[c-nsp] Policing Question

Frank Bulk frnkblk at iname.com
Fri Dec 7 23:49:05 EST 2007 

It appears that WRED is not supposed on the WS-X6748-GE-TX...the
"random-detect" command is not listed.

The closest is "wrr-queue random-detect", but the queue id's match up to "1
for the standard low-priority queue, 2 is for the standard high-priority
queue, and 3 is for strict priority", and I'm not doing any QoS that would
put packets in those queues.

Frank 

-----Original Message-----
From: Fred Reimer [mailto:freimer at ctiusa.com] 
Sent: Thursday, December 06, 2007 10:12 AM
To: frnkblk at iname.com; Paolo Lucente; Bill ford
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Policing Question

You want WRED then.  You are getting global TCP synchronization.  That's
where all of the TCP streams are transmitting and then you hit your maximum
bandwidth and packets get dropped from all streams.  So TCP will back off
and slow things down, on all streams.  Then they see that no more packets
are being dropped, so will crank up the throughput again (open up the
window), and your bandwidth will start going up again.  You eventually hit
your policing level and start all over again.

You want WRED where you selectively drop packets before you actually reach
the policing level.  This will slow some TCP streams down and even out the
aggregate bandwidth curve.  Then those streams will speed back up after a
bit, while you drop packets from other random streams.

What you probably have now is tail drop, where you are dropping all new
packets once you reach the maximum.  That causes the TCP window
synchronization.

You can read more here:

http://www.cisco.com/application/pdf/en/us/guest/products/ps4032/c2001/ccmig
ration_09186a008011dfed.pdf

I'd also recommend you do a search on Amazon for "Cisco qos" and order some
of the books on the subject.


Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iNAME
Sent: Wednesday, December 05, 2007 11:51 PM
To: 'Paolo Lucente'; Bill ford
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Policing Question

We have a 7609-S with a SUP720C and DFC3C's on our 10/100/1000 cards.  It
appears that we can't do shaping.  

Our first attempt at policing on the outbound shows that it's very choppy --
bursts of traffic 2 to 4x more than CIR, and then 0, and then back again. It
drops to 0, I believe, because the policer kciks in.  Is there any way to
smooth things out?

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paolo Lucente
Sent: Wednesday, December 05, 2007 5:14 AM
To: Bill ford
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Policing Question

Hi Bill,

Fred already correctly commented most of the points. Policing is
widely supported but shaping is hardware-dependent. FlexWANs and
SIPs for example support shaping. But the key point is you really
want to shape egress traffic to the customer to put in force an
SLA with them.

Also for egress shaping purposes you might also want to check
whether the SRR scheduling algorithm applies. I've personally
used it for smooth rate-limiting purposes on lower-range switches
(2960s); it works nicely but it's coarse grained (interface-wide)
and suspect it might not cope with your Etherchannel there.

Previous Bc/Be suggestions were OK for software-based policing;
going the PFC way (hardware-based QoS) then yours were correct:
Bc of 2000 bytes and Be of 4000 bytes - which generously take
into account a bucket replenishment of 4ms (which is recommended
to make sure the switch can sustain the configured rate, this is
also why you should modify it to 4000000 from 4194304; otherwise
you may need to raise Bc/Be values just a little bit).

Hope this helps.

