Cisco – DSCP trust boundary

ciscodscpjuniperqos

I have performed some analysis and noticed that traffic coming in from the Internet contains a myriad of DSCP values. This traffic competes for voice and video resources on the internal network.

How do I establish a trust boundary where all incoming DSCP is rewritten to zero on Cisco and Juniper routers?

Best Answer

The following policy-map would work. Just apply this to the inbound of the WAN interface.

policy-map MARKDOWN
  class class-default
    set dscp default

Interface Config:

interface gig 0/1
  service-policy input MARKDOWN

Just saw the bit about juniper. The following I believe will work for JunOS.

interfaces {
  so-1/2/3 {
    unit 0 {
      rewrite-rules {
        dscp default;
      }
    }
  }
}

Related Solutions

Cisco – QoS woes – managed IP VPN

To answer your questions:

RDP traffic should get up to the 25% of the remaining bandwidth. Where the already reserved bandwidth is the 35% ( class-default gets 25% by default and EF get 10% ). So, if i'm right, you assigned ~665Kbps to RDP. Anyway you should check if you're dropping packets issuing the command below:

show policy-map <your wan interface> output class REMOTEDESKTOP

and checking for dropped packets.

Cisco assign a queue to each user-defined class that includes the bandwidth or police commands. To make a long-story simple those commands define the amount of bandwidth assigned to every queue during congestions.
In theory every TCP based stream should be OK with drops. In practice some of them aren't. Dropping precedence bits tell the routers what packets should be dropped, within a given class, before congestion happens. Since RDP is the only type of traffic defined in your REMOTEDESKTOP class, you should not worry about it.
Bandwidth percentage are not in order ( as Jeremy stated ).

That said, there are a lot of things that i would change in your configuration:

There are no matches between some of classes of the setTos and the useTos policy-map. For instance the one named AF-HIGH is processing no packets since no class in setTos sets DSCP to AF41.
BE class in setTos is somehow self-defeating since it makes the class-default class useless. Note that class-default is the only system-defined class and get the 25% of the bandwidth by default ( 100 - max-reserved-bandwidth ) .
bandwidth remaining percent is not the best options ( as Jeremy explained ). I would change it to bandwidth percent.
I would prefer to mark EF packets by myself and not to rely on the phones' settings.

Cisco – How to control WAN Download Bandwith on an ASA

If you think about it for a moment, you'll realize that the congestion is happening at the far end of your WAN circuit (i.e., at your provider). Their interface is not prioritizing real-time traffic, so you are seeing poor audio and video performance. It is as if you are at the finish line of an auto race, but your team can't get out of their driveway because of all the big trucks on the highway. Unfortunately, this means that there is not a lot you can do from your end. The traffic has already been delayed by the time it gets to you.

One possibility is to use a packet shaping appliance. This will control your FTP traffic by modifying the window size in the ACK packets your ftp server sends back. If the window size is reduced, the sender will have to slow down. This of course means buying another appliance, which you may not be able to do. But there isn't much you can do on the ASA.

You could also talk with your provider -- perhaps they would be willing to add some QoS on their side (doubtful, but worth asking).

Best Answer

Related Solutions

Cisco – QoS woes – managed IP VPN

Cisco – How to control WAN Download Bandwith on an ASA

Related Topic