[nsp] Weird Problem - 6509 rate limiting

Church, Chuck cchurch at wamnetgov.com
Wed Mar 17 08:30:49 EST 2004 

Paul,

	'inbound' or 'outbound' refers to the traffic on a particular interface, not a type of interface.  Say port 1 faces a customer you want to limit to 1 meg upload, 4 meg download.  You can rate-limit to 4 megs total output on port 1 (which is supported).  But limiting the upload can't be done on port 1, since it's input.  So you need to track port 1's traffic (via an access list) and use that as part of an outbound rate-limiting statement on an upstream-facing interface.  Of course it gets tricky if you've got multiple upstream-facing interfaces that are being load balanced.  The 'in' and 'out' method involves policy routing or static routing the inbound traffic towards another VLAN interface, where you can then use an outbound rate-limit statement without affecting other traffic flows.  My experience with this has been using hybrid, but I think outbound is fully supported in native as well.  HTH.

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Wam!Net Government Services - Design & Implementation Team
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch at wamnetgov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com

> -----Original Message-----
> From: Paul Stewart [mailto:pauls at nexicom.net]
> Sent: Wednesday, March 17, 2004 7:25 AM
> To: 'Ian Cox'; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] Weird Problem - 6509 rate limiting
> 
> 
> Hmmmm.... 
> 
> I've spent a lot of time researching this overnight and have some
> questions...  Thank you for all the answers (as much as I 
> don't like some of
> them)
> 
> One of the postings said that it can only be applied to an inbound
> interface?  These VLAN's are serving traffic out to customers 
> so is this
> considered an outbound interface?  If that is true, does the police
> statement limit traffic in *both* directions?  I'm confused as to what
> defines an interface as an outbound or inbound interface... 
> These VLAN's
> that I'm trying to find a way to limit bandwidth on obviously have
> inbound/outbound traffic on them.... Some serve traffic out 
> to customers and
> one is our pipe to the outside world bringing traffic in (did 
> I just answer
> my own question?)
> 
> For example I have gotten to this point now:
> 
> gw-cust-nrtco#sh mls qos ip Vlan205
>    [In] Policy map is PUC_Testing_Port-Inbound
>  QoS Summary [IP]:      (* - shared aggregates, Mod - switch 
> module, F -
> install error)
> 
> Int            Mod Dir Cl-map DSCP AgId Trust FlId   AgForward-Pk
> AgPoliced-Pk
> --------------------------------------------------------------
> --------------
> ----
> Vl205            1 I fiber256k  0    1   dscp    0              0
> 0
> 
> The policy-map is this:
> 
> policy-map PUC_Testing_Port-Inbound
>   class fiber256k
>      police 256000 10000 10000 conform-action transmit 
> exceed-action drop
> 
> The map is fiber256k which looks like this:
> 
> class-map match-all fiber256k
>   match access-group 105
> 
> access-list 105 permit ip any any
> 
> Interface:
> 
> interface Vlan205
>  ip address 216.xxx.xxx.xxx 255.255.255.252
>  service-policy input PUC_Testing_Port-Inbound
> 
> Am I heading in the right direction at all with this?  I have 
> no way of
> testing this for quite some time unfortunately...
> 
> When I try to apply a service-policy output 
> PUC_Testing_Port-Outbound it
> gives me:
> 
> gw-cust-nrtco(config-if)#service-policy output 
> PUC_Testing_Port-Outbound
> QoS: Vlan205 doesn't support policy PUC_Testing_Port-Outbound 
> for class
> fiber256k in Out direction
> 
> Which kind of seems to bring me back to a problem again....
> 
> I thought I had found a missing part in the config as I did 
> *not* have mls
> qos vlan-based on the Ethernet interface but it doesn't 
> appear to have made
> any difference...:(
> 
> interface FastEthernet3/1
>  mls qos vlan-based
>  switchport
>  switchport trunk encapsulation isl
