[c-nsp] Policing Question

Bill ford billyford_11 at yahoo.com
Thu Dec 6 21:34:32 EST 2007


Hi Paolo,

Thanks for your feedback, much appreciated...

As the max bandwidth for the customer is 8 Mbps, how do the below policing values look to you?

police cir 4000000 bc 2000 be 2000  conform-action transmit exceed-action drop

With burst configured to 2000, which going by CIR=bc/tc the CIR comes to 8 Mbps (max customer bandwidth), setting "be" would allow him to burst further, therefore kept the bc and be values the same.

Also planning on applying it on the etherchannel in both ingress and egress directions. Any issues you see with this configuration, based on the rough sketch given earlier?

Thanks in advance 

Bill



Paolo Lucente <pl+list at pmacct.net> wrote:

Hi Bill,

Fred already correctly commented most of the points. Policing is
widely supported but shaping is hardware-dependent. FlexWANs and
SIPs for example support shaping. But the key point is you really
want to shape egress traffic to the customer to put in force an
SLA with them.

Also for egress shaping purposes you might also want to check
whether the SRR scheduling algorithm applies. I've personally
used it for smooth rate-limiting purposes on lower-range switches
(2960s); it works nicely but it's coarse grained (interface-wide)
and suspect it might not cope with your Etherchannel there. 

Previous Bc/Be suggestions were OK for software-based policing;
going the PFC way (hardware-based QoS) then yours were correct:
Bc of 2000 bytes and Be of 4000 bytes - which generously take
into account a bucket replenishment of 4ms (which is recommended
to make sure the switch can sustain the configured rate, this is
also why you should modify it to 4000000 from 4194304; otherwise
you may need to raise Bc/Be values just a little bit).

Hope this helps.

Cheers,
Paolo

On Tue, Dec 04, 2007 at 10:42:15AM -0800, Bill ford wrote:
> 
> Thanks Guys..
> 
> So seeing the rough diagram depiction and Etherchannel between the Cat 3750 and Cat 6500, is it right to assume that Police will be applied to Etherchannel out direction and Shaping to Etherchannel in direction? Also there is no voice traffic.
> 
> Etherchannel out Police
> Etherchannel in shape
> 
> (Internet)--Cat3750--(L3 Etherchannel)--Cat6500---Customer
> 
> Also, can someone throw the bc and be values for both shaping and policing for cat 6500 with the below requirement.
> 
> CIR of 4 Mbps and burst up to 8 Mb  based on availability.
> 
> Also check this URL link talking about burst rate calculation using policing on Cat 6500, looks a bit different than that on a router, especially with the tc value mentioned as 0.00025 seconds. Paolo had given the calculation, however based on this document it looks to be a bit different on cat 6500.
> 
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
> 
> Thanks in advance for all your help.
> 
> Cheers,
> 
> Bill
> 
> 
> Fred Reimer wrote:
>
> I believe Paolo was trying to say that you don't want to do just
> policing for traffic to cap it at a maximum rate without having
> shaping somewhere in the picture.  It is recommended to use
> policing for traffic such as VoIP, where you know the exact
> bandwidths and you can police any traffic over those rates,
> because the traffic should never exceed those rates.  If you
> police general traffic you will get TCP synchronization, which is
> a bad thing.  I'm assuming you don't do any CBWFQ preemptive
> dropping.  If you have to do this and can't shape you should at
> least tell your customer that you will police at a given rate,
> and Strongly recommend that they shape on their side of the
> connection.  Policing to 10Mbps on a 100Mbps connection is NOT
> the same as having a 10Mbps connection.  Shaping to 10Mbps on a
> 100Mbps connection is not either, but it is a heck of a lot
> closer.
> 
> It also depends on what direction you plan on policing.  In
> general you should shape on the outbound and police on the
> inbound, although you can police on the outbound also if you have
> traffic that should be policed, like VoIP or other constant
> bit-rate traffic.  This, of course, depends on the capabilities
> of the particular hardware you are doing.  Cisco has manuals for
> their hardware.
> 
> 
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
> 
> 
> 
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bill ford
> > Sent: Tuesday, December 04, 2007 12:40 PM
> > To: Paolo Lucente
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Policing Question
> > 
> > Hi Paolo,
> > 
> > Let me just summarize the scenario maybe it was not clear.
> > 
> > Find below a short depiction.
> > 
> > ----(Internet)---Cat3750---(L3 Etherchannel)----Cat6500----Customer
> > 
> > Planning to apply bandwidth restriction(policing) on the L3
> > Etherchannel between 3750G and Cat 6500. Maybe this will
> > clear up the confusion a bit.
> > 
> > 
> > Also check this URL link talking about burst rate
> > calculation using policing on Cat 6500.
> > 
> > http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
> > 
> > Any insight on this will be great..
> > 
> > Cheers,
> > 
> > Bill
> > 
> > Paolo Lucente wrote:
> >
> > Hi Bill,
> > 
> > 1)
> >
> > I would recommend you to police ingress traffic from the customer and shape egress traffic to the customer. This gives you several benefits including ease of configuration your side (limited to the 6509 box only) and smooth congestion management.
> >
> > If it's an un-managed CE solution advise your customer he has to shape egress traffic on his CPE. This is to avoid TCP traffic from performing very badly when hitting your policer.
> >
> > 2)
> >
> > I believe it's the shaping Tc value you are referring to - but your question is about policing. I would point the following two values: Bc = (CIR/8)*1.5 = 786000; Be = 2*Bc = 1572000. This is basing on a 4 Mbps CIR. Remember Bc/Be are expressed in bytes. Moreover because you want them to be able to burst beyond their CIR, you don't want the "exceed-action drop" action there. You can simply replace it with a "transmit" to make it working - but it wouldn't really have sense: you want to mark the excess burst to be able to handle it differently in periods of congestion.
> >
> > 3)
> >
> > If I understood correctly the etherchannel is a backbone link (P-P) so the question doesn't really apply. Btw, as far as I'm aware there shouldn't be any problems.
> > 
> > Cheers,
> > Paolo
> > 
> > On Tue, Dec 04, 2007 at 01:38:21AM -0800, Bill ford wrote:
> > > Guys,
> > >
> > >
> > > Need your help on this...
> > >
> > >
> > >
> > > Here is the scenario:
> > >
> > > We have a Catalyst 6509 with Sup 720+Policy Feature Card 3 connected to the Internet gateway Switch (catalyst 3750G). We are running Layer 3 etherchannel between the Cat 6509 and Cat 3750G.
> > >
> > > We need to restrict the bandwidth for one of the customer.
> > >
> > > Requirement is as follows:
> > >
> > > CIR of 4 Mbps and burst up to 8 Mb based on availability.
> > >
> > > Thinking of using policing with ACLs based on the public IP address range on the customer, however few questions here.
> > >
> > > 1) Is it advisable to do Policing only on the Cat 6509s in both direction and avoid doing any changes on the Cat 3750G. Is this the right way?
> > >
> > > 2) What should be the CIR, bc and be values to provide double the burst than CIR based on availability?
> > >
> > > Is the below statement correct? I believe Tc value for Cat 6509s is 0.00025 seconds, calculation is based on that.
> > >
> > > police cir 4194304 bc 2000 be 4000 conform-action transmit exceed-action drop violate-action drop
> > >
> > > 3) Are there any issues applying Policing on L3 etherchannels in both ways on Cat 6509s?
> > >
> > > Any help will be appreciated.
> > >  Thanks in advance,
> > >
> > > Bill
> > 
> > 
> > 
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> 
>        


       


More information about the cisco-nsp mailing list
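
Added example, not part of the original thread and not Cisco code: a generic single-rate, two-bucket policer (RFC 2697 style, colour-blind) run over the CIR/Bc/Be values discussed above, showing how many packets land in conform, exceed and violate. Assumptions: tokens refill continuously at CIR (this does not model PFC3 hardware timing), and the offered traffic is a constructed constant 8 Mbps stream of 1500-byte packets; all function names are hypothetical.

```python
from collections import Counter

def bytes_per_interval(cir_bps, interval_us):
    """Bytes of credit that CIR accrues in one replenishment interval."""
    return cir_bps * interval_us // 8_000_000

def police(packets, cir_bps, bc_bytes, be_bytes):
    """Colour (time_us, size_bytes) packets with a single-rate, two-bucket policer.

    Tokens are kept in bits and time in microseconds so the arithmetic is exact.
    """
    bc, be = bc_bytes * 8, be_bytes * 8
    tc, te = bc, be                      # both buckets start full
    last, carry = 0, 0
    out = []
    for t_us, size in packets:
        credit = cir_bps * (t_us - last) + carry    # bit-microseconds
        new, carry = divmod(credit, 1_000_000)
        last = t_us
        spill = max(0, tc + new - bc)    # only overflow from the conform bucket...
        tc = min(bc, tc + new)
        te = min(be, te + spill)         # ...refills the excess bucket
        bits = size * 8
        if tc >= bits:
            tc -= bits
            out.append("conform")
        elif te >= bits:
            te -= bits
            out.append("exceed")
        else:
            out.append("violate")
    return out

def offered_load(rate_bps, size_bytes, duration_us):
    """Constructed test traffic: equal-size packets at a constant bit rate."""
    gap_us = size_bytes * 8 * 1_000_000 // rate_bps
    return [(t, size_bytes) for t in range(0, duration_us, gap_us)]

def summarize(cir_bps, bc, be, rate_bps=8_000_000, size=1500, duration_us=1_000_000):
    """Return (conform, exceed, violate) packet counts for one constructed run."""
    counts = Counter(police(offered_load(rate_bps, size, duration_us), cir_bps, bc, be))
    return counts["conform"], counts["exceed"], counts["violate"]

if __name__ == "__main__":
    # Credit per interval at 4 Mbps: the 4 ms and 0.00025 s intervals from the thread
    print(bytes_per_interval(4_000_000, 4000), bytes_per_interval(4_000_000, 250))
    for be in (2000, 4000):
        print("be", be, summarize(4_000_000, 2000, be))
```

In this constructed run the conformed count is the same for both Be values (334 packets, about 4 Mbps); the larger excess bucket only changes how many packets are coloured exceed before it empties, because it refills only when the conform bucket overflows.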