[cisco-nas] IP CEF Problem

Pierre Nepveu pnepveu at videotron.net
Mon Jan 26 11:51:14 EST 2004


hi Rommel,

from what I understand of what you said in earlier mails, "input" is what your
provider sends your way. Nothing you can do about it (short of having them
rate-limit at their end and buying more bandwidth :-). 

Adjusting burst and extended-burst to Cisco's proposed values did as expected:
it increased your link performance (to saturation point). Your router already
started dropping packets 'randomly'. Individual TCP sessions will adjust. UDP
and ICMP will just suffer. If most of the incoming traffic is UDP and ICMP, it
will just hit a brick wall at your interface (and TCP sessions will suffer
more). You will see usage rate slightly over 2048 k. This is normal. However,
usage at your provider's interface may be much higher. "They" should also
implement CAR, otherwise they will send all UDP and ICMP that is destined to
you. You will drop it, but they will send it.

Do you have access to some kind of statistics from your provider at their
interface?  It would surely be helpful to determine how much bandwidth you
really require (if you can afford it).

On your side, you can check CAR statistics (this is an actual client circuit
where rate-limit is 3Mbps, 3000kbps):
example#sh interface fas0/0 rate-limit
FastEthernet0/0 Port WAN
  Input
    matches: all traffic
      params:  3000000 bps, 562500 limit, 1125000 extended limit
      conformed 672983812 packets, 508583M bytes; action: transmit
      exceeded 229790 packets, 290799025 bytes; action: drop
      last packet: 68ms ago, current burst: 60 bytes
      last cleared 37w6d ago, conformed 177000 bps, exceeded 0 bps
  Output
    matches: all traffic
      params:  3000000 bps, 562500 limit, 1125000 extended limit
      conformed 581185898 packets, 164154M bytes; action: transmit
      exceeded 2183611 packets, 2848M bytes; action: drop
      last packet: 4ms ago, current burst: 0 bytes
      last cleared 37w6d ago, conformed 57000 bps, exceeded 0 bps

Have fun!

pn
cd /pub; more beer


On 2004-01-26 at 18:51, Rommel Y. Catabian wrote:

RYC> Hi,
RYC> I configured the rate-limit as advised but I exceeded (just now) the 2048000
RYC> limit.
RYC> Is there anything I missed in the configuration?
RYC> 
RYC> Regards,
RYC> 
RYC> Rommel
RYC> 
RYC> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RYC> interface FastEthernet0/0
RYC>  description **Ethernet Connection to REACH**
RYC>  ip address 203.190.70.86 255.255.255.252
RYC>  ip nat outside
RYC>  rate-limit input 2048000 384000 768000 conform-action transmit exceed-action drop
RYC>  rate-limit output 2048000 384000 768000 conform-action transmit exceed-action drop
RYC>  no ip mroute-cache
RYC>  duplex auto
RYC>  speed auto
RYC>  fair-queue
RYC>  no cdp enable
RYC> 
RYC> FastEthernet0/0 is up, line protocol is up
RYC> 
RYC>   5 minute input rate 2076000 bits/sec, 564 packets/sec
RYC>   5 minute output rate 615000 bits/sec, 701 packets/sec
RYC>      80981176 packets input, 1042153441 bytes
RYC>      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
RYC>      9 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
RYC>      0 watchdog
RYC> 
RYC> 
RYC> 
RYC> ----- Original Message ----- 
RYC> From: "Pierre Nepveu" <pnepveu at videotron.net>
RYC> To: "Rommel Y. Catabian" <rommel.catabian at eaccelera.com>
RYC> Cc: <cisco-nas at puck.nether.net>
RYC> Sent: Sunday, January 25, 2004 3:46 AM
RYC> Subject: Re: [cisco-nas] IP CEF Problem
RYC> 
RYC> 
RYC> Rommel,
RYC> 
RYC>  >  rate-limit input 2048000 4000 4000 conform-action transmit exceed-action drop
RYC> 
RYC> your values for burst and extended-burst are way too low and will result in
RYC> decreased actual throughput when the rate limiting kicks in. I have tested
RYC> different values and the Cisco recommended values really do work best.
RYC> | Cisco recommends the following values for the normal and extended burst
RYC> | parameters:
RYC> |
RYC> | normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds
RYC> | extended burst = 2 * normal burst
RYC> 
RYC> The above comes from the following document:
RYC> "Policing and Shaping Overview-Cisco IOS Software Releases 12.2 Mainline"
RYC> http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800bd8ed.html
RYC> 
RYC> Using the Cisco recommended values, your config should be:
RYC> 
RYC>  rate-limit input  2048000 384000 768000 conform-action transmit exceed-action drop
RYC>  rate-limit output 2048000 384000 768000 conform-action transmit exceed-action drop
RYC> 
RYC> HTH,
RYC> 
RYC> -------------------------------------------------------------------
RYC> Pierre Nepveu, CCNP                    tel: +1 514.380-4289
RYC> Network Administrator                       +1 888.INFOVTL x 4289
RYC> Engineering / Internet Access          fax: +1 514 899-8452
RYC> Videotron Telecom Ltee (VTL) - Montreal (Quebec), Canada
RYC> -------------------------------------------------------------------
RYC> 
RYC> 
RYC> On 2004-01-24 at 12:31, Gert Doering wrote:
RYC> 
RYC> GD> Hi,
RYC> GD>
RYC> GD> On Sat, Jan 24, 2004 at 07:28:05PM +0800, Rommel Y. Catabian wrote:
RYC> GD> > As I read it, I need to enable "IP CEF" on the router (Cisco3660) which also
RYC> GD> > doubles as a Remote Access Server, to make rate-limiting work. However,
RYC> GD> > the problem is our dial-up connections become slower when I enable ip cef.
RYC> GD>
RYC> GD> CEF is not required for rate-limiting.
RYC> GD>
RYC> GD> > CISCO-3660-NAS2#sh version
RYC> GD> > Cisco Internetwork Operating System Software
RYC> GD> > IOS (tm) 3600 Software (C3660-IS-M), Version 12.2(2)T4,  RELEASE SOFTWARE (fc3)
RYC> GD>
RYC> GD> ... but this is something you might want to upgrade anyway.  It's "T", and
RYC> GD> the number in brackets is way too low...  there is at least one serious
RYC> GD> security vulnerability in this IOS version, which entitles you to a free
RYC> GD> upgrade.
RYC> GD>
RYC> GD> > interface FastEthernet0/0
RYC> GD> >  description **UPLINK CONNECTION**
RYC> GD> >  ip address 203.190.xx.xx 255.255.255.252
RYC> GD> >  ip nat outside
RYC> GD> >  rate-limit input 2048000 4000 4000 conform-action transmit exceed-action drop
RYC> GD>
RYC> GD> Why *input*?
RYC> GD>
RYC> GD> You want to do traffic-shaping for *output*.
RYC> GD>
RYC> GD> (Also, traffic-shaping is more gentle to the packets than rate-limiting).
RYC> GD>
RYC> GD> gert
RYC> GD>
RYC> GD> -- 
RYC> GD> USENET is *not* the non-clickable part of WWW!        //www.muc.de/~gert/
RYC> GD> Gert Doering - Munich, Germany                    gert at greenie.muc.de
RYC> GD> fax: +49-89-35655025               gert at net.informatik.tu-muenchen.de
RYC> GD> _______________________________________________
RYC> GD> cisco-nas mailing list
RYC> GD> cisco-nas at puck.nether.net
RYC> GD> https://puck.nether.net/mailman/listinfo/cisco-nas
RYC> GD>
RYC> 
RYC> 
RYC> 
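The burst-sizing rule quoted above (normal burst = rate * 1 byte/8 bits * 1.5 s, extended burst = 2 * normal) and Pierre's point that an undersized burst costs throughput can be checked with a small model. The following Python is an added example, not code from the thread or from Cisco: it computes the recommended bursts for a given rate, renders the corresponding IOS `rate-limit` line, and pushes a constructed microburst (one TCP window of 1500-byte frames arriving at FastEthernet line rate) through a plain token bucket. The bucket models only the normal burst; Cisco's extended-burst ("compounded debt") behaviour is deliberately left out, so the drop counts are a property of this simplified model, not a claim about what IOS does.

```python
# Added example (not from the mailing-list thread): a token-bucket model of
# Cisco CAR ("rate-limit") used to (a) compute the burst values Cisco recommends
# and (b) show why an undersized normal burst drops packets from a source whose
# average rate is well under the configured limit.  Assumption: only the normal
# burst is modelled; Cisco's extended-burst (compounded debt) logic is omitted.
from dataclasses import dataclass, field
from typing import List, Tuple


def recommended_bursts(rate_bps: int) -> Tuple[int, int]:
    """Cisco's rule of thumb quoted in the thread, both values in bytes:
    normal burst = rate * (1 byte / 8 bits) * 1.5 s; extended burst = 2 * normal."""
    normal = int(rate_bps / 8 * 1.5)
    return normal, 2 * normal


def rate_limit_line(direction: str, rate_bps: int) -> str:
    """Render the IOS interface sub-command with the recommended bursts filled in."""
    normal, extended = recommended_bursts(rate_bps)
    return (f"rate-limit {direction} {rate_bps} {normal} {extended} "
            f"conform-action transmit exceed-action drop")


@dataclass
class TokenBucket:
    rate_bps: int                                  # committed rate in bit/s
    normal_burst: int                              # bucket depth in bytes
    tokens: float = field(init=False, default=0.0)
    last_t: float = 0.0                            # time of the previous packet (s)
    conformed: int = 0
    exceeded: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.normal_burst)     # bucket starts full

    def offer(self, t: float, size: int) -> str:
        """Offer a packet of `size` bytes at time `t` seconds; return the CAR action."""
        refill = (t - self.last_t) * self.rate_bps / 8   # bytes earned since last packet
        self.tokens = min(float(self.normal_burst), self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += 1
            return "transmit"
        self.exceeded += 1                         # dropped packets consume no tokens
        return "drop"


def microburst(n_packets: int = 20, size: int = 1500,
               link_bps: int = 100_000_000) -> List[Tuple[float, int]]:
    """Constructed input: one window of back-to-back 1500 B frames at FastEthernet
    line rate (one every 120 us), then silence.  20 x 1500 B per second is only
    240 kbit/s on average, far below a 2048 kbit/s limit."""
    gap = size * 8 / link_bps
    return [(i * gap, size) for i in range(n_packets)]


def simulate(rate_bps: int, normal_burst: int,
             packets: List[Tuple[float, int]]) -> Tuple[int, int]:
    """Run packets through the bucket; return (conformed, exceeded) counts."""
    bucket = TokenBucket(rate_bps, normal_burst)
    for t, size in packets:
        bucket.offer(t, size)
    return bucket.conformed, bucket.exceeded


if __name__ == "__main__":
    rate = 2_048_000
    print(rate_limit_line("input", rate))
    # Compare Rommel's original 4000-byte burst with the recommended 384000 bytes.
    for burst in (4000, recommended_bursts(rate)[0]):
        ok, dropped = simulate(rate, burst, microburst())
        print(f"normal burst {burst:>6} B: {ok:2d} transmitted, {dropped:2d} dropped")
```

With the 4000-byte burst the bucket holds fewer than three full-size frames, so most of the window is dropped even though the sender's average rate is a fraction of the limit; TCP then backs off and the link never fills, which is the throughput loss the thread describes. With the recommended 384000 bytes the whole window conforms and the average rate alone decides what gets dropped. The same arithmetic reproduces the 562500/1125000 limits shown in the `sh interface ... rate-limit` output for the 3 Mbit/s circuit.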