>  switchport trunk allowed vlan 2,50,99,200-205
>  switchport mode trunk
>  no cdp enable
> 
> 
> Failing that, 
> 
> There was a discussion about using several ethernet ports to 
> "loop" the
> traffic at which point traffic policing could be applied (if 
> I understood
> that correctly)... Anyone have a sample config for this?  We 
> have lots of
> extra ports on the 10/100 card so if that's the best method 
> to make this
> work I'm game to try it but need some help if someone could 
> spare a few
> minutes :)
> 
> Also, does the version of IOS that we are running play any 
> relevance?  We
> are running c6sup22-jk2sv-mz.121-20.E2.bin ?  Is there any 
> features in the
> 12.2.x train, OR in perhaps different feature version that 
> could help me?
> 
> If we converted the chassis to hybrid catos/ios will this create the
> possibility to doing traffic limiting better?  I can convert 
> the chassis but
> perfer the native ios if possible....
> 
> Sorry for all the questions. I'm kinda desperate as I have to 
> leave this
> site tomorrow morning so hoping to have this resolved before 
> then... Wasn't
> planning on surprises...;)
> 
> Thanks very much.. Appreciate everyone's help...
> 
> Paul
> 
> 
> -----Original Message-----
> From: Ian Cox [mailto:icox at cisco.com] 
> Sent: Tuesday, March 16, 2004 4:11 PM
> To: Paul Stewart; cisco-nsp at puck.nether.net
> Subject: Re: [nsp] Weird Problem - 6509 rate limiting
> 
> 
> 
> "match any" is not supported. You have to create at ip access 
> list with 
> match ip any any to do what you want to do.
> 
> 
> Ian
> 
> At 11:30 AM 3/16/2004 -0500, Paul Stewart wrote:
> >I'm hoping someone has come across this or that I've done something
> >stupid...;)
> >
> >We have installed a 6509 at a remote site today.  It's a 
> really simple 
> >setup.. 2 sup2/msfc2 engines, 1 10/100 card.
> >
> >Port 3/1 has some vlan's on it to customers and also one of 
> the vlan's 
> >is a p2p lan extension to our core router at another location.  
> >Everything is working fine on the device, vlan's are up and passing 
> >traffic, switchports are up etc. etc..
> >
> >Our problem is with rate limiting the vlan's.  Traditionally I have 
> >used "rate-limit input xxxxx" on each vlan to limit them to their 
> >amount of bandwidth purchased.  The old 3662 router did this 
> just fine 
> >as a subinterface on the FastE
> >
> >Things are a little different on the 6509 as the rate-limit command 
> >isn't supported (even though it shows up on a command).  
> When trying to 
> >use  it I
> >get:
> >
> >Rate-limit command is not supported in hardware  use service-policy 
> >command
> >
> >This 6509 is running native ios version 12.1(20)E2
> >(c6sup22-jk2sv-mz.121-20.E2.bin)
> >
> >Why is it not supported by the hardware??
> >
> >So, I try creating a service-policy:
> >
> >class-map match-all fiber_customers
> >   match any
> >
> >policy-map PUC
> >   class fiber_customers
> >      police 1000000 15000 15000 conform-action transmit 
> exceed-action 
> >drop
> >
> >gw-cust-nrtco(config-if)#service-policy input PUC
> >QoS: match type in class fiber_customers not supported on Vlan106
> >QoS: policy PUC actions for class fiber_customers are not 
> supported on 
> >Vlan106
> >QoS: match type in class fiber_customers not supported on Vlan106
> >QoS: match type in class fiber_customers not supported on Vlan106
> >
> >
> >
> >Can anyone help?
> >
> >gw-cust-nrtco#sh mls qos
> >   QoS is enabled globally
> >   Microflow policing is enabled globally
> >Vlan or Portchannel(Multi-Earl) policies supported: Yes
> >
> >
> >  ----- Module [1] -----
> >   QoS global counters:
> >     Total packets: 40374
> >     IP shortcut packets: 0
> >     Packets dropped by policing: 0
> >     IP packets with TOS changed by policing: 104
> >     IP packets with COS changed by policing: 0
> >     Non-IP packets with COS changed by policing: 0
> >
> >Thanks in advance,
> >
> >Paul
> >
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list