[c-nsp] traffic policing on 7600

Jiří Procházka jiri.prochazka at superhosting.cz
Thu Sep 30 17:11:08 EDT 2010


Hi,

I'm trying to limit outgoing traffic from our PE router (7606, 12.2(33)SRD4) 
from 'whatever' source (inside our network) to transit lines.

This router is the only one with active full BGP feeds, so whole traffic 
flowing to transit is going through this box.

What I am trying to accomplish is an option to limit exact source IPs to a 
certain bandwidth to _all_ transit lines together.

(note: All lines which I would like to shape are terminated in the same 
card, WS-X6708-10GE)


So far I'm only able to shape (police, to be precise) each outgoing 
interface (SVI) separately. All physical interfaces are L2 switched, routed 
over SVIs.

Each transit connection is terminated in a different VLAN & SVI.


I'm policing only one transit connection so far, with the following settings ->

! classify traffic
ip access-list standard acl_cust_funpower
permit 88.86.x.x 0.0.0.31

! class map
class-map match-all class_shape_funpower
  match access-group name acl_cust_funpower

! policy map
policy-map policy_shape_transit1
  class class_shape_funpower
    police cir 5000000
     conform-action transmit
     exceed-action drop

! service applied to SVI
interface Vlan31
 description TRANZIT-1
 ip address 149.6.x.x 255.255.255.248
 ip flow ingress
 ip flow egress
 load-interval 30
 service-policy output policy_shape_transit1
end


This is of course working without any problem. But how can I achieve a state 
where _ALL_ transit traffic generated by some IP will be policed to a certain 
traffic level?
Limiting each transit connection in proportion to the total number of transit 
lines is not an option :-).


Solutions which I tried without success ->

1) All physical transit ports in one shared L2 segment (VLAN).

Not secure. Not applicable because of
a) the MAC limit which some (most :) ) operators have.
b) more tagged VLANs with more BGP sessions over MPLS. VLAN mapping could be 
a solution, but again, a) is a problem.

2) Use of PVLAN (thus eliminating spreading of MACs)
Here I got stuck on a limitation of VTP1 (which we use).. it's unable to 
transmit information over PVLANs..
I'm still thinking of this and PVLAN is imho the hottest candidate which 
could help me solve this issue.


Thank you for any suggestions!




Jiri Prochazka
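Added configuration sketch (not part of the post above, and not something the poster reports having tried): on the PFC3/DFC3-based 6500/7600 platform a named aggregate policer (`mls qos aggregate-policer` in global config, referenced with `police aggregate` inside the class) shares one token bucket among every interface the policy is attached to, which is the "one limit across all transit SVIs" behaviour the post asks for. Assumptions, labelled in the comments: the second SVI (Vlan32) is hypothetical, the burst value is constructed, and the ACL keeps the post's own redacted prefix. Whether a single aggregate policer really spans all of these SVIs depends on their egress traffic being handled by the same forwarding engine (the post says all transit lines terminate on the same WS-X6708), which has to be confirmed on the box.

```cisco
! Added example: one shared egress policer for several transit SVIs.
! Assumes PFC3/DFC3 hardware QoS and that all listed SVIs are served by the
! same forwarding engine (same line card, as stated in the post).
mls qos
!
! One token bucket for the whole customer, shared by every policy instance.
! 5000000 bit/s matches the post; the 156250-byte burst is a constructed value.
mls qos aggregate-policer agg_cust_funpower 5000000 156250 conform-action transmit exceed-action drop
!
! Classification, unchanged from the post (prefix redacted as in the post).
ip access-list standard acl_cust_funpower
 permit 88.86.x.x 0.0.0.31
!
class-map match-all class_shape_funpower
 match access-group name acl_cust_funpower
!
! The policy references the aggregate policer instead of carrying its own rate.
policy-map policy_shape_transit_all
 class class_shape_funpower
  police aggregate agg_cust_funpower
!
! Same policy on every transit SVI: all attachments draw from the one bucket.
interface Vlan31
 description TRANZIT-1
 service-policy output policy_shape_transit_all
!
interface Vlan32
 description TRANZIT-2 (hypothetical second transit SVI, not in the post)
 service-policy output policy_shape_transit_all
```

After attaching the policy, `show mls qos aggregate-policer agg_cust_funpower` lists the interfaces sharing the policer and `show policy-map interface vlan 31` shows conform/exceed counters per SVI; if the counters on the two SVIs add up to the configured rate rather than each reaching it independently, the policer is in fact shared.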




