Hi,
I have been working on a QoS config for the 6500 w/o much luck. I hope
someone on this list has more insight than I have.
We're using a 6506 with PFC2/MSFC2 as our Internet router. Here is our
Internet config:
* We have an SMDS connection (HSSI on FlexWAN) to Verizon
* We have a GigE connection (VLAN2 on Port 2 on SUP2) to Yipes
* We have another GigE connection (VLAN1 on Port 1 on SUP2) to the
campus firewall (PIX)
Verizon Yipes
(HSSI) \ / (VLAN 2)
\ /
6506 switch (Internet router)
(VLAN 1)|
|
PIX
|
6506 switch (Choke router)
| |
(2)Alpine 3808 L2 switches
/ | | ... | \
Other campus L3 switches
Here is what I would like to do:
Students in the dorms are using KaZaa, etc. for P2P file sharing. Most
of their traffic is outbound, as others on the Internet pull files off
their PCs. This outbound traffic is saturating our two Internet links.
I do not want to simply block them with an ACL, as this gives the dorm
students an incentive to find other ways around the restrictions, making
more work for us.
Instead, what I would like to do is:
1) Restrict multiple dorm subnets outbound traffic to the Internet to
some fraction of total outbound traffic, e.g., no more than 15Mb outbound.
2) Within that restriction, I want to limit outbound KaZaa traffic (tcp
1214) to no more than some additional fraction, e.g., 1.5Mb outbound.
3) I also want to prioritize traffic so that any KaZaa traffic had the
lowest priority, SNMP had highest priority, WebCT traffic (port 4567)
has high priority and everything else has normal priority.
I understand I need to do ingress policing on VLAN1 to control the
outbound traffic. The way KaZaa works, once a connection is opened by
the client to some system on port 1214, the local or destination port is
registered with a series of servers ("Super Nodes") on the Internet.
Other KaZaa clients will use these servers to reach the local system,
circumventing our firewall. We would need to police the traffic, based
on the established connection.
After much reading, here is my attempt at a config to do this:
! CoS = DSCP = Description
!
! COS 6,7 = DSCP 48,56 = NetMgt
! COS 5 = DSCP 40 = Priority
! COS 4 = DSCP 32 = High
! COS 2,3 = DSCP 16,24 = Normal
! COS 0,1 = DSCP 0,8 = Low
!
set qos enable
set qos bridged-microflow-policing enable 1
!
set port qos 1/1 vlan-based
!
! Don't trust anything coming from the Campus Network...
!
set port qos 1/1 trust untrusted
!
! Set port default CoS to Normal (2)...
!
set port qos 1/1 cos 2
!
! Set up Input scheduling on 1p1q4t GE ports.
! Accept everything received on the interface...
!
set qos drop-threshold 1p1q4t rx queue 1 100 100 100 100
!
! Set up Policing...
! If policed, drop DSCP from Priority to High, High to Normal,
! and Normal to Low.
!
set qos policed-dscp-map normal 56:40 40:32 32:16 16,24:8 8:0
!
! Rate limit traffic...
!
set qos policer aggregate IN-LAN rate 10000 burst 300 drop
set qos policer microflow IN-NMS rate 1000 burst 30 policed-dscp
set qos policer microflow IN-SVC rate 100 burst 10 policed-dscp
!
! Dorm subnets, mark traffic Normal...
!
set qos acl ip IN-LAN-ACL dscp 16 aggregate IN-LAN ip 10.10.10.0 0.0.0.255
....
!
! KaZaa traffic, mark traffic Low...
!
set qos acl ip IN-LAN-ACL dscp 0 microflow IN-SVC tcp 10.10.10.0
0.0.0.255 1214 any established
!
! SNMP traffic, mark traffic from NetMgmt subnet...
!
set qos acl ip IN-LAN-ACL dscp 56 microflow IN-NMS udp 10.10.20.0
0.0.0.255 range 161 162 any established
!
! Set up Output scheduling on 1p2q2t GE ports...
!
set qos map 1p2q2t tx 3 1 cos 6,7
set qos map 1p2q2t tx 2 1 cos 4
set qos map 1p2q2t tx 2 2 cos 5
set qos map 1p2q2t tx 1 1 cos 0,1
set qos map 1p2q2t tx 1 2 cos 2,3
!
set qos drop-threshold 1p2q2t tx queue 1 60 80
set qos drop-threshold 1p2q2t tx queue 2 80 100
!
set qos wred 1p2q2t tx queue 1 0:50 0:100
set qos wred 1p2q2t tx queue 2 0:80 0:100
!
set qos wrr 1p2q2t 30 70
set qos txq-ratio 1p2q2t 70 15 15
!
commit qos acl all
set qos acl map IN-LAN-ACL 1
--- Am I on the right track with this? I'm having the most difficulty understanding how to use:1) the drop-threshold rx/tx commands. If I understand them correctly, these determine the mapping of DSCPs to queues and thresholds. How should one use this setting in this context? Do the values I'm using make sense?
2) the policed-dscp-map command. Am I right in thinking that the most a packet would be policed is once, or could a packet be moved from queue to queue?
3) the wred command. Do the values I'm using make sense?
4) the acl commands to set the DSCP to different priorities, then map the DSCPs to different queues/thresholds. Does the method and/or values I'm using make sense?
Most of the material from Cisco does not give enough examples, or rules of thumb to start from. Any help you give would be greatly appreciated.
Thanks.
-John
John Center Villanova University
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:58 EDT