Cheers,
Paolo

On Tue, Dec 04, 2007 at 10:42:15AM -0800, Bill ford wrote:
>
> Thanks Guys..
>
> So seeing the rough diagram depiction and Etherchannel between the Cat
3750 and Cat 6500, is it right to assume that Police will be applied to
Etherchannel out direction and Shaping to Etherchannel in direction? Also
there is no voice traffic.
>
> Etherchannel out Police
> Etherchannel in shape
>
> (Internet)--Cat3750--(L3 Etherchannel)--Cat6500---Customer
>
> Also, can some through the bc and be values for both shaping and policing
for cat 6500 with the below requirement.
>
> CIR of 4 Mbps and burst up to 8 Mb  based on availability.
>
> Also check this URL link talking about burst rate calculation using
policing on Cat 6500, looks a bit different than that on router especially
with tc value mentioned as 0.00025 seconds. Paolo had given the calculation
however based on this document it looks to be bit different on cat 6500.
>
>
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note0918
6a00801c8c4b.shtml
>
> Thanks in advance for all your help.
>
> Cheers,
>
> Bill
>
>
> Fred Reimer <freimer at ctiusa.com> wrote: I believe Paolo was trying to say
that you don't want to do just
> policing for traffic to cap it at a maximum rate without having
> shaping somewhere in the picture.  It is recommended to use
> policing for traffic such as VoIP, where you know the exact
> bandwidths and you can police any traffic over those rates,
> because the traffic should never exceed those rates.  If you
> police general traffic you will get TCP synchronization, which is
> a bad thing.  I'm assuming you don't do any CBWFQ preemptive
> dropping.  If you have to do this and can't shape you should at
> least tell your customer that you will police at a given rate,
> and Strongly recommend that they shape on their side of the
> connection.  Policing to 10Mbps on a 100Mbps connection is NOT
> the same as having a 10Mbps connection.  Shaping to 10Mbps on a
> 100Mbps connection is not either, but it is a heck of a lot
> closer.
>
> It also depends on what direction you plan on policing.  In
> general you should shape on the outbound and police on the
> inbound, although you can police on the outbound also if you have
> traffic that should be policed, like VoIP or other constant
> bit-rate traffic.  This, of course, depends on the capabilities
> of the particular hardware you are doing.  Cisco has manuals for
> their hardware.
>
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
>
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Bill ford
> > Sent: Tuesday, December 04, 2007 12:40 PM
> > To: Paolo Lucente
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Policing Question
> >
> > Hi Paolo,
> >
> > Let me just summarize the scenario maybe it was not clear.
> >
> > Find below a short depiction.
> >
> > ----(Internet)---Cat3750---(L3 Etherchannel)----Cat6500----
> > Customer
> >
> > Planning to apply bandwidth restriction(policing) on the L3
> > Etherchannel between 3750G and Cat 6500. Maybe this will
> > clear up the confusion a bit.
> >
> >
> > Also check this URL link talking about burst rate
> > calculation using policing on Cat 6500.
> >
> > http://www.cisco.com/en/US/products/hw/switches/ps700/produc
> > ts_tech_note09186a00801c8c4b.shtml
> >
> > Any insight on this will be great..
> >
> > Cheers,
> >
> > Bill
> >
> > Paolo Lucente
>  wrote: Hi Bill,
> >
> > 1)
> >
> > i would recommend you to police ingress traffic from the
> > customer
> > and shape egress traffic to the customer. This gives you
> > several
> > benefits including ease of configuration your side (limited
> > to the
> > 6509 box only) and smooth congestion management.
> >
> > If it's an un-managed CE solution advice your customer he
> > has to
> > shape egress traffic on his CPE. This is to avoid TCP
> > traffic from
> > performing very badly when hitting your policer.
> >
> > 2)
> >
> > I believe it's the shaping Tc value you are referring to -
> > but your
> > question is about policing. I would point the following two
> > values:
> > Bc = (CIR/8)*1.5 = 786000; Be = 2*Bc = 1572000. This is
> > basing on a
> > 4 Mbps CIR. Remember Bc/Be are expressed in bytes. Moreover
> > because
> > you want them to be able to burst beyond their CIR, you
> > don't want
> > the "exceed-action drop" action there. You can simply
> > replace it
> > with a "transmit" to make it working - but it wouldn't
> > really have
> > sense: you want to mark the excess burst to be able to
> > handle it
> > differently in periods of congestion.
> >
> > 3)
> >
> > If i understood correctly the etherchannel is a backbone
> > link (P-P)
> > so the question doesn't reaply apply. Btw, as far as i'm
> > aware there
> > shouldn't be any problems.
> >
> > Cheers,
> > Paolo
> >
> > On Tue, Dec 04, 2007 at 01:38:21AM -0800, Bill ford wrote:
> > > Guys,
> > >
> > >
> > > Need your help on this...
> > >
> > >
> > >
> > > Here is the  scenario:
> > >
> > >  We have a Catalyst 6509 with Sup  720+Policy Feature Card
> > 3 connected to the Internet gateway Switch (catalyst
> > 3750G). We are running Layer 3 etherchannel between the Cat
> > 6509 and Cat  3750G.
> > >
> > >  We need to restrict the bandwidth  for one of the
> > customer.
> > >
> > >  Requirement is as  follows:
> > >
> > >  CIR of 4 Mbps and burst up to 8 Mb  based on
> > availability.
> > >
> > >  Thinking of using policing with ACLs  based on the public
> > IP address range on the customer, however few questions
> > here.
> > >
> > >  1) Is it advisable to do Policing  only on the Cat 6509s
> > in both direction and avoid do any changes on the Cat
> > 3750G. Is this the right way?
> > >
> > >  2) What should be the CIR, bc and be  values to provide
> > double the burst than CIR based on avaliability?
> > >
> > >  Is the below statement correct? I  believe Tc value for
> > Cat 6509s is 0.00025 seconds, calculation is based on  that.
> > >
> > >  police cir 4194304 bc 2000 be 4000  conform-action
> > transmit exceed-action drop violate-action  drop
> > >
> > >  3) Is there any issues applying  Policing on L3
> > etherchannels in both ways on Cat  6509s?
> > >
> > >  Any help will be  appreciated.
> > >  Thanks in advance,
> > >
> > > Bill
> >
> >
> >
> >
> > ---------------------------------
> > Get easy, one-click access to your favorites.  Make Yahoo!
> > your homepage.
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
>
> ---------------------------------
> Be a better sports nut! Let your teams follow you with Yahoo Mobile. Try
it now.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list