QOS on PIX 515 version 7.0

Discussion in 'Cisco' started by rjmnyc, Jun 5, 2006.

  1. rjmnyc

    rjmnyc Guest

    Some of the users on my network are using testing software that is
    sensitive to latency.
    The software company recommends 100 pings as a test and they say
    anything more than 4 seconds will cause the test to reset. I ran their
    diagnostic as well as using the ping command and I did see some latency
    of 4 seconds and greater.
    LAN-- ISA 2000--PIX-515--Router(2600)--Internet

    If it makes any difference we are using 2 T-1's which are somehow bound
    together. I think I remember hearing some mention of express

    I used the following link to configure QOS on the PIX

    The problem is that I am not sure it is working. I did a 'sh
    priority-queue statistics' and my LLQ shows zero for all statistics. I
    guess the bigger questions is weather or not the problem is on my end
    and I'm not 100% sure what to ask my ISP.

    Anyway, using the Cisco document I came up with the following config:
    (I only included the changes to my config - I can post the entire
    config if needed).

    Thanks in advance for your help.

    access-list myQOS extended permit tcp xxx.xx.0.0 any
    access-list myQOS extended permit udp xxx.xx.0.0 any

    class-map inspection_default
    match default-inspection-traffic
    class-map QOS
    match access-list myQOS

    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect http
    inspect ils
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    policy-map QOS
    class QOS
    service-policy global_policy global
    service-policy QOS interface outside
    tftp-server inside tftp-root
    priority-queue outside
    queue-limit 1000
    tx-ring-limit 3
    priority-queue inside
    queue-limit 1000
    tx-ring-limit 3
    rjmnyc, Jun 5, 2006
    1. Advertisements

  2. Bonding together channels can, in some configurations, make a
    big difference to latency. It's worth asking about the details
    of the bonding. Is it using per-packet distribution -- if so then
    latency is going to be inconsistant. If it is not using per-packet
    then it must be using some combination of source and destination
    addresses to determine which channel to send any given packet over;
    you need to know what the combination is and you need to know
    your PIX NAT policy, so that you can figure out whether different
    inside hosts might take different channels to the destination --
    inconsistant latency if so, and possible underutilization of one
    link with congestion on the other link if the same channel is
    always used...

    I haven't investigated PIX 7 QOS; when I had a quick look at
    your configuration, my mental question was whether the QOS ACL
    has the source and destination in the correct places, and whether
    the public or private IP needs to be used for that ACL. At first
    glance, it looks like -maybe- you are applying QOS to -incoming-
    packets... either that, or applying QOS to all outgoing packets
    (destination 'any')
    Walter Roberson, Jun 6, 2006
    1. Advertisements

  3. rjmnyc

    rjmnyc Guest

    Hi Walter

    I was applying priority based QOS to incoming packets and pinging the
    destination to see if my QOS ACL showed any hits but it didn't. I
    ended up contacting Cisco and I was told that I was not getting hits
    because it was return traffic. They told me I had to configure QOS on
    outbound packets even though it was the inbound throughput that was
    very high (outbound was only at 30% of capacity). After I did this I
    could see the ACL's (in and outbound) showing hits. I also did a 'show
    priority-queue statistics' and I could see packet statistics in the low
    latency queue (LLQ).

    I hope it works.
    rjmnyc, Jun 7, 2006
  4. Applying QOS to inbound traffic is usually too late: the packet
    has already reached you and a fair bit of processing has already
    been done on it by the time the ACL is examined. You just might
    be able to shave a couple of microseconds off of latency by
    having the PIX prioritize the packet as it goes in through the PIX,
    but it probably wouldn't make that much difference.

    When QOS is applied to inbound packets, often the main purpose is
    to have the QOS drop TCP packets so that the normal TCP
    congestion control mechanisms kick in and cause the sender to
    slow down.
    Walter Roberson, Jun 7, 2006
  5. rjmnyc

    rjmnyc Guest

    Hi Walter

    Thanks for clearing that up.
    I am still experiencing latency > 4 seconds.
    Users are being bounced out of the application and Cisco is telling me
    I need to configure QOS on the router too. I asked Cisco if QOS is
    configured at the router what happens when the packets reach the next
    router. Would we have to configure every router on the Ineternet too?
    Verizon says either one (firewall or router) can be configured but they
    recommend the router. I'm really confused now. Any ideas?
    rjmnyc, Jun 7, 2006
  6. rjmnyc

    rjmnyc Guest

    I spoke with several people at Verizon. They told me the congestion is
    on the inbound traffic and that QOS would have to be configured at the
    Verizon ISP (another department). When I contacted the ISP they told me
    what I wanted to do was available through a product they offered and
    that I should call my salesperson.
    rjmnyc, Jun 8, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.