to get most out of qos in general, would the best thing be to set up qos on both ends of a bottleneck with both ingress and egress filtering? the reason for asking is because we have a 2mbit connection with egress filtering qos, the problem is that we experience most downloads compared to uploads and therefore the egress filtering doesn't provide much help.

what we could do is to get ingress filtering on our side here, but i don't know how much that would help really, the data has already passed the bottleneck in the path. so, my question, would i experience any different delay if adding ingress filtering?

it is a 2mbit fiber stub network which looks pretty much like this:

lan - router - fw - isp - internet

the egress qos is at the moment at the router which pretty much says "prioritize interactive sessions".

since the filtering for qos is rather simple, just telnet/ssh to a certain host, should i contact my isp and ask them to set some egress qos going to our network on the cisco router that is at their place? btw, anyone know how good the qos is on cisco 2600?

thanks for your time, best regards

tomas bonnedahl

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
> to get most out of qos in general, would the best thing be to set up qos on
> both ends of a bottleneck with both ingress and egress filtering? the
> reason for asking is because we have a 2mbit connection with egress
> filtering qos, the problem is that we experience most downloads compared to
> uploads and therefore the egress filtering doesn't provide much help.
>
> what we could do is to get ingress filtering on our side here, but i don't
> know how much that would help really, the data has already passed the
> bottleneck in the path. so, my question, would i experience any different
> delay if adding ingress filtering?

Yes. A tcp connection will throttle down if you drop packets. But this is not the same as egress shaping.

> it is a 2mbit fiber stub network which looks pretty much like this:
>
> lan - router - fw - isp - internet
>
> the egress qos is at the moment at the router which pretty much says
> "prioritize interactive sessions".
>
> since the filtering for qos is rather simple, just telnet/ssh to a certain
> host, should i contact my isp and ask them to set some egress qos going to
> our network on the cisco router that is at their place? btw, anyone know
> how good the qos is on cisco 2600?

I have no idea how the qos works on cisco router. Just give it a try and see what happens.

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
well, if tcp throttles down at the point where packets are dropped is of course good, but still, when a download is peaking at the maximum speed minus a couple kbits, the delay is terrible, that's what i want to change. any idea?

regards,

tomas bonnedahl

On Wed, Feb 05, 2003 at 10:13:27PM +0100, Stef Coene wrote:
> Yes. A tcp connection will throttle down if you drop packets. But this is
> not the same as egress shaping.
>
> I have no idea how the qos works on cisco router.
> Just give it a try and see what happens.
yes, thanks for the idea, the reason i did not think of implementing this is that i cannot see how it would help, the data has already passed the bottleneck with no particular qos with regard to interactive sessions, which should mean, if i did egress on the fw's internal interface, that the ssh/telnet data would come in bursts from the fw to the host.

what i mean is this, i will try to illustrate it, (this is if the egress on the fw would be implemented);

data (most bulk traffic, some interactive session too) from the isp -> fw (buffer the bulk traffic, prioritize the session traffic) -> router and lan

this in turn would mean that after sending the session traffic the fw would send the bulk traffic in its buffer. meanwhile the fw has received additional session and bulk traffic, and so on.

maybe i'm missing something here?

thanks,

tomas

On Thu, Feb 06, 2003 at 09:55:37AM +0100, Rob Rankin wrote:
> Stick an egress filter on the LAN side of the firewall, and use it to
> control the *inbound* data from your ISP (downloads pass through the
> firewall and become *outbound* traffic on the LAN side / interface).
>
> Old style Ingress filtering in Linux is horrible. It's a blanket rule
> stating "if the bw gets above X, drop packets" with no real filtering
> capability.
>
> Using an egress filter on the opposite side of the firewall from the
> traffic flow does actually work, although I'm not entirely sure it's a
> "supported" configuration. For what it's worth, I have it setup exactly
> as I am suggesting on my firewalls, and it does actually work. Peak
> downloads are slowed down, interactive sessions do get higher priority,
> etc.
>
> The other alternative would be to use the IMQ logical network device,
> which allows the use of HTB for both ingress and egress filtering. I
> plan on moving to this type of setup as soon as I have a maintenance
> window long enough to drop the firewalls and bring them up to date with
> the new tools / patches necessary.
> Cheers, hope this was of some help.
> --
> Rob Rankin
> mahhy@undertow.ca
> http://undertow.ca
On Wednesday 05 February 2003 22:28, Tomas Bonnedahl wrote:
> well, if tcp throttles down at the point where packets are dropped is of
> course good, but still, when a download is peaking at the maximum speed
> minus a couple kbits, the delay is terrible, that's what i want to change.
> any idea?

You can give the download 98% of the link so there is always 2% available for something else. It also helps to throttle down _all_ incoming bandwidth to 99% of your link so _you_ are shaping and not your router.

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
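The setup Rob suggests (egress shaping on the LAN side of the firewall to control inbound downloads) combined with Stef's 99%/98% split, as an added example that is not code from the thread: an HTB tree on the LAN-facing NIC of the firewall (assumed name eth1), capped at 99% of an assumed 2000 kbit link, with ssh/telnet replies from one assumed remote host (10.0.0.5) placed in a small reserved class served ahead of the bulk class. Run with no arguments it only prints the tc commands; `--apply` pipes them to sh and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): shape downloads on the LAN-facing
# interface of the firewall, i.e. egress shaping on the internal NIC.
# Interface name, link speed and interactive host are assumptions.
set -eu

LINK_KBIT=2000              # the thread's 2 Mbit link, assumed as 2000 kbit
LAN_IF=eth1                 # assumed name of the fw's LAN-facing NIC
INTERACTIVE_HOST=10.0.0.5   # assumed remote host the ssh/telnet sessions go to

# Integer percentage of a rate: pct 2000 99 -> 1980
pct() {
    echo $(( $1 * $2 / 100 ))
}

# Emit the tc commands for one interface. Printing instead of running them
# keeps the script inspectable and lets it be dry-run without root.
build_tc_script() {
    iface=$1; link=$2; host=$3
    ceil=$(pct "$link" 99)      # stay below the link so the fw queues, not the ISP router
    bulk=$(pct "$ceil" 98)      # downloads get 98% of that...
    inter=$(( ceil - bulk ))    # ...so 2% is always reserved for interactive traffic

    cat <<EOF
tc qdisc del dev $iface root 2>/dev/null || true
tc qdisc add dev $iface root handle 1: htb default 20
tc class add dev $iface parent 1: classid 1:1 htb rate ${ceil}kbit ceil ${ceil}kbit
# interactive: small guaranteed rate, may borrow up to the ceiling, served first (prio 0)
tc class add dev $iface parent 1:1 classid 1:10 htb rate ${inter}kbit ceil ${ceil}kbit prio 0
# bulk: everything else (the default class), served after interactive (prio 1)
tc class add dev $iface parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${ceil}kbit prio 1
tc qdisc add dev $iface parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $iface parent 1:20 handle 20: sfq perturb 10
# packets coming back from ssh (22) and telnet (23) on $host -> interactive class
tc filter add dev $iface parent 1: protocol ip prio 1 u32 match ip src $host/32 match ip sport 22 0xffff flowid 1:10
tc filter add dev $iface parent 1: protocol ip prio 1 u32 match ip src $host/32 match ip sport 23 0xffff flowid 1:10
EOF
}

case "${1:-}" in
    --apply) build_tc_script "$LAN_IF" "$LINK_KBIT" "$INTERACTIVE_HOST" | sh ;;  # needs root
    *)       build_tc_script "$LAN_IF" "$LINK_KBIT" "$INTERACTIVE_HOST" ;;       # dry run
esac
```

Note that, as Stef points out later in the thread, this only throttles data that has already crossed the 2 Mbit link; it works because dropped and delayed packets make the remote TCP senders back off, which is why the cap sits at 99% rather than 100%.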
ok, thanks, one question though, you mean that i should use "regular" ingress qos?

this could raise some problems since i want to shape both traffic entering at a physical interface and traffic entering at a virtual ipsec interface. do you have any experience from this particular situation?

thanks,

tomas

On Thu, Feb 06, 2003 at 05:23:27PM +0100, Stef Coene wrote:
> You can give the download 98% of the link so there is always 2% available for
> something else. It also helps to throttle down _all_ incoming bandwidth to
> 99% of your link so _you_ are shaping and not your router.
>
> Stef
On Thursday 06 February 2003 17:29, Tomas Bonnedahl wrote:
> ok, thanks, one question though, you mean that i should use "regular"
> ingress qos?
>
> this could raise some problems since i want to shape both traffic entering
> at a physical interface and traffic entering at a virtual ipsec interface.
> do you have any experience from this particular situation?

No

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Stef,

Am I overlooking something obvious?

I'd suggest that Tomas throttles his bandwidth on transmit to the internal network. It is a router, so very little traffic will be initiated from the router itself.

Why not perform traffic control on packets transmitted to the Internet on the outward facing NIC.

Then perform traffic control on packets received from the Internet on the inward facing NIC.

What's wrong with this?

-Martin

: > well, if tcp throttles down at the point where packets are dropped is of
: > course good, but still, when a download is peaking at the maximum speed
: > minus a couple kbits, the delay is terrible, that's what i want to change.
: > any idea?
: You can give the download 98% of the link so there is always 2% available for
: something else. It also helps to throttle down _all_ incoming bandwidth to
: 99% of your link so _you_ are shaping and not your router.
:
: Stef
:
: > > > it is a 2mbit fiber stub network which looks pretty much like this:
: > > >
: > > > lan - router - fw - isp - internet
: > > >
: > > > the egress qos is at the moment at the router which pretty much says
: > > > "prioritize interactive sessions".

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
On Thursday 06 February 2003 17:49, Martin A. Brown wrote:
> Stef,
>
> Am I overlooking something obvious?
>
> I'd suggest that Tomas throttles his bandwidth on transmit to the internal
> network. It is a router, so very little traffic will be initiated from
> the router itself.
>
> Why not perform traffic control on packets transmitted to the Internet on
> the outward facing NIC.
>
> Then perform traffic control on packets received from the Internet on the
> inward facing NIC.
>
> What's wrong with this?

Euh nothing :) But you have the same problem. You are controlling already received data. So you can only hope that the other end of the link stops sending data if you drop packets.

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
: > I'd suggest that Tomas throttles his bandwidth on transmit to the internal
: > network. It is a router, so very little traffic will be initiated from
: > the router itself.
: > Why not perform traffic control on packets transmitted to the Internet on
: > the outward facing NIC.
: > Then perform traffic control on packets received from the Internet on the
: > inward facing NIC.
: > What's wrong with this?
: Euh nothing :)
: But you have the same problem. You are controlling already received data. So
: you can only hope that the other end of the link stops sending data if you
: drop packets.

Well, slap me with a wet fish! That's pretty obvious.

(Martin, neophyte with traffic control, returns to routing.)

Thanks, Stef,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
hm, the only way i see how to really get a hold on downloads is egress filtering on the isp side.

ingress filtering here is just a waste of time? partly because, as stef also said, the data is already received, so i can get the same effect with egress filtering on the internal interface of the fw, and partly because ingress filtering in linux is not well functioning?

thanks,

tomas

On Thu, Feb 06, 2003 at 11:01:08AM -0600, Martin A. Brown wrote:
> : But you have the same problem. You are controlling already received data. So
> : you can only hope that the other end of the link stops sending data if you
> : drop packets.
>
> Well, slap me with a wet fish! That's pretty obvious.
>
> (Martin, neophyte with traffic control, returns to routing.)
>
> Thanks, Stef,
>
> -Martin
On Thursday 06 February 2003 18:11, Tomas Bonnedahl wrote:
> hm, the only way i see how to really get a hold on downloads is egress
> filtering on the isp side.

Even that's too late. The isp has no control on the data that people are sending to you.

> ingress filtering here is just a waste of time? partly because, as stef
> also said, the data is already received, so i can get the same effect with
> egress filtering on the internal interface of the fw, and partly because
> ingress filtering in linux is not well functioning?

You can get the same effect. And ingress shaping works, but it's not so powerful.

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
i don't really see your reasoning here. of course my isp has no "control" of the data that other people are sending me, but if the sending party could do egress filtering on their nearest router on the path to reach me, my isp should be able to do the same?

the difference between my isp doing egress filtering and if i were to do egress filtering is that if the isp would do it, the data is yet to enter the bottleneck in the path and could be buffered there. was this what you meant?

thanks,

tomas

On Thu, Feb 06, 2003 at 06:22:04PM +0100, Stef Coene wrote:
> Even that's too late. The isp has no control on the data that people are
> sending to you.
>
> You can get the same effect. And ingress shaping works, but it's not so
> powerful.
>
> Stef