[c-nsp] Policing Question

Fred Reimer freimer at ctiusa.com
Tue Dec 4 14:03:41 EST 2007


It would help if standard terminology were used.  In and out
refer to traffic ingress and egress from a particular interface.
They can't apply to an Etherchannel connection, but do apply to
either end of the Etherchannel connection (with opposite
meanings, out on one end is in on the other).  With that said,
you can't shape on the inbound direction.  You can only shape on
the outbound, and different hardware has different capabilities.
Since the 6500 is a hardware based switch, it may not even have
usable shaping capabilities (all the queues are hardware queues).
Plus, you need to define what direction you want this shaping or
policing (customer bandwidth limiting for lack of a better term)
to occur.  Is it from the customer to the Internet, or from the
Internet to the customer, or both?  You'll also need to take a
look at the QoS capabilities of the particular modules you have
in that 6500.  Some of the modules have O.K. QoS capabilities,
and some of them don't as far as QoS is concerned.  Plus, if you
are using DEC (Distributed EtherChannel) you'll need to watch out
for the consistency checking done as far as QoS capabilities of
individual ports before they are allowed in the channel.
Something like no mls qos consistency-check rings a bell.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697




> -----Original Message-----
> From: Bill ford [mailto:billyford_11 at yahoo.com]
> Sent: Tuesday, December 04, 2007 1:42 PM
> To: Fred Reimer; Paolo Lucente
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Policing Question
> 
> 
> Thanks Guys..
> 
> So seeing the rough diagram depiction and Etherchannel
> between the Cat 3750 and Cat 6500, is it right to assume
> that Police will be applied to Etherchannel out direction
> and Shaping to Etherchannel in direction? Also there is no
> voice traffic.
> 
> Etherchannel out Police
> Etherchannel in shape
> 
> (Internet)--Cat3750--(L3 Etherchannel)--Cat6500---Customer
> 
> Also, can someone throw out the bc and be values for both shaping
> and policing for the Cat 6500 with the below requirement.
> 
> CIR of 4 Mbps and burst up to 8 Mb  based on availability.
> 
> Also check this URL link talking about burst rate
> calculation using policing on the Cat 6500; it looks a bit
> different than that on a router, especially with the Tc value
> mentioned as 0.00025 seconds. Paolo had given the
> calculation, however based on this document it looks to be a
> bit different on the Cat 6500.
> 
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
> 
> Thanks in advance for all your help.
> 
> Cheers,
> 
> Bill
> 
> 
> Fred Reimer <freimer at ctiusa.com> wrote:
> 
> 	I believe Paolo was trying to say that you don't want to do just
> 	policing for traffic to cap it at a maximum rate without having
> 	shaping somewhere in the picture. It is recommended to use
> 	policing for traffic such as VoIP, where you know the exact
> 	bandwidths and you can police any traffic over those rates,
> 	because the traffic should never exceed those rates. If you
> 	police general traffic you will get TCP synchronization, which is
> 	a bad thing. I'm assuming you don't do any CBWFQ preemptive
> 	dropping. If you have to do this and can't shape you should at
> 	least tell your customer that you will police at a given rate,
> 	and strongly recommend that they shape on their side of the
> 	connection. Policing to 10Mbps on a 100Mbps connection is NOT
> 	the same as having a 10Mbps connection. Shaping to 10Mbps on a
> 	100Mbps connection is not either, but it is a heck of a lot
> 	closer.
> 
> 	It also depends on what direction you plan on policing. In
> 	general you should shape on the outbound and police on the
> 	inbound, although you can police on the outbound also if you have
> 	traffic that should be policed, like VoIP or other constant
> 	bit-rate traffic. This, of course, depends on the capabilities
> 	of the particular hardware you are doing. Cisco has manuals for
> 	their hardware.
> 
> 
> 	Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> 	Senior Network Engineer
> 	Coleman Technologies, Inc.
> 	954-298-1697
> 
> 
> 
> 
> 	> -----Original Message-----
> 	> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bill ford
> 	> Sent: Tuesday, December 04, 2007 12:40 PM
> 	> To: Paolo Lucente
> 	> Cc: cisco-nsp at puck.nether.net
> 	> Subject: Re: [c-nsp] Policing Question
> 	>
> 	> Hi Paolo,
> 	>
> 	> Let me just summarize the scenario; maybe it was not clear.
> 	>
> 	> Find below a short depiction.
> 	>
> 	> ----(Internet)---Cat3750---(L3 Etherchannel)----Cat6500----Customer
> 	>
> 	> Planning to apply bandwidth restriction (policing) on the L3
> 	> Etherchannel between the 3750G and Cat 6500. Maybe this will
> 	> clear up the confusion a bit.
> 	>
> 	> Also check this URL link talking about burst rate
> 	> calculation using policing on the Cat 6500.
> 	>
> 	> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
> 	>
> 	> Any insight on this will be great..
> 	>
> 	> Cheers,
> 	>
> 	> Bill
> 	>
> 	> Paolo Lucente wrote: Hi Bill,
> 	>
> 	> 1)
> 	>
> 	> I would recommend you to police ingress traffic from the customer
> 	> and shape egress traffic to the customer. This gives you several
> 	> benefits including ease of configuration on your side (limited to
> 	> the 6509 box only) and smooth congestion management.
> 	>
> 	> If it's an un-managed CE solution, advise your customer he has to
> 	> shape egress traffic on his CPE. This is to avoid TCP traffic from
> 	> performing very badly when hitting your policer.
> 	>
> 	> 2)
> 	>
> 	> I believe it's the shaping Tc value you are referring to - but your
> 	> question is about policing. I would point the following two values:
> 	> Bc = (CIR/8)*1.5 = 786000; Be = 2*Bc = 1572000. This is basing on a
> 	> 4 Mbps CIR. Remember Bc/Be are expressed in bytes. Moreover, because
> 	> you want them to be able to burst beyond their CIR, you don't want
> 	> the "exceed-action drop" action there. You can simply replace it
> 	> with a "transmit" to make it working - but it wouldn't really make
> 	> sense: you want to mark the excess burst to be able to handle it
> 	> differently in periods of congestion.
> 	>
> 	> 3)
> 	>
> 	> If I understood correctly the etherchannel is a backbone link (P-P)
> 	> so the question doesn't really apply. Btw, as far as I'm aware there
> 	> shouldn't be any problems.
> 	>
> 	> Cheers,
> 	> Paolo
> 	>
> 	> On Tue, Dec 04, 2007 at 01:38:21AM -0800, Bill ford wrote:
> 	> > Guys,
> 	> >
> 	> > Need your help on this...
> 	> >
> 	> > Here is the scenario:
> 	> >
> 	> > We have a Catalyst 6509 with Sup 720 + Policy Feature Card 3 connected
> 	> > to the Internet gateway switch (Catalyst 3750G). We are running Layer 3
> 	> > etherchannel between the Cat 6509 and Cat 3750G.
> 	> >
> 	> > We need to restrict the bandwidth for one of the customers.
> 	> >
> 	> > Requirement is as follows:
> 	> >
> 	> > CIR of 4 Mbps and burst up to 8 Mb based on availability.
> 	> >
> 	> > Thinking of using policing with ACLs based on the public IP address
> 	> > range of the customer, however a few questions here.
> 	> >
> 	> > 1) Is it advisable to do policing only on the Cat 6509s in both
> 	> > directions and avoid doing any changes on the Cat 3750G? Is this the
> 	> > right way?
> 	> >
> 	> > 2) What should be the CIR, bc and be values to provide double the
> 	> > burst than CIR based on availability?
> 	> >
> 	> > Is the below statement correct? I believe the Tc value for Cat 6509s
> 	> > is 0.00025 seconds; the calculation is based on that.
> 	> >
> 	> > police cir 4194304 bc 2000 be 4000 conform-action transmit exceed-action drop violate-action drop
> 	> >
> 	> > 3) Are there any issues applying policing on L3 etherchannels in both
> 	> > ways on Cat 6509s?
> 	> >
> 	> > Any help will be appreciated.
> 	> > Thanks in advance,
> 	> >
> 	> > Bill
> 	>
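Added example, not code from the thread, from any of the posters or from Cisco: a single-rate three-colour token-bucket policer model (RFC 2697 style, two buckets in bytes refilled at CIR) that compares Bill's "bc 2000 be 4000" against Paolo's Bc = (CIR/8)*1.5, Be = 2*Bc for the 4194304 bps CIR, under a constructed one-second burst of 1500-byte packets at 8 Mbps. It assumes generic two-bucket behaviour and does not model the PFC3's 0.00025 s Tc interval or any hardware rounding.

```python
from collections import Counter

BITS_PER_BYTE = 8


def paolo_bursts(cir_bps: int) -> tuple[int, int]:
    """Bc and Be in bytes from the rule of thumb quoted in the thread."""
    bc = int(cir_bps / BITS_PER_BYTE * 1.5)
    return bc, 2 * bc


class Policer:
    """Two token buckets in bytes, committed (bc) and excess (be), refilled at
    CIR; committed-bucket overflow spills into the excess bucket (RFC 2697)."""

    def __init__(self, cir_bps: int, bc: int, be: int) -> None:
        self.rate = cir_bps / BITS_PER_BYTE      # bytes per second
        self.bc, self.be = bc, be
        self.tc, self.te = float(bc), float(be)  # buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        self.tc += self.rate * (now - self.last)
        self.last = now
        if self.tc > self.bc:                    # spill into excess bucket
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = float(self.bc)

    def classify(self, size: int, now: float) -> str:
        """Colour one packet: conform (green), exceed (yellow) or violate (red)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"                         # red packets consume no tokens


def burst(policer: Policer, rate_bps: int, seconds: float, pkt: int = 1500) -> Counter:
    """Constructed traffic: back-to-back pkt-byte packets sent at rate_bps."""
    gap = pkt * BITS_PER_BYTE / rate_bps         # seconds between packets
    return Counter(policer.classify(pkt, i * gap) for i in range(int(seconds / gap)))


if __name__ == "__main__":
    CIR = 4194304                                # cir from Bill's policer line
    for bc, be in ((2000, 4000), paolo_bursts(CIR)):   # Bill's values, then Paolo's
        print(f"bc={bc} be={be}:", dict(burst(Policer(CIR, bc, be), 8_000_000, 1.0)))
```

With the small buckets every second packet of the burst is coloured exceed or violate, which is the behaviour Fred and Paolo warn leads to poor TCP performance behind a bare policer; with Paolo's sizing the whole one-second 8 Mbps burst conforms.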

