map QUE to match EF marked packets
QOS Map LIMIT to limit remaining traffic to the remaining 100%
VLAN 1 inbound - MARK
VLAN 1 outbound - LIMIT
Eth 0/1 Outbound - QUE
Eth 0/1 has a traffic-shape rate of 10000000
So the assumption is that anything that has the SIP and RTP ports I define gets tagged with EF as they come into the router, that way I don't need to worry if the system or phone tags them or not, or what they tag them with or where in the local network they come from.
It then leaves the VLAN and goes out the Eth 0/1 interface, EF goes first then all the rest of the traffic gets what's left of the 10 meg (after the 25% that the NetVanta takes away initially, which leaves 7500000). The queuing should happen at this point before encapsulation to the VPN.
A VPN tunnel would also be subject to this rule since it is going out the eth 0/1 port as well?
If that is the case then some routers like the 3120 can pose an additional challenge since their VPN tunnels are good for about 2 meg.
Is there a way of directing the VOIP traffic across the VPN with the size of the tunnel in mind without limiting the upspeed to the SIP trunk provider and other internet traffic which would be non VPN traffic?
Can you see any flaws in the QoS I implemented?
I understand that everything is still subject to the public internet, I just want it leaving the sites under ideal conditions. (Easier to sleep at night knowing that it is the ISP's fault rather than mine.)
Thanks in advance
My Support ticket encompassed some of this but what was not on here has been addressed. What is on this thread I am still awaiting an answer to.
To reiterate in a condensed version:
A site has an upload bandwidth of say 10 meg
A VPN tunnel is good for 1 Meg
I have built my QOS with traffic shaping for the 10 meg, but since the VPN has a different throughput how could I traffic shape for that as well? Destination subnet?
Thank you for asking this question in the support community. If I understand the question, I believe it can be accomplished with Configuring Enhanced Ethernet Quality of Service (EEQoS) in AOS. Here is an example EEQoS configuration where all traffic is shaped to 10 Mbps, and within that QoS map, VPN traffic is further shaped to 1 Mbps.
qos map VPN 10
  match ip list ESP
  shape average 1000000
qos map SHAPING 10
  match ip list MATCHALL
  shape average 10000000
ip access-list extended ESP
  permit esp any any
ip access-list extended MATCHALL
  permit ip any any
I hope that makes sense, but please let me know if you have any additional questions. I will be happy to help in any way I can.
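As an added example that is not from this thread or from AOS itself, here is a small Python model of the design in the reply above: EF traffic is served first inside a 10 Mbps parent shaper, ESP (VPN) traffic is capped at 1 Mbps by a nested class, and everything else takes the remainder. The UDP port ranges and the traffic mix are constructed values, and the ESP class is evaluated on already-encapsulated packets, as the ESP access list in the reply does.

```python
"""Toy model of the hierarchical shaper in the reply above (constructed example)."""
from collections import defaultdict

# Constructed stand-ins for the thread's ACLs: UDP_PORTS covers SIP signalling
# and an RTP media range (assumed values); ESP is IP protocol 50.
UDP_PORTS = [(5060, 5061), (10000, 20000)]
ESP_PROTO, UDP_PROTO = 50, 17

def classify(pkt):
    """EF for packets the MARK map would tag, VPN for ESP, DEFAULT for the rest."""
    if pkt["proto"] == ESP_PROTO:
        return "VPN"
    if pkt["proto"] == UDP_PROTO and any(lo <= pkt["dport"] <= hi for lo, hi in UDP_PORTS):
        return "EF"
    return "DEFAULT"

def shape(packets, parent_bps=10_000_000, vpn_bps=1_000_000, window_s=1):
    """Serve one window of traffic: EF goes first, ESP is capped by the nested
    1 Mbps class, everything else takes what is left of the 10 Mbps parent.
    Returns (bytes sent per class, bytes held back per class)."""
    budget = parent_bps * window_s // 8                  # parent shaper, in bytes
    child = vpn_bps * window_s // 8                      # nested VPN shaper, in bytes
    offered = defaultdict(int)
    for p in packets:
        offered[classify(p)] += p["size"]
    sent = {}
    sent["EF"] = min(offered["EF"], budget)              # priority: EF never waits
    budget -= sent["EF"]
    sent["VPN"] = min(offered["VPN"], child, budget)     # child cap inside the parent
    budget -= sent["VPN"]
    sent["DEFAULT"] = min(offered["DEFAULT"], budget)    # remainder of the pipe
    held = {c: offered[c] - sent[c] for c in sent}       # what would queue or drop
    return sent, held

def constructed_traffic():
    """One second of made-up traffic: 20 RTP streams, some SIP, a busy VPN, bulk data."""
    pkts = [{"proto": UDP_PROTO, "dport": 10000 + 2 * i, "size": 200}
            for i in range(20) for _ in range(50)]                  # 200,000 B of RTP
    pkts += [{"proto": UDP_PROTO, "dport": 5060, "size": 600}] * 10   # 6,000 B of SIP
    pkts += [{"proto": ESP_PROTO, "dport": 0, "size": 1400}] * 3000   # 4.2 MB offered to VPN
    pkts += [{"proto": 6, "dport": 443, "size": 1500}] * 2000         # 3 MB of bulk TCP
    return pkts

if __name__ == "__main__":
    sent, held = shape(constructed_traffic())
    print("sent:", sent)
    print("held back:", held)
```

Running it shows the VPN class pinned at 125,000 bytes (1 Mbps) while EF is untouched and bulk traffic absorbs the squeeze, which is the behaviour the two shape statements are meant to produce.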
I think I got the gist of what you outlined. I will need to study it a bit more though to implement with my current config.
I do have one question about VPN throughputs.
I have 3 sites.
Each site has a VPN to the two other sites.
1) Site A has a 1335 with a VPN throughput of 15 Mbps.
Is that 15 Mbps per tunnel or a cumulative 15 Mbps (7.5 Mbps each for the 2 tunnels)?
2) Sites B and C each have a 3448 with a VPN throughput of 30 Mbps.
For the tunnels that connect back to site A, should those be shaped down to the 15 Mbps/7.5 Mbps? (Based upon the answer to 1.)
3) How much additional impact on the Routing - VPN Enabled (IMIX Traffic) = 30Mbps (EFP) does the QOS & Shaping enabled (IMIX Traffic) have?
4) What about two different tunnels with 2 different throughputs, such as Site B that has a 30 Mbps to Site C but only a 15 Mbps to site A? (Or however much it is parsed out in the answers to 1 and 2.)
The AOS Feature Matrix - Product Feature Matrix lists the general throughput capabilities of AOS units. The throughput values listed there are total, dynamic values, but often don't account for multiple/various features running concurrently, which could also reduce processing power and throughput. For example, the NV1335 has a total throughput of 15 Mbps when only VPN is enabled. If only one VPN is active at a certain point, then it can use the full 15 Mbps, but if two VPN tunnels are being used at the same time, then they would share that bandwidth based on which tunnel was requiring bandwidth at a given time.
For a typical design like this, the main location has the highest bandwidth (i.e. 30 Mbps in your example), and the remotes have the smaller throughputs (15 Mbps each). Therefore, if both of the remotes were transmitting at full speed to the main location, it would total 30 Mbps inbound at the main location. Are the speeds you mentioned above what you saw on the Product Feature Matrix, or are those the actual Internet speeds at each of those locations?