|
jeff6strings
34 posts
 |
We have a Cisco 3845 router and on the G0/0 interface we have our public switch with multiple public IP addresses (servers, routers, etc..) and on the S0/0 interface we have a DS3 Internet connection. I need to limit the bandwidth from the Internet (download) to one of the IP addresses on the G0/0 interface. I'm thinking of limiting to 256K and really need assistance with either a policy map or something equivalent. |
|
bluepackets
25 posts
 |
Is this to limit it at all times or only when you're under congestion? In general, I don't think you're going to be able to implement ingress per-destination shaping or policing with a policy-map on that router. I believe that feature is actually not available on many Cisco platforms (I believe the GSR and CRS do support it). If it's limiting under congestion, one way you can do it is via egress per-destination shaping or policing on that Gi0/0 interface towards the switch. Another issue is the fact that while your internet bandwidth is a DS3 or lower, the Gi0/0 interface is obviously 1000Mbps. If it's only used for Internet sourced traffic, you can shape the whole interface at 45Mbps (to ingest queuing when you hit that), then do further shaping under that to 256kbps for the traffic to that destination. If other traffic is traversing that Gi0/0 interface, you're going to have to use a 3 tier hierarchical policy, so that local, non-Internet traffic gets first, non-bottlenecked access to the media, other Internet traffic gets second, 45mbps-bottlenecked access to the media, and then finally, traffic toward that destination gets the rest. I believe you can do this on IOS 15 code. Another way you can get around the per-destination ingress shaping or policing limitation is to do a nifty little trick (I think this is how Cisco suggests doing a similar feature on ASRs). If you have enough interfaces, create two VRFs, say, VRF-InternetOutside and VRF-InternetInside, put the S0/0 interface into VRF-InternetOutside, another interface into VRF-InternetOutside, connect this interface to another on the same box which is in VRF-InternetInisde, and then finally put Gi0/0 into VRF-InternetOutside. You'll obviously have to configure your routing for this, but it should be pretty simple (the implementation is, the architectural design changes might not be!). Then, you can do per-destination egress shaping or policing internal to your box easily with the artificial 45mbps congestion point for the whole aggregate, then specifically to 256kbps for that address. This will only really be effective if the traffic is TCP based, as it will throttle back. If it's UDP, then what will happen is you'll waste aggregate Internet bandwidth and then just drop it before it's forwarded to the host. Finally, a third way is to create a subinterface on that Gi0/0 which is only used for that host. Put the host in the same VLAN on the switch and trunk it over and then do egress shaping or policing on that subinterface to 256kbps. |
|
jeff6strings
34 posts
|
Bluepackets, I greatly appreciate the detailed reply and with your information we are going to consider one of the solutions. Our biggest problem is video down from the Internet to an IP address which is an outside address for NAT for an inside subnet. We are thinking the video bandwidth on the DS3 will be consumed until it hits any controls on the router on our side defeating the purpose of the controls such as policy maps, etc.. |
|
mkomon
35 posts
 |
Bluepackets, there is no such thing as ingress shaping. Shaping can only be done on egress, policing on both ways. If the IP of the client that uses too much bandwith is known and static in time, it should be fairly easy to shape traffic for that host. You can match not only on destination IP but also on TCP ports and possibly video source (using NBAR, in class map configured with "match protocol …") or anything else that can help you specify the malicious traffic. Also WFQ queuing strategy in conjunction with shaping could help as well - but there is no simple way to configure this. It would requre good knowledge of the traffic traversing the router, WFQ and some tuning. |
|
jeff6strings
34 posts
|
mkomon, |
|
bluepackets
25 posts
|
mkomon: While on most platforms inbound shaping is not possible, it is available on the Cisco GSR (12k) and CRS platforms as I suggested. For a reference (see sections: Configuring Traffic Shaping and Traffic Shaping for an Input Interface on Cisco IOS XR Software: Example): http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.2/qos/configuration/guide/qc32cong.html#wp1020873 |
|
mkomon
35 posts
|
Hmmm interesting, thanks for pointing that out. I have always been taught shaping is not possible on the inbound direction but it seems it may be, depending on the HW platform architecture. Unfortunately I was not able to find any other documentation for such feature so I have no idea how inbound shaping is supposed to work. Do you have any details you could share? Thanks. |
|
bluepackets
25 posts
|
mkomon: Input shaping works pretty much the same as ouput shaping: traffic is put through a software queue averaged around a configured rate before being transmitted (in this, case onto the devices bus as opposed to onto a transmission media). The reason why most platforms don't support it is simply because the interfaces don't have the required software queues for ingress traffic. If you can get your hands on the slides from the Cisco Live "Designing Multipoint WAN QoS" breakout session (https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=2893 has all the details, plus the slides if you have the credentials), it actually goes into detail about the VRF solution I proposed for doing "ingress" shaping on non-supported devices. |
Viewing 1 - 8 of 8
- 1