[c-nsp] Policing Question
Fred Reimer
freimer at ctiusa.com
Tue Dec 4 13:08:52 EST 2007

I believe Paolo was trying to say that you don't want to do just
policing for traffic to cap it at a maximum rate without having
shaping somewhere in the picture. It is recommended to use
policing for traffic such as VoIP, where you know the exact
bandwidths and you can police any traffic over those rates,
because the traffic should never exceed those rates. If you
police general traffic you will get TCP synchronization, which is
a bad thing. I'm assuming you don't do any CBWFQ preemptive
dropping. If you have to do this and can't shape you should at
least tell your customer that you will police at a given rate,
and Strongly recommend that they shape on their side of the
connection. Policing to 10Mbps on a 100Mbps connection is NOT
the same as having a 10Mbps connection. Shaping to 10Mbps on a
100Mbps connection is not either, but it is a heck of a lot
closer.

It also depends on what direction you plan on policing. In
general you should shape on the outbound and police on the
inbound, although you can police on the outbound also if you have
traffic that should be policed, like VoIP or other constant
bit-rate traffic. This, of course, depends on the capabilities
of the particular hardware you are doing. Cisco has manuals for
their hardware.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bill ford
> Sent: Tuesday, December 04, 2007 12:40 PM
> To: Paolo Lucente
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Policing Question
>
> Hi Paolo,
>
> Let me just summarize the scenario; maybe it was not clear.
>
> Find below a short depiction.
>
> ----(Internet)---Cat3750---(L3 Etherchannel)----Cat6500----Customer
>
> Planning to apply bandwidth restriction (policing) on the L3
> Etherchannel between 3750G and Cat 6500. Maybe this will
> clear up the confusion a bit.
>
>
> Also check this URL link talking about burst rate
> calculation using policing on Cat 6500.
>
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
>
> Any insight on this will be great..
>
> Cheers,
>
> Bill
>
> Paolo Lucente <pl+list at pmacct.net> wrote:
>
> Hi Bill,
>
> 1)
>
> I would recommend you to police ingress traffic from the customer
> and shape egress traffic to the customer. This gives you several
> benefits including ease of configuration on your side (limited to
> the 6509 box only) and smooth congestion management.
>
> If it's an un-managed CE solution, advise your customer that he
> has to shape egress traffic on his CPE. This is to avoid TCP
> traffic performing very badly when hitting your policer.
>
> 2)
>
> I believe it's the shaping Tc value you are referring to - but
> your question is about policing. I would point out the following
> two values: Bc = (CIR/8)*1.5 = 786000; Be = 2*Bc = 1572000. This
> is based on a 4 Mbps CIR. Remember Bc/Be are expressed in bytes.
> Moreover, because you want them to be able to burst beyond their
> CIR, you don't want the "exceed-action drop" action there. You can
> simply replace it with a "transmit" to make it work - but it
> wouldn't really make sense: you want to mark the excess burst to
> be able to handle it differently in periods of congestion.
>
> 3)
>
> If I understood correctly the etherchannel is a backbone link
> (P-P) so the question doesn't really apply. Btw, as far as I'm
> aware there shouldn't be any problems.
>
> Cheers,
> Paolo
>
> On Tue, Dec 04, 2007 at 01:38:21AM -0800, Bill ford wrote:
> > Guys,
> >
> >
> > Need your help on this...
> >
> >
> >
> > Here is the scenario:
> >
> > We have a Catalyst 6509 with Sup 720+Policy Feature Card 3
> > connected to the Internet gateway Switch (catalyst 3750G). We
> > are running Layer 3 etherchannel between the Cat 6509 and Cat
> > 3750G.
> >
> > We need to restrict the bandwidth for one of the customers.
> >
> > Requirement is as follows:
> >
> > CIR of 4 Mbps and burst up to 8 Mb based on availability.
> >
> > Thinking of using policing with ACLs based on the public IP
> > address range on the customer, however few questions here.
> >
> > 1) Is it advisable to do Policing only on the Cat 6509s in both
> > directions and avoid doing any changes on the Cat 3750G. Is
> > this the right way?
> >
> > 2) What should be the CIR, bc and be values to provide double
> > the burst than CIR based on availability?
> >
> > Is the below statement correct? I believe Tc value for Cat
> > 6509s is 0.00025 seconds, calculation is based on that.
> >
> > police cir 4194304 bc 2000 be 4000 conform-action transmit exceed-action drop violate-action drop
> >
> > 3) Are there any issues applying Policing on L3 etherchannels
> > in both ways on Cat 6509s?
> >
> > Any help will be appreciated.
> > Thanks in advance,
> >
> > Bill
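
The two sets of burst values discussed in this thread, compared in an added example that is not part of any poster's message. It assumes the generic single-rate three-colour token-bucket model of RFC 2697, not the Catalyst 6500 PFC3 hardware policer, and the 1500-byte packets and 8 Mbps offered rate are constructed inputs.

```python
# Added illustration: generic single-rate three-colour policer (RFC 2697 model).
# Assumption: this is NOT a model of PFC3 hardware; traffic below is constructed.

class Policer:
    def __init__(self, cir_bps, bc, be):
        self.cir_bps = cir_bps          # committed information rate, bits/s
        self.bc, self.be = bc, be       # committed / excess burst, bytes
        self.tc, self.te = float(bc), float(be)   # both buckets start full
        self.last = 0.0

    def police(self, now, size):
        # Refill: tokens fill the committed bucket first, overflow goes to excess.
        tokens = (now - self.last) * self.cir_bps / 8
        self.last = now
        to_c = min(tokens, self.bc - self.tc)
        self.tc += to_c
        self.te = min(self.be, self.te + tokens - to_c)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"


def offer(policer, rate_bps, packets, size=1500):
    """Send `packets` evenly spaced frames at rate_bps; return bytes per colour."""
    gap = size * 8 / rate_bps
    seen = {"conform": 0, "exceed": 0, "violate": 0}
    for i in range(packets):
        seen[policer.police(i * gap, size)] += size
    return seen


CIR = 4194304  # the cir value from the original question

if __name__ == "__main__":
    for label, bc, be in (("bc 2000 be 4000", 2000, 4000),
                          ("bc 786000 be 1572000", 786000, 1572000)):
        for packets in (600, 4000):     # 0.9 s and 6 s of traffic at 8 Mbps
            print(label, packets, offer(Policer(CIR, bc, be), 8_000_000, packets))
```

In this model the small buckets start marking packets as violating within the first few frames, while the larger buckets absorb a sub-second burst at 8 Mbps entirely as conforming and only run dry under sustained load.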