
http://www.taringa.net/posts/linux/10743306/calidad-de-servicio-_qos_-sobre-routeros.html

Quality of Service (QoS) on RouterOS



QoS, or Quality of Service, is the set of technologies that guarantee the transmission of a given amount of data within a given time (throughput); put simply, the ability to deliver a good service. It matters most for applications such as video or voice. In this article we will see how to discriminate traffic by type of service (HTTP, FTP, SSH, HTTPS, etc.) and by transfer direction (DOWNLOAD and UPLOAD), which is a great help when giving priority to critical services.

First of all, the organization must have a network policy that spells out which services (or applications) are allowed. Then the priority each of them will get has to be defined. The table referred to here (columns Port, Service, Priority and Protocol) is not reproduced on this page; from it, HTTP, HTTPS, DNS, SMTP, IMAP, IMAPS and RDP have priority 1 (the highest). Now we will see how to define all of this on a MikroTik RouterOS.

For resource reasons I decided to identify most services by port: port matching uses fewer router resources and is easier to process, because the router only has to dissect the packet up to the transport layer. I only use Layer 7 for Skype. If you are interested in Layer 7, here is an address with regular expressions that help your router identify applications: http://l7-filter.sourceforge.net/protocols (the skypeout and skypetoskype patterns used below have to exist under /ip firewall layer7-protocol before the mangle rules can reference them).

Transfer direction (download or upload) is in this case identified by source and destination port: if the packet carries the application's port in SRC-PORT (source port) it is DOWNLOAD, because the external server is sending it to you. Analogously, if the packet carries the application's port in DST-PORT (destination port) it is UPLOAD, because the client is sending the request to an external server. Two limits of this heuristic are worth knowing: it assumes every server is outside and every client inside (a reply from a web server on the LAN has source port 80 and is still marked as download even though it leaves through the public interface), and FTP passive-mode data connections use negotiated ports, so they land in the catch-all "redundant" marks below rather than in ftp_download/ftp_upload.

In the RouterOS mangle we mark the packets. passthrough=no ends processing in the chain, so a packet gets exactly one mark from postrouting, that of the first rule that matches; the mark all set in prerouting only survives on packets that none of the postrouting rules re-mark. Two corrections to the listing as originally posted: the HTTP UPLOAD rule also carried connection-mark=users-con, a connection mark that is never defined in the post, so it is dropped here and the rule behaves like the other upload rules; and the four catch-all rules for unlisted ports matched on ports only, which meant an upload to an unlisted port (ephemeral source port, therefore "not in the list") was caught by the download rule that comes first. They now also match on out-interface, using the interface names from the queue tree (LOCAL is the LAN side, SALIDA the internet side).

 ;;; I mark all packets; this mark is read by the parent queues Download and Upload
 chain=prerouting action=mark-packet new-packet-mark=all passthrough=no
 ;;; HTTP DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=http_download passthrough=no protocol=tcp src-port=80
 ;;; HTTP UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=http_upload passthrough=no protocol=tcp dst-port=80
 ;;; HTTPS DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=https_download passthrough=no protocol=tcp src-port=443
 ;;; HTTPS UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=https_upload passthrough=no protocol=tcp dst-port=443
 ;;; MSN: connection to the MSN server and text messages /DOWNLOAD/
 chain=postrouting action=mark-packet new-packet-mark=msn_texto_download passthrough=no protocol=tcp src-port=1863
 ;;; MSN: connection to the MSN server and text messages /UPLOAD/
 chain=postrouting action=mark-packet new-packet-mark=msn_texto_upload passthrough=no protocol=tcp dst-port=1863
 ;;; MSN: file transfer /DOWNLOAD/
 chain=postrouting action=mark-packet new-packet-mark=msn_archivos_download passthrough=no protocol=tcp src-port=6891-6900
 ;;; MSN: file transfer /UPLOAD/
 chain=postrouting action=mark-packet new-packet-mark=msn_archivos_upload passthrough=no protocol=tcp dst-port=6891-6900
 ;;; Skype To Phone - using L7
 chain=postrouting action=mark-packet new-packet-mark=skype_phone passthrough=no layer7-protocol=skypeout
 ;;; Skype To Skype - using L7
 chain=postrouting action=mark-packet new-packet-mark=skype_to_skype passthrough=no layer7-protocol=skypetoskype
 ;;; SMTP DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=smtp_download passthrough=no protocol=tcp src-port=25
 ;;; SMTP UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=smtp_upload passthrough=no protocol=tcp dst-port=25
 ;;; FTP DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=ftp_download passthrough=no protocol=tcp src-port=21,20
 ;;; FTP UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=ftp_upload passthrough=no protocol=tcp dst-port=21,20
 ;;; SSH DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=ssh_download passthrough=no protocol=tcp src-port=22
 ;;; SSH UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=ssh_upload passthrough=no protocol=tcp dst-port=22
 ;;; TELNET DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=telnet_download passthrough=no protocol=tcp src-port=23
 ;;; TELNET UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=telnet_upload passthrough=no protocol=tcp dst-port=23
 ;;; DNS TCP DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=dns_tcp_download passthrough=no protocol=tcp src-port=53
 ;;; DNS TCP UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=dns_tcp_upload passthrough=no protocol=tcp dst-port=53
 ;;; DNS UDP DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=dns_udp_download passthrough=no protocol=udp src-port=53
 ;;; DNS UDP UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=dns_udp_upload passthrough=no protocol=udp dst-port=53
 ;;; POP3 DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=pop3_download passthrough=no protocol=tcp src-port=110
 ;;; POP3 UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=pop3_upload passthrough=no protocol=tcp dst-port=110
 ;;; IMAP DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=imap_download passthrough=no protocol=tcp src-port=143
 ;;; IMAP UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=imap_upload passthrough=no protocol=tcp dst-port=143
 ;;; IMAP SSL DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=imap_ssl_download passthrough=no protocol=tcp src-port=993
 ;;; IMAP SSL UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=imap_ssl_upload passthrough=no protocol=tcp dst-port=993
 ;;; Windows Remote Desktop Protocol (RDP) DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=windows_remote_download passthrough=no protocol=tcp src-port=3389
 ;;; Windows Remote Desktop Protocol (RDP) UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=windows_remote_upload passthrough=no protocol=tcp dst-port=3389
 ;;; TCP PORTS OTHER THAN THE AGREED ONES - DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=puertos_tcp_download_redundantes passthrough=no protocol=tcp src-port=!80,443,1863,25,21,22,23,53,110,143,993,3389,20 out-interface=LOCAL
 ;;; TCP PORTS OTHER THAN THE AGREED ONES - UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=puertos_tcp_upload_redundantes passthrough=no protocol=tcp dst-port=!80,443,1863,25,21,22,23,53,110,143,993,3389,20 out-interface=SALIDA
 ;;; UDP PORTS OTHER THAN THE AGREED ONES - DOWNLOAD
 chain=postrouting action=mark-packet new-packet-mark=puertos_udp_download_redundantes passthrough=no protocol=udp src-port=!80,443,1863,25,21,22,23,53,110,143,993,3389 out-interface=LOCAL
 ;;; UDP PORTS OTHER THAN THE AGREED ONES - UPLOAD
 chain=postrouting action=mark-packet new-packet-mark=puertos_udp_upload_redundantes passthrough=no protocol=udp dst-port=!80,443,1863,25,21,22,23,53,110,143,993,3389 out-interface=SALIDA

Now that the packets are marked, we have to add a PCQ queue type. PCQ is a classless queuing type that can only do limitation. It is an improved version of SFQ without its stochastic nature. PCQ also creates sub-queues, based on the pcq-classifier parameter. Each sub-queue has a data-rate limit of pcq-rate and a packet-count limit of pcq-limit, and the total size of a PCQ queue cannot exceed pcq-total-limit packets. The MikroTik documentation illustrates this with packets classified by source address; here the classifier is a port, which yields one sub-queue per connection rather than per host, so a host that opens many connections gets a proportionally larger share.
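The direction heuristic in the mangle rules above can be checked offline before it is loaded onto a router. The following is an added example, not part of the original post and not RouterOS code: it models first-match-wins evaluation (what passthrough=no gives you) over constructed packets for a subset of the post's services, and shows what happens to a connection to an unlisted port depending on whether the catch-all rules match on ports only or also on out-interface. The interface names LOCAL and SALIDA are taken from the post's queue tree; the service subset, the packets and the class names are assumptions made for the example.

```python
"""Offline model of the post's mangle walk (added example, not RouterOS code).

Rules are evaluated top to bottom and the first match wins, which is what
passthrough=no gives you on the router. Interface names LOCAL (LAN side)
and SALIDA (internet side) follow the post's queue tree; the service
subset and the packets are constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Subset of the post's port table: port -> mark prefix.
SERVICE_PORTS = {80: "http", 443: "https", 25: "smtp", 22: "ssh",
                 53: "dns_tcp", 3389: "windows_remote"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    out_iface: str  # interface the packet leaves through (postrouting view)


@dataclass(frozen=True)
class Rule:
    """One mark-packet rule; a matcher left at None is 'not set'."""
    mark: str
    proto: str = "tcp"
    src_port: Optional[FrozenSet[int]] = None      # src-port=a,b
    dst_port: Optional[FrozenSet[int]] = None      # dst-port=a,b
    src_port_not: Optional[FrozenSet[int]] = None  # src-port=!a,b
    dst_port_not: Optional[FrozenSet[int]] = None  # dst-port=!a,b
    out_iface: Optional[str] = None                # out-interface=

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.src_port is None or p.src_port in self.src_port)
                and (self.dst_port is None or p.dst_port in self.dst_port)
                and (self.src_port_not is None or p.src_port not in self.src_port_not)
                and (self.dst_port_not is None or p.dst_port not in self.dst_port_not)
                and (self.out_iface is None or p.out_iface == self.out_iface))


def build_rules(catchall_by_interface: bool) -> List[Rule]:
    """Per-service rules as in the post (src-port = download, dst-port = upload),
    then the two TCP catch-alls for unlisted ports. With catchall_by_interface
    False the catch-alls match on ports only, as originally posted; with True
    they also require the exit interface."""
    rules = []
    for port, name in SERVICE_PORTS.items():
        rules.append(Rule(f"{name}_download", src_port=frozenset({port})))
        rules.append(Rule(f"{name}_upload", dst_port=frozenset({port})))
    listed = frozenset(SERVICE_PORTS)
    rules.append(Rule("puertos_tcp_download_redundantes", src_port_not=listed,
                      out_iface="LOCAL" if catchall_by_interface else None))
    rules.append(Rule("puertos_tcp_upload_redundantes", dst_port_not=listed,
                      out_iface="SALIDA" if catchall_by_interface else None))
    return rules


def classify(p: Packet, rules: List[Rule]) -> Optional[str]:
    """Packet mark the router would end up with, or None if no rule matched."""
    for r in rules:
        if r.matches(p):
            return r.mark
    return None


if __name__ == "__main__":
    # Constructed packets: a LAN client using ephemeral port 51000.
    samples = {
        "web reply to the client": Packet("tcp", 80, 51000, "LOCAL"),
        "client request to a site": Packet("tcp", 51000, 80, "SALIDA"),
        "client to unlisted 8080": Packet("tcp", 51000, 8080, "SALIDA"),
        "LAN web server reply out": Packet("tcp", 80, 51000, "SALIDA"),
    }
    for label, pkt in samples.items():
        print(f"{label:26s} ports-only={classify(pkt, build_rules(False))!s:34s} "
              f"with-iface={classify(pkt, build_rules(True))}")
```

The third sample is the one that matters: with port-only catch-alls the upload to port 8080 gets the download mark, and since the Upload tree has no child for that mark the packet leaves the public interface unshaped. The fourth sample shows the limit that remains even with the interface matcher: the per-service rules still take "source port 80" to mean download, so a server behind the router needs rules of its own.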

Go to queue types and add the queue subida (upload) with the classifier src-port and descarga (download) with the classifier dst-port. The classifier picks the field that identifies the client side of each connection: on a download the client's ephemeral port is the destination port, on an upload it is the source port, so every connection gets its own PCQ sub-queue.

[sadam@OMEGA] /queue type> print
 name="subida" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-port pcq-total-limit=2000
 name="descarga" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-port pcq-total-limit=2000

pcq-limit and pcq-total-limit are left at their defaults. pcq-rate=0 puts no cap on an individual sub-queue, so the sub-queues only share the parent's max-limit among themselves.

Once the queue types are created, go to the queue tree and add the following. Note that Download is attached to the local interface and Upload to the public one (the one that goes out to the internet): a queue tree hung on an interface only sees the packets leaving through it.

[sadam@OMEGA] /queue tree> print
 name="Download" parent=LOCAL packet-mark=all limit-at=0 priority=8 max-limit=1500k burst-limit=0 burst-threshold=0 burst-time=0s
 name="http_download" parent=Download packet-mark=http_download limit-at=0 queue=descarga priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="skype_to_skype_download" parent=Download packet-mark=skype_to_skype limit-at=0 queue=descarga priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="skype_phone_download" parent=Download packet-mark=skype_phone limit-at=0 queue=descarga priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="https_download" parent=Download packet-mark=https_download limit-at=0 queue=descarga priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="smtp_download" parent=Download packet-mark=smtp_download limit-at=0 queue=descarga priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="ftp_download" parent=Download packet-mark=ftp_download limit-at=0 queue=descarga priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="ssh_download" parent=Download packet-mark=ssh_download limit-at=0 queue=descarga priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="telnet_download" parent=Download packet-mark=telnet_download limit-at=0 queue=descarga priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="dns_tcp_download" parent=Download packet-mark=dns_tcp_download limit-at=0 queue=descarga priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="dns_udp_download" parent=Download packet-mark=dns_udp_download limit-at=0 queue=descarga priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="pop3_download" parent=Download packet-mark=pop3_download limit-at=0 queue=descarga priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="imap_download" parent=Download packet-mark=imap_download limit-at=0 queue=descarga priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="imap_ssl_download" parent=Download packet-mark=imap_ssl_download limit-at=0 queue=descarga priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="puertos_tcp_download_redundantes" parent=Download packet-mark=puertos_tcp_download_redundantes limit-at=0 queue=descarga priority=8 max-limit=500k burst-limit=0 burst-threshold=0 burst-time=0s
 name="windows_remote_download" parent=Download packet-mark=windows_remote_download limit-at=0 queue=descarga priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="puertos_udp_download_redundantes" parent=Download packet-mark=puertos_udp_download_redundantes limit-at=0 queue=descarga priority=8 max-limit=500k burst-limit=0 burst-threshold=0 burst-time=0s
 name="Upload" parent=SALIDA packet-mark=all limit-at=0 priority=8 max-limit=1M burst-limit=0 burst-threshold=0 burst-time=0s
 name="http_upload" parent=Upload packet-mark=http_upload limit-at=0 queue=subida priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="https_upload" parent=Upload packet-mark=https_upload limit-at=0 queue=subida priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="skype_to_skype_upload" parent=Upload packet-mark=skype_to_skype limit-at=0 queue=subida priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="skype_phone_upload" parent=Upload packet-mark=skype_phone limit-at=0 queue=subida priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="smtp_upload" parent=Upload packet-mark=smtp_upload limit-at=0 queue=subida priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="ftp_upload" parent=Upload packet-mark=ftp_upload limit-at=0 queue=subida priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="ssh_upload" parent=Upload packet-mark=ssh_upload limit-at=0 queue=subida priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="telnet_upload" parent=Upload packet-mark=telnet_upload limit-at=0 queue=subida priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="dns_tcp_upload" parent=Upload packet-mark=dns_tcp_upload limit-at=0 queue=subida priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="dns_udp_upload" parent=Upload packet-mark=dns_udp_upload limit-at=0 queue=subida priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="pop3_upload" parent=Upload packet-mark=pop3_upload limit-at=0 queue=subida priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="imap_upload" parent=Upload packet-mark=imap_upload limit-at=0 queue=subida priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="imap_ssl_upload" parent=Upload packet-mark=imap_ssl_upload limit-at=0 queue=subida priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="puertos_tcp_upload_redundantes" parent=Upload packet-mark=puertos_tcp_upload_redundantes limit-at=0 queue=subida priority=8 max-limit=500k burst-limit=0 burst-threshold=0 burst-time=0s
 name="windows_remote_upload" parent=Upload packet-mark=windows_remote_upload limit-at=0 queue=subida priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
 name="puertos_udp_upload_redundantes" parent=Upload packet-mark=puertos_udp_upload_redundantes limit-at=0 queue=subida priority=8 max-limit=500k burst-limit=0 burst-threshold=0 burst-time=0s

Compared with the listing as originally posted, three entries were corrected: http_download pointed at a queue type pcqdownload that is never defined (it now uses descarga like its siblings), windows_remote_upload used the built-in default type instead of subida, and a duplicated dns_udp_upload entry was dropped. The priorities are kept exactly as posted, including the asymmetric ones (FTP and POP3 are priority 8 on download but 6 on upload). Note also that the MSN marks set in the mangle (msn_texto_* and msn_archivos_*) have no leaf in this tree. A packet whose mark matches no child is not picked up by the parent's packet-mark=all either, so that traffic leaves the interface unshaped; either add leaves for those marks or drop the mangle rules that set them.
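Keeping a rule set like this consistent by hand is where the gaps above come from (a queue type that was never defined, marks that no queue consumes). As an added example, not the post's own script and not a MikroTik tool, the following Python generates the mangle rules and the queue tree from a service table like the one the post describes and then cross-checks the result: every packet mark set in the mangle must have a queue-tree entry, and every entry must reference a defined parent and queue type. The mark names, the PCQ types descarga/subida, the interfaces LOCAL/SALIDA and the 1500k/1M/500k limits are the post's; the five-service table and its priorities are a constructed excerpt, and the out-interface matcher on the catch-all rules is an addition explained in its comment.

```python
"""Generate the post's mangle + queue-tree config from a service table and
cross-check it (added example; not the post's script, not a MikroTik tool).

Names reused from the post: marks <service>_download/_upload and "all",
PCQ types descarga/subida, interfaces LOCAL/SALIDA, parent limits
1500k/1M and the 500k cap on the catch-all "redundant" queues. The
service subset and its priorities are a constructed excerpt of the
post's table.
"""
from typing import Dict, List, Set, Tuple

# (name, protocol, ports, priority): constructed excerpt of the post's table.
SERVICES: List[Tuple[str, str, List[int], int]] = [
    ("http", "tcp", [80], 1),
    ("https", "tcp", [443], 1),
    ("dns_udp", "udp", [53], 1),
    ("ssh", "tcp", [22], 6),
    ("ftp", "tcp", [21, 20], 8),
]
BUILTIN_QUEUE_TYPES = {"default"}  # shipped with RouterOS; the rest we define


def mangle_rules(services=SERVICES) -> List[str]:
    lines = ["/ip firewall mangle",
             "add chain=prerouting action=mark-packet new-packet-mark=all passthrough=no"]
    for name, proto, ports, _ in services:
        plist = ",".join(map(str, ports))
        base = f"add chain=postrouting action=mark-packet passthrough=no protocol={proto}"
        lines.append(f"{base} src-port={plist} new-packet-mark={name}_download")
        lines.append(f"{base} dst-port={plist} new-packet-mark={name}_upload")
    # Catch-alls for unlisted ports. The post negated the same port list for
    # TCP and UDP and matched on ports only; out-interface is added so that an
    # upload to an unlisted port (whose ephemeral source port is unlisted as
    # well) is not swallowed by the download rule that comes first.
    listed = ",".join(str(p) for _, _, ports, _ in services for p in ports)
    for proto in ("tcp", "udp"):
        base = f"add chain=postrouting action=mark-packet passthrough=no protocol={proto}"
        lines.append(f"{base} src-port=!{listed} out-interface=LOCAL "
                     f"new-packet-mark=puertos_{proto}_download_redundantes")
        lines.append(f"{base} dst-port=!{listed} out-interface=SALIDA "
                     f"new-packet-mark=puertos_{proto}_upload_redundantes")
    return lines


def queue_config(services=SERVICES) -> List[str]:
    lines = ["/queue type",
             "add name=descarga kind=pcq pcq-classifier=dst-port pcq-rate=0",
             "add name=subida kind=pcq pcq-classifier=src-port pcq-rate=0",
             "/queue tree",
             "add name=Download parent=LOCAL packet-mark=all priority=8 max-limit=1500k",
             "add name=Upload parent=SALIDA packet-mark=all priority=8 max-limit=1M"]
    leaves = [(f"{n}_download", "Download", "descarga", prio, "0") for n, _, _, prio in services]
    leaves += [(f"{n}_upload", "Upload", "subida", prio, "0") for n, _, _, prio in services]
    for proto in ("tcp", "udp"):  # unlisted ports: low priority and a hard cap
        leaves.append((f"puertos_{proto}_download_redundantes", "Download", "descarga", 8, "500k"))
        leaves.append((f"puertos_{proto}_upload_redundantes", "Upload", "subida", 8, "500k"))
    for name, parent, qtype, prio, maxl in leaves:
        lines.append(f"add name={name} parent={parent} packet-mark={name} queue={qtype} "
                     f"priority={prio} limit-at=0 max-limit={maxl}")
    return lines


def _kv(line: str) -> Dict[str, str]:
    """'add k=v k=v ...' -> dict (no value in this config contains whitespace)."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def check(config: List[str], interfaces: Set[str] = frozenset({"LOCAL", "SALIDA"})) -> List[str]:
    """Cross-check a config: every mark set in mangle has a queue-tree entry and
    every tree entry has a known parent and a defined queue type."""
    section, marks, types, tree = None, set(), set(BUILTIN_QUEUE_TYPES), []
    for line in config:
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall mangle":
            marks.add(_kv(line)["new-packet-mark"])
        elif section == "/queue type":
            types.add(_kv(line)["name"])
        elif section == "/queue tree":
            tree.append(_kv(line))
    names = {q["name"] for q in tree}
    problems = []
    for q in tree:
        if q["parent"] not in names and q["parent"] not in interfaces:
            problems.append(f"{q['name']}: unknown parent {q['parent']}")
        if "queue" in q and q["queue"] not in types:
            problems.append(f"{q['name']}: unknown queue type {q['queue']}")
    for m in sorted(marks - {q["packet-mark"] for q in tree}):
        problems.append(f"mark {m} is set in mangle but no queue-tree entry uses it")
    return problems


def full_config(services=SERVICES) -> List[str]:
    return mangle_rules(services) + queue_config(services)


if __name__ == "__main__":
    cfg = full_config()
    print("\n".join(cfg))
    print("# problems:", check(cfg) or "none")
```

The output is in the form accepted by the RouterOS terminal, so it can be pasted in as-is. Run check() over a listing exported from a router as well: on the listing as originally posted it would report the pcqdownload queue type and the four MSN marks that nothing in the tree consumes.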

You can see that every child queue has a priority, but only the TCP/UDP queues I call redundant get a limit. That is because we decided not to block the unauthorised ports but to give them a small amount of bandwidth and a low priority.

Two things to keep in mind when reading this tree. HTB priority only comes into play when the parent is saturated: every child is first given its limit-at (0 for all of them here), and priority then decides how the rest of the parent's max-limit is shared, with 1 served before 8. And identifying traffic by port is a shaping convenience, not access control: anything a user runs over port 80 or 443 inherits priority 1, and a service on an unlisted port is merely slowed to 500k rather than blocked, so the network policy this post starts from still has to be enforced in the filter rules, not in the mangle.
