Manta (Premium Member, join:2003-11-04, UK)

Traffic shaping question

I'm somewhat new (read: clueless) to traffic shaping and I'm hoping someone can point me in the right direction before I go messing around with a production environment.

Problem: Currently the mail traffic eats up most/all of the bandwidth a lot of the time [damn spammers] and this results in webserver performance looking poor.

Situation: I've got a Cisco 7204VXR with a managed 2Mbps SDSL connection to the internet. The SDSL line is handled by a Cisco 878, that I have no access to, and handed off as ethernet. The 7204VXR has a collection of FastEthernet and Ethernet ports with a machine or group of machines hanging off each active port.

Solution?: I had thought to set up traffic shaping on the outbound interface of the 7204VXR to shape the max outgoing to 2Mbps and then as a child-policy to shape the different sources so that mail traffic has a guaranteed minimum of 512kbps and is allowed to burst up to the full 2Mbps if nothing else is using it. The same for webserver traffic and other sources. Each of these sources is on a different IP so that should make categorising them easier.

I understand that I can only really affect outbound traffic and don't really have a lot of say over inbound. Does this all sound sensible/possible, or should I be looking at a different route?

Many thanks,

Gareth
meta (Member, join:2004-12-27)

That sounds sensible, I'm not sure how much of a performance gain you are going to see though. If your inbound pipe is clogged with crap from spammers, that would delay (or in some cases drop) legit website get/post requests. QoS needs to be approached on both sides of a bottleneck for maximum effect.

Your approach sounds feasible using a nested shaping policy (parent shape 2meg, child "bandwidth" 512k, next child X, next child Y).

When implementing QoS on a production environment, the best approach I can offer is to create the class-maps appropriately, then when creating the policy map, leave the actions off (don't use the shape or bandwidth commands, just use class CLASS_WHATEVER). That way it will match packets, show you that it is getting a relatively close to correct number of hits, and you will know that they are correct before you start actually mangling the traffic.

You might attempt to control the inbound congestion with a simple policer. Controlling the inbound mail volume might also improve performance.

I'll try to edit with a couple of class-maps and a parent/child policy-map in a minute.
Manta (Premium Member, join:2003-11-04, UK)

Thanks, I like the idea of matching without acting to test it's working, I'll definitely try that.

The incoming mail volume is limited by the number of active incoming sessions that the smtp server will accept before giving "busy", but the transfer speed each session runs at can be quite high as it's just set to fair-queue at the moment. If I can throttle the smtp when required to allow the webserver to breathe, it should alleviate the problem... the smtp is generally machine to machine so won't notice the slow-down, but the http is a person sitting waiting for the page to load and is going to moan if it takes longer than it takes them to think of a suitable curse for having to wait 0.4 seconds.
meta (Member, join:2004-12-27)

Below is the end to end config (I just tested it in my lab). Obviously I just made up some classes to match with ACLs, however it should be fairly straightforward. If you can classify the packets you want to throw in each bucket with an ACL, you should be in good shape.

conf t
 
ip access-list extended ACL_MATCH_SMTP
 permit tcp any any eq 25
 deny ip any any
exit
ip access-list extended ACL_MATCH_HTTP
 permit tcp any any eq 80
 deny ip any any
exit
ip access-list extended ACL_MATCH_HTTPS
 permit tcp any any eq 443
 deny ip any any
exit
ip access-list extended ACL_MATCH_SERVERGROUP4
 permit ip any 3.11.0.128 0.0.0.64
 permit ip 3.11.0.128 0.0.0.64 any
 deny ip any any
exit
 
class-map match-all CLASS_MAIL
  match access-group name ACL_MATCH_SMTP
 exit
class-map match-any CLASS_WEB
  match access-group name ACL_MATCH_HTTP
  match access-group name ACL_MATCH_HTTPS
 exit
class-map match-all CLASS_SERVERGROUP4
  match access-group name ACL_MATCH_SERVERGROUP4
 exit
 
policy-map POLICY_CHILD_SHAPE_2M
  class CLASS_MAIL
   bandwidth 512
  class CLASS_WEB
   bandwidth 1024
  class CLASS_SERVERGROUP4
   bandwidth 256
  class class-default
    fair-queue
   exit
 exit
 
policy-map POLICY_PARENT_SHAPE_2M
  class class-default
    shape average 2000000
    service-policy POLICY_CHILD_SHAPE_2M
   exit
 exit
 
int fa0/0
  service-policy output POLICY_PARENT_SHAPE_2M
 exit
 
alias exec diff show archive config differences nvram:startup-config system:running-config
 
end
 
diff
 
wr
 

I added a little bonus command alias (diff). I think it got truncated because of line length limits on this forum, so be careful when copy/pasting. The full command is:
"alias exec diff show archive config differences nvram:startup-config system:running-config"
I generally run it before and after every configuration to validate the changes. It's the best you can do in most IOS devices for config rollback without spending a bunch of cash on bloated complicated config mgmt software.

As I said before, just leave the bandwidth and shape commands out and you should see packets matching accordingly. You will want to use the "show policy-map interface fa0/0" command to validate that packets leaving are going via the correct buckets, and that there are no major drops, etc. Lots of good info in show policy-map int.

Cisco_3725#show policy-map int fa0/0 
 FastEthernet0/0 
 
  Service-policy output: POLICY_PARENT_SHAPE_2M
 
    Class-map: class-default (match-any)
      27 packets, 2534 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)  
          2000000/2000000   12500  50000     50000     25        6250     
 
        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         27        2534      0         0         no
 
      Service-policy : POLICY_CHILD_SHAPE_2M
 
        Class-map: CLASS_MAIL (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ACL_MATCH_SMTP
          Queueing
            Output Queue: Conversation 73 
            Bandwidth 512 (kbps)Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0
 
        Class-map: CLASS_WEB (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ACL_MATCH_HTTP
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: access-group name ACL_MATCH_HTTPS
            0 packets, 0 bytes
            5 minute rate 0 bps
          Queueing
            Output Queue: Conversation 74 
            Bandwidth 1024 (kbps)Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0
 
        Class-map: CLASS_SERVERGROUP4 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ACL_MATCH_SERVERGROUP4
          Queueing
            Output Queue: Conversation 75 
            Bandwidth 256 (kbps)Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0
 
        Class-map: class-default (match-any)
          27 packets, 2534 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any 
          Queueing
            Flow Based Fair Queueing
            Maximum Number of Hashed Queues 64 
        (total queued/total drops/no-buffer drops) 0/0/0
 
Manta (Premium Member, join:2003-11-04, UK)

Excellent, thanks for that. I'll give that a try and see what happens.

Two questions though:

The 'bandwidth' command. Say I set bandwidth of class CLASS_MAIL to 512. Will that shape it to a maximum of 512 or will it allow it to use any unused bandwidth but guarantee a minimum of 512?

Shape Average: Is it best to use 'average' rather than 'max' when the line is a max of 2Mbps? I'm just concerned that an average of 2Mbps would contain some rates in excess of 2Mbps that would get dropped... or am I getting the wrong idea about 'average'?

Many thanks,

Gareth
meta (Member, join:2004-12-27)

1) BANDWIDTH is the keyword to specify the minimum bandwidth guarantee for a class. The traffic will be guaranteed 512kbps of bandwidth, burstable to the full 2meg at which time it will be shaped down to 2meg.
There are other commands you can use here that mean different things.

2) shape average is the preferred method of shaping, the alternative being shape peak which I have never seen used in production. The words used are sometimes not the most clear, Cisco has good definitions on their site, but regardless I would stick with shape average.
average      configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
             send out Bc only per interval
peak         configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
             send out Bc+Be per interval 
 
Usually excess traffic won't be dropped unless the upstream device has a strict one-bucket policer applied, it should just be queued. Since we are shaping to 2meg the queueing on the upstream device should be very very minimal.

I need to hit the exercise bike before running into work. I'll try to check back in a couple hours for replies/questions/concerns.

Have a good day, good luck, etc...
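As an added example (not from the thread), the token-bucket arithmetic behind the 'average'/'peak' help text above, worked against the numbers the lab router printed in the earlier show policy-map output (CIR 2000000, Bc 50000, Be 50000 → interval 25 ms, increment 6250 bytes, byte limit 12500); the Shaper class and describe() are my own names, and the 8000-bit bucket is the one that appears in a later post in this thread.

```python
"""Token-bucket arithmetic behind IOS 'shape average' and 'shape peak'.

Added example, not from the thread. It reproduces the figures the lab router
printed for POLICY_PARENT_SHAPE_2M (CIR 2000000, Bc 50000, Be 50000 ->
interval 25 ms, increment 6250 bytes, byte limit 12500) and shows what
'peak' would send per interval with the same bucket.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Shaper:
    cir_bps: int   # committed information rate: the target/average rate
    bc_bits: int   # sustained burst, tokens added per interval (Bc)
    be_bits: int   # excess burst, extra tokens the bucket may hold (Be)

    @property
    def interval_ms(self) -> float:
        # Tc = Bc / CIR: how often the bucket is refilled.
        return self.bc_bits * 1000 / self.cir_bps

    @property
    def increment_bytes(self) -> int:
        # Bytes credited each interval (the 'Increment' column): Bc / 8.
        return self.bc_bits // 8

    @property
    def byte_limit(self) -> int:
        # Bucket capacity (the 'Byte Limit' column): (Bc + Be) / 8.
        return (self.bc_bits + self.be_bits) // 8

    def bits_per_interval(self, mode: str) -> int:
        # 'average' sends out Bc per interval; 'peak' sends out Bc + Be.
        if mode == "average":
            return self.bc_bits
        if mode == "peak":
            return self.bc_bits + self.be_bits
        raise ValueError(f"unknown shape mode: {mode}")

    def sustained_rate_bps(self, mode: str) -> float:
        # Rate when every interval is fully used: bits per interval divided by Tc.
        return self.bits_per_interval(mode) * self.cir_bps / self.bc_bits


def describe(shaper: Shaper) -> str:
    """Summary in the style of the 'Traffic Shaping' block of show policy-map."""
    return (f"interval {shaper.interval_ms:g} ms, increment {shaper.increment_bytes} B, "
            f"byte limit {shaper.byte_limit} B, average {shaper.sustained_rate_bps('average'):.0f} bps, "
            f"peak {shaper.sustained_rate_bps('peak'):.0f} bps")


if __name__ == "__main__":
    # Bucket the lab router chose for a bare 'shape average 2000000' (25 ms Tc).
    print(describe(Shaper(2_000_000, 50_000, 50_000)))
    # Bucket shown by the production router later in the thread (bc 8000, be 8000).
    print(describe(Shaper(2_000_000, 8_000, 8_000)))
```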
Manta (Premium Member, join:2003-11-04, UK)

Thanks DeepBlackMag, that's amazingly helpful. I'll try to have a play with those tomorrow and see what breaks! ;-D

Gareth
RolteC (Member, "The Need for Speed", join:2001-05-20, New York, NY)

This is a great thread, learned a good amount from it myself.

Now here is a question concerning this:

What if you want to limit a specific ACL match, or ip, to a specific amount of bandwidth and to never allow it to go over that? Like if I have a 1024Kbps line, and I only want to give PC1 512Kbps at max, is this possible?
cooldude9919 (Member, join:2000-05-29)

said by RolteC:

This is a great thread, learned a good amount from it myself.

Now here is a question concerning this:

What if you want to limit a specific ACL match, or ip, to a specific amount of bandwidth and to never allow it to go over that? Like if I have a 1024Kbps line, and I only want to give PC1 512Kbps at max, is this possible?
You can police or shape within a child policy. So something like this:

policy-map child
class pc1
police rate 512000
class pc2
bandwidth 256
class pc3
bandwidth 256

policy-map parent
class class-default
shape average 1000000
service-policy child

something along those lines should work.
peterhohngae (Member, join:2009-08-22, Santa Ana, CA) to Manta

wow, this forum is brilliant. I'm learning so much from this site. I'm going to try to absorb as much info as possible. Love it!
Manta (Premium Member, join:2003-11-04, UK)

Ok, I've got my shaping in place and I'm going to monitor it for a while and see what breaks!

Just one thing I found when I was doing it. If you specify the classes without limits like this:

policy-map qos-child-shape2mbps
  class qos-class-A
  class qos-class-B
  class qos-class-C
  class qos-class-D
  class class-default   
    fair-queue   
    
policy-map qos-shape2mbps
  class class-default   
    service-policy qos-child-shape2mbps
 

When you come to assign it to an interface it complains that you can't mix queue based child policy with a non queue based parent policy. I'm sure there's a better way to get round this but I just applied the "shape average 2000000" to the parent policy and then it would let me bind it to the interface. That let me shape the whole lot to 2Mbps but not specify different percentages of bandwidth to limit the child classes to.
Manta (Premium Member)

I've got things in place but I'm seeing drops on class-default, which currently has the 1% of bandwidth left over to it, as there shouldn't be much that I've not accounted for. How can I see what's getting matched as class-default or what gets dropped?

Many thanks,

Gareth

#show policy-map int e1/0
 Ethernet1/0
 
  Service-policy output: qos-shape2mbps
 
    Class-map: class-default (match-any)
      7671636 packets, 3016294295 bytes
      5 minute offered rate 664000 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/630/0
      (pkts output/bytes output) 7786687/2978337788
      shape (average) cir 2000000, bc 8000, be 8000
      target shape rate 2000000
 
      Service-policy : qos-child-shape2mbps
 
        Class-map: qos-class-A (match-all)
          3442332 packets, 1595931722 bytes
          5 minute offered rate 609000 bps, drop rate 0 bps
          Match: access-group name qos-A
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 1200299/600617793
          bandwidth 50% (1000 kbps)
 
        Class-map: qos-class-B (match-all)
          867955 packets, 1021028679 bytes
          5 minute offered rate 24000 bps, drop rate 0 bps
          Match: access-group name qos-B
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 265245/288039303
          bandwidth 25% (500 kbps)
 
        Class-map: qos-class-C (match-all)
          2849491 packets, 269400743 bytes
          5 minute offered rate 1000 bps, drop rate 0 bps
          Match: access-group name qos-C
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 988081/87217990
          bandwidth 12% (240 kbps)
 
        Class-map: qos-class-D (match-all)
          4444 packets, 1402105 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name qos-D
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 158/74236
          bandwidth 12% (240 kbps)
 
        Class-map: class-default (match-any)
          507415 packets, 128531026 bytes
          5 minute offered rate 7000 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops/flowdrops) 0/630/0/630
          (pkts output/bytes output) 5332904/2002388466
          Fair-queue: per-flow queue limit 16
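
As an added example (not the thread's own code), a small parser that pulls the per-class hit and drop counters out of show policy-map interface output, which is what meta recommended checking earlier and what this question is about; SAMPLE is a constructed, abridged excerpt in the format above, and the function and class names are my own.

```python
"""Per-class hits and drops from 'show policy-map interface' output.
Added example, not from the thread: reads off what meta suggested checking
(packets landing in the intended class, and any drops) and handles both
counter-line formats seen in the thread."""
import re
from dataclasses import dataclass

# Constructed, abridged excerpt in the format of the output above.
SAMPLE = """\
  Service-policy output: qos-shape2mbps
    Class-map: class-default (match-any)
      7671636 packets, 3016294295 bytes
      (queue depth/total drops/no-buffer drops) 0/630/0
      Service-policy : qos-child-shape2mbps
        Class-map: qos-class-A (match-all)
          3442332 packets, 1595931722 bytes
          (queue depth/total drops/no-buffer drops) 0/0/0
        Class-map: qos-class-B (match-any)
          867955 packets, 1021028679 bytes
          Match: access-group name qos-B
            0 packets, 0 bytes
          (depth/total drops/no-buffer drops) 0/0/0
        Class-map: class-default (match-any)
          507415 packets, 128531026 bytes
          (queue depth/total drops/no-buffer drops/flowdrops) 0/630/0/630
"""
POLICY_RE = re.compile(r"Service-policy\s*(?:output)?\s*:\s*(\S+)")
CLASS_RE = re.compile(r"Class-map:\s+(\S+)\s+\(match-\w+\)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, \d+ bytes")
DROPS_RE = re.compile(r"\(([^)]*total drops[^)]*)\)\s+([\d/]+)")

@dataclass
class ClassStats:
    policy: str
    name: str
    packets: int = 0
    drops: int = 0

def parse_policy_map(text: str) -> list[ClassStats]:
    stats: list[ClassStats] = []
    policy, cur = "", None   # policy we are currently inside (parent or child)
    for line in text.splitlines():
        if m := POLICY_RE.search(line):
            policy = m.group(1)
        elif m := CLASS_RE.search(line):
            cur = ClassStats(policy, m.group(1))
            stats.append(cur)
        elif cur and cur.packets == 0 and (m := PKTS_RE.match(line)):
            # First counter line after the header is the class total; match-any
            # classes repeat '<n> packets' under each individual Match line.
            cur.packets = int(m.group(1))
        elif cur and (m := DROPS_RE.search(line)):
            # Select the 'total drops' field by its label so both formats work.
            labels = [x.strip() for x in m.group(1).split("/")]
            cur.drops = int(m.group(2).split("/")[labels.index("total drops")])
    return stats

def share_report(stats: list[ClassStats]) -> list[str]:
    # Per class: share of its own policy's packets, so misclassification stands out.
    out = []
    for s in stats:
        total = sum(x.packets for x in stats if x.policy == s.policy) or 1
        out.append(f"{s.policy}/{s.name}: {s.packets} pkts "
                   f"({100 * s.packets / total:.1f}%), drops={s.drops}")
    return out
```

Run `share_report(parse_policy_map(SAMPLE))` and the two class-default entries (parent and child) are the only ones carrying drops, mirroring the output above.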
 
 
meta (Member, join:2004-12-27)

There are probably several ways, can you post the full QoS config? (ACLs, class-maps, policy-maps, interface config in that order)
On a side note, usually I would recommend against naming objects like that. It's really important that your configuration be self-documenting so that someone (usually you) can come back in 6 or 8 months and remember what access-list 44 was actually doing.
Manta (Premium Member, join:2003-11-04, UK)

Thanks DeepBlackMag. That's a fair point on the naming, I have trouble remembering what I was doing 6 to 8 minutes ago, let alone months! Most of my ACLs are heavily remarked and the names of things are more descriptive, but for the sake of obfuscating whose live system this is, I've replaced the descriptive part with A/B/C/D.

I have a number of VPN tunnels to other sites from this system. They're all tunnel interfaces running GRE which is then tunneled over IPSEC. It gives me the convenience of having an interface for each such connection so I can quickly and easily see what's up and what's down. I've added 'qos pre-classify' to all of these as shown.

ip access-list extended qos-A
 permit ip host x.y.z.46 any
ip access-list extended qos-B
 permit ip host x.y.z.48 any
ip access-list extended qos-D
 permit ip host 10.0.0.7 any
 permit ip host 10.0.0.9 any
ip access-list extended qos-C
 permit ip host x.y.z.18 any
!
class-map match-all qos-class-D
 match access-group name qos-D
class-map match-all qos-class-A
 match access-group name qos-A
class-map match-all qos-class-B
 match access-group name qos-B
class-map match-all qos-class-C
 match access-group name qos-C
!
!
policy-map qos-child-shape2mbps
 class qos-class-A
    bandwidth percent 50
 class qos-class-B
    bandwidth percent 25
 class qos-class-C
    bandwidth percent 12
 class qos-class-D
    bandwidth percent 12
 class class-default
    fair-queue
policy-map qos-shape2mbps
 class class-default
    shape average 2000000
  service-policy qos-child-shape2mbps
!
!
interface Ethernet1/0
 description Outside interface
 bandwidth 2048
 ip address x.y.z.34 255.255.255.248
 ip access-group outside-ingress in
 ip access-group outside-egress out
 ip nat outside
 ip virtual-reassembly
 duplex half
 ntp disable
 no cdp enable
 crypto map vpn-tunnel
 service-policy output qos-shape2mbps
!
interface Tunnel200
 description GRE Tunnel carried over IPSEC
 ip unnumbered Loopback200
 ip tcp adjust-mss 1440
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback200
 tunnel destination 192.168.200.100
 
meta (Member, join:2004-12-27)

Create an ACL to exclude known traffic: (yes, KNOWN traffic is permitted WITHOUT LOGGING, while traffic NOT known is logged by the last line)

ip access-list extended ACL_LOG_UNKNOWN
 permit ip host x.y.z.46 any   
 permit ip host x.y.z.48 any   
 permit ip host 10.0.0.7 any   
 permit ip host 10.0.0.9 any   
 permit ip host x.y.z.18 any   
 permit ip any any log-input
end
 
Then apply that in on the LAN interface. Provided you have terminal monitor enabled, you should start seeing packets going through that will hit the class-default of your service policy (the log entry at the end of the ACL).
AJR2 (Member, join:2009-03-18, Alabaster, AL) to Manta

Instead of matching against ACLs in your class-maps, you might want to consider using NBAR.

NBAR allows you to match specific protocols by using the "match protocol protocol-name" command under your class-map config.

For example:

class-map match-any Mail
match protocol smtp

For more info on NBAR: »www.cisco.com/en/US/docs ··· p1003102
meta (Member, join:2004-12-27)

Contrary to popular belief, the protocol definitions used in NBAR (for all their CPU-sucking goodness) are generally something stupid like "match tcp port 22".

This obfuscation has caused me great pains in the past trying to classify traffic where the Cisco protocol definition was weak or poorly constructed.

In fact, below is how I'm customizing NBAR on one set of routers:
STL-R3745#show run | I nbar
ip nbar port-map ssh tcp 22 22714 
ip nbar port-map irc tcp 6667 64313 
ip nbar port-map secure-http tcp 443 444 61803 
ip nbar custom msrdp tcp 3389 3388  
ip nbar custom ventrilo tcp 3784