[c-nsp] shaping outbound

Arie Vayner (avayner) avayner at cisco.com
Sun Dec 25 13:02:55 EST 2011


If I read your request correctly, you are not an ISP, but just want to manage your site's ISP connection... Right?
If this is true, you most likely do not want to police your class-default...

You should most likely police any specific class with traffic that is known to overload the link (for example downloads, YouTube, etc) but let the other kinds of traffic be able to burst to the full line speed (assuming they are not overloading it constantly).
If your link is 50M (like you state), and you apply the below policy, on average, your link would never get to over 30Mbps...

BTW, if you have abusive UDP applications (very rare in normal Internet environments) then "it's too late" to police, even though it is not completely useless, as the final effect would be that the specific UDP-based application, which in reality needs (let's say) 20Mbps, but you allow it only 10Mbps, would starve for bandwidth, and the users would not get the actual thing to work properly. So if they are "your" users (for example if you are the IT person at the same company), you would eventually get a call ;-)


-----Original Message-----
From: Dan Letkeman [mailto:danletkeman at gmail.com] 
Sent: Saturday, December 24, 2011 23:35
To: Arie Vayner (avayner)
Cc: cisco-nsp
Subject: Re: [c-nsp] shaping outbound

Ok, so my solution would look something like this:

class-map match-any application
 match protocol http

policy-map inbound
 class application
  police 10000000 1000000....
 class class-default
  police 20000000 2000000....

interface g0/1
 service-policy input inbound

And this would police http traffic to 10mbps and all other traffic to 20mbps.

Are there any recommendations on the police command to limit the amount of drops I get from doing this?

I do have an ASA5520 in front of this router, is there any way of utilizing that to shape the traffic?


On Sat, Dec 24, 2011 at 3:06 PM, Arie Vayner (avayner) <avayner at cisco.com> wrote:
> Dan,
> On the ingress direction,  you can apply a policer on specific 
> classes, and limit the rate.
> As you are most likely talking about TCP based applications, policing 
> them would make the applications regulate their download rate.
> Arie
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Saturday, December 24, 2011 22:49
> To: cisco-nsp
> Subject: [c-nsp] shaping outbound
> Hello,
> I'm confused as to when and where it is possible to shape traffic.  I 
> have a 50Mbps internet connection from our ISP and I would like to 
> shape some of the download traffic using our 2821.  Here is what I have set up:
> lan users ----- g0/0 - 2821 - g0/1 ------internet
> Currently I have no way of limiting someone from using up the entire 
> pipe.  My thought was to add a policy-map in the outbound direction on 
> the G0/0 interface and shape based on NBAR protocols or something like 
> that.   Apparently this is not the correct way to do this....If I 
> apply a policy-map in the outbound direction on G0/1 this helps 
> nothing because it only shapes the upload traffic which is minimal at 
> peak times.
> Any idea on how to go about this?  Or am I stuck with buying a 
> ridiculously expensive packet shaper or something of the sorts?
> Thanks,
> Dan.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
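
The arithmetic behind the reply's 30 Mbps figure, as an added example that is not part of the original thread: a token-bucket policer simulated over constant-rate, non-adaptive flows (an assumption; TCP senders would back off). The offered loads, the function names and the reading of the second `police` number as a burst in bytes are assumptions.

```python
# Added illustration, not from the thread: single-rate token-bucket policer
# (conform = transmit, exceed = drop). Offered loads are constructed.
PKT_BYTES = 1500

def police(offered_bps, rate_bps, burst_bytes, seconds=60):
    """Delivered Mbps for a constant-rate, non-adaptive flow.
    rate_bps=None means the class has no policer."""
    if rate_bps is None:
        return offered_bps / 1e6
    interval = PKT_BYTES * 8 / offered_bps       # seconds between packets
    refill = rate_bps / 8 * interval             # token bytes earned per interval
    tokens = float(burst_bytes)                  # bucket starts full
    delivered = 0
    for _ in range(int(seconds / interval)):
        tokens = min(burst_bytes, tokens + refill)
        if tokens >= PKT_BYTES:                  # conform: transmit
            tokens -= PKT_BYTES
            delivered += PKT_BYTES
        # else exceed: drop, after the packet already crossed the ISP link
    return delivered * 8 / seconds / 1e6

def site_throughput(policy, offered):
    """policy: class -> (rate_bps, burst_bytes) or None; offered: class -> bps.
    Returns (Mbps arriving on the link, Mbps delivered to the LAN)."""
    delivered = 0.0
    for cls, bps in offered.items():
        rate, burst = policy.get(cls) or (None, 0)
        delivered += police(bps, rate, burst)
    return sum(offered.values()) / 1e6, delivered

# Constructed load that fills the 50 Mbps link: 15M http + 35M everything else.
OFFERED = {"application": 15_000_000, "class-default": 35_000_000}

# Policy as posted: both classes policed (second number taken as burst bytes).
POSTED = {"application": (10_000_000, 1_000_000),
          "class-default": (20_000_000, 2_000_000)}
# Policy as suggested in the reply: only the heavy class is policed.
SUGGESTED = {"application": (10_000_000, 1_000_000), "class-default": None}

if __name__ == "__main__":
    for name, pol in (("posted", POSTED), ("suggested", SUGGESTED)):
        link, lan = site_throughput(pol, OFFERED)
        print(f"{name:9s} link={link:.0f} Mbps  delivered={lan:.1f} Mbps")
```

With both classes policed, about 30 Mbps reaches the LAN while the link still carries 50 Mbps of non-adaptive traffic; leaving class-default unpoliced delivers about 45 Mbps from the same load.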
