[c-nsp] Policing Question
Paolo Lucente
pl+list at pmacct.net
Fri Dec 7 05:49:08 EST 2007
Hi Bill,

Considering an interval of 0.25ms your calculation is fine for
the 8Mbps Be. Though such calculation leaves no margin and you
really want to have some to be sure the switch can sustain the
rate.

The switch might even inform you that your burst value is not
legal as the minimum configurable burst interval is 4ms. Btw,
if you try not to specify any bursts, you should see the 6500
using a default interval of 250ms. So, don't go tight.

And good luck with both egress policing and the etherchannel.

Cheers,
Paolo
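
An added example, not part of the original messages: a small token-bucket model for checking Bc/Be choices such as the ones quoted in this thread (CIR 4000000, Bc 2000, Be 2000 or 4000). It assumes the colour-blind single-rate three-colour marker of RFC 2697 rather than the PFC3 hardware behaviour; the function names and the 100 Mbps arrival rate are constructed for illustration.

```python
# Added example: single-rate three-colour token bucket (RFC 2697 model,
# colour-blind). A sizing aid only; not the PFC3 hardware algorithm.

def burst_bytes(rate_bps, interval_s):
    """Bytes a bucket must hold to carry rate_bps over one refill interval."""
    return rate_bps * interval_s / 8

def police(packets, cir_bps, bc, be):
    """packets: list of (arrival_time_s, size_bytes), sorted by time.
    Returns 'conform', 'exceed' or 'violate' for each packet."""
    c, e = float(bc), float(be)          # both buckets start full
    last = packets[0][0] if packets else 0.0
    colours = []
    for t, size in packets:
        # Refill at CIR: committed bucket first, overflow spills into excess.
        tokens = (t - last) * cir_bps / 8
        last = t
        fill_c = min(tokens, bc - c)
        c += fill_c
        e = min(be, e + tokens - fill_c)
        if c >= size:
            c -= size
            colours.append("conform")
        elif e >= size:
            e -= size
            colours.append("exceed")
        else:
            colours.append("violate")
    return colours

def train(n, size, rate_bps):
    """Constructed input: n packets of `size` bytes back to back at rate_bps."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(n)]

if __name__ == "__main__":
    burst = train(5, 1500, 100_000_000)  # constructed: unshaped 100 Mbps burst
    print("bc 2000 be 2000:", police(burst, 4_000_000, 2000, 2000))
    print("bc 2000 be 4000:", police(burst, 4_000_000, 2000, 4000))
    paced = train(5, 1500, 4_000_000)    # constructed: sender shaped to the CIR
    print("paced at CIR   :", police(paced, 4_000_000, 2000, 2000))
    print("Bc for 4 ms    :", burst_bytes(4_000_000, 0.004), "bytes")
```

With "exceed-action drop" configured, packets coloured exceed are dropped along with the violating ones, so in this model only the conforming packets of the unshaped burst get through, while the stream paced at the CIR conforms throughout.
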
On Thu, Dec 06, 2007 at 06:34:32PM -0800, Bill ford wrote:
> Hi Paolo,
>
> Thanks for your feedback, much appreciated...
>
> As the max bandwidth for the customer is 8 Mbps, how do the below policing values look to you?
>
> police cir 4000000 bc 2000 be 2000 conform-action transmit exceed-action drop
>
> With burst configured to 2000, which going by CIR=bc/tc the CIR comes to 8 Mbps (max customer bandwidth) setting "be" would allow him to burst further, therefore kept bc and be values same.
>
> Also planning on applying it on the etherchannel in both ingress and egress direction. Any issues you see with this configuration, based on the rough sketch given earlier?
>
> Thanks in advance
>
> Bill
>
>
>
> Paolo Lucente <pl+list at pmacct.net> wrote:
> Hi Bill,
>
> Fred already correctly commented most of the points. Policing is
> widely supported but shaping is hardware-dependent. FlexWANs and
> SIPs for example support shaping. But the key point is you really
> want to shape egress traffic to the customer to put in force an
> SLA with them.
>
> Also for egress shaping purposes you might also want to check
> whether the SRR scheduling algorithm applies. I've personally
> used it for smooth rate-limiting purposes on lower-range switches
> (2960s); it works nicely but it's coarse grained (interface-wide)
> and suspect it might not cope with your Etherchannel there.
>
> Previous Bc/Be suggestions were OK for software-based policing;
> going the PFC way (hardware-based QoS) then yours were correct:
> Bc of 2000 bytes and Be of 4000 bytes - which generously take
> into account a bucket replenishment of 4ms (which is recommended
> to make sure the switch can sustain the configured rate, this is
> also why you should modify it to 4000000 from 4194304; otherwise
> you may need to raise Bc/Be values just a little bit).
>
> Hope this helps.
>
> Cheers,
> Paolo
>
> On Tue, Dec 04, 2007 at 10:42:15AM -0800, Bill ford wrote:
> >
> > Thanks Guys..
> >
> > So seeing the rough diagram depiction and Etherchannel between the Cat 3750 and Cat 6500, is it right to assume that Police will be applied to Etherchannel out direction and Shaping to Etherchannel in direction? Also there is no voice traffic.
> >
> > Etherchannel out Police
> > Etherchannel in shape
> >
> > (Internet)--Cat3750--(L3 Etherchannel)--Cat6500---Customer
> >
> > Also, can someone throw the bc and be values for both shaping and policing for cat 6500 with the below requirement.
> >
> > CIR of 4 Mbps and burst up to 8 Mb based on availability.
> >
> > Also check this URL link talking about burst rate calculation using policing on Cat 6500, looks a bit different than that on router especially with tc value mentioned as 0.00025 seconds. Paolo had given the calculation however based on this document it looks to be bit different on cat 6500.
> >
> > http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
> >
> > Thanks in advance for all your help.
> >
> > Cheers,
> >
> > Bill
> >
> >
> > Fred Reimer wrote:
> > I believe Paolo was trying to say that you don't want to do just
> > policing for traffic to cap it at a maximum rate without having
> > shaping somewhere in the picture. It is recommended to use
> > policing for traffic such as VoIP, where you know the exact
> > bandwidths and you can police any traffic over those rates,
> > because the traffic should never exceed those rates. If you
> > police general traffic you will get TCP synchronization, which is
> > a bad thing. I'm assuming you don't do any CBWFQ preemptive
> > dropping. If you have to do this and can't shape you should at
> > least tell your customer that you will police at a given rate,
> > and Strongly recommend that they shape on their side of the
> > connection. Policing to 10Mbps on a 100Mbps connection is NOT
> > the same as having a 10Mbps connection. Shaping to 10Mbps on a
> > 100Mbps connection is not either, but it is a heck of a lot
> > closer.
> >
> > It also depends on what direction you plan on policing. In
> > general you should shape on the outbound and police on the
> > inbound, although you can police on the outbound also if you have
> > traffic that should be policed, like VoIP or other constant
> > bit-rate traffic. This, of course, depends on the capabilities
> > of the particular hardware you are doing. Cisco has manuals for
> > their hardware.
> >
> >
> > Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> > Senior Network Engineer
> > Coleman Technologies, Inc.
> > 954-298-1697
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bill ford
> > > Sent: Tuesday, December 04, 2007 12:40 PM
> > > To: Paolo Lucente
> > > Cc: cisco-nsp at puck.nether.net
> > > Subject: Re: [c-nsp] Policing Question
> > >
> > > Hi Paolo,
> > >
> > > Let me just summarize the scenario maybe it was not clear.
> > >
> > > Find below a short depiction.
> > >
> > > ----(Internet)---Cat3750---(L3 Etherchannel)----Cat6500----Customer
> > >
> > > Planning to apply bandwidth restriction(policing) on the L3
> > > Etherchannel between 3750G and Cat 6500. Maybe this will
> > > clear up the confusion a bit.
> > >
> > >
> > > Also check this URL link talking about burst rate
> > > calculation using policing on Cat 6500.
> > >
> > > http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
> > >
> > > Any insight on this will be great..
> > >
> > > Cheers,
> > >
> > > Bill
> > >
> > > Paolo Lucente wrote:
> > > Hi Bill,
> > >
> > > 1)
> > >
> > > I would recommend you to police ingress traffic from the customer
> > > and shape egress traffic to the customer. This gives you several
> > > benefits including ease of configuration your side (limited to the
> > > 6509 box only) and smooth congestion management.
> > >
> > > If it's an un-managed CE solution advise your customer he has to
> > > shape egress traffic on his CPE. This is to avoid TCP traffic from
> > > performing very badly when hitting your policer.
> > >
> > > 2)
> > >
> > > I believe it's the shaping Tc value you are referring to - but your
> > > question is about policing. I would point the following two values:
> > > Bc = (CIR/8)*1.5 = 786000; Be = 2*Bc = 1572000. This is basing on a
> > > 4 Mbps CIR. Remember Bc/Be are expressed in bytes. Moreover because
> > > you want them to be able to burst beyond their CIR, you don't want
> > > the "exceed-action drop" action there. You can simply replace it
> > > with a "transmit" to make it working - but it wouldn't really have
> > > sense: you want to mark the excess burst to be able to handle it
> > > differently in periods of congestion.
> > >
> > > 3)
> > >
> > > If I understood correctly the etherchannel is a backbone link (P-P)
> > > so the question doesn't really apply. Btw, as far as I'm aware there
> > > shouldn't be any problems.
> > >
> > > Cheers,
> > > Paolo
> > >
> > > On Tue, Dec 04, 2007 at 01:38:21AM -0800, Bill ford wrote:
> > > > Guys,
> > > >
> > > >
> > > > Need your help on this...
> > > >
> > > >
> > > >
> > > > Here is the scenario:
> > > >
> > > > We have a Catalyst 6509 with Sup 720+Policy Feature Card 3 connected to the Internet gateway Switch (catalyst 3750G). We are running Layer 3 etherchannel between the Cat 6509 and Cat 3750G.
> > > >
> > > > We need to restrict the bandwidth for one of the customer.
> > > >
> > > > Requirement is as follows:
> > > >
> > > > CIR of 4 Mbps and burst up to 8 Mb based on availability.
> > > >
> > > > Thinking of using policing with ACLs based on the public IP address range on the customer, however few questions here.
> > > >
> > > > 1) Is it advisable to do Policing only on the Cat 6509s in both direction and avoid do any changes on the Cat 3750G. Is this the right way?
> > > >
> > > > 2) What should be the CIR, bc and be values to provide double the burst than CIR based on availability?
> > > >
> > > > Is the below statement correct? I believe Tc value for Cat 6509s is 0.00025 seconds, calculation is based on that.
> > > >
> > > > police cir 4194304 bc 2000 be 4000 conform-action transmit exceed-action drop violate-action drop
> > > >
> > > > 3) Is there any issues applying Policing on L3 etherchannels in both ways on Cat 6509s?
> > > >
> > > > Any help will be appreciated.
> > > > Thanks in advance,
> > > >
> > > > Bill