Manta Premium Member join:2003-11-04 UK |
Manta
Premium Member
2009-Aug-20 7:09 am
Traffic shaping question
I'm somewhat new (read: clueless) to traffic shaping and I'm hoping someone can point me in the right direction before I go messing around with a production environment.
Problem: Currently the mail traffic eats up most/all of the bandwidth a lot of the time [damn spammers] and this results in webserver performance looking poor.
Situation: I've got a Cisco 7204VXR with a managed 2Mbps SDSL connection to the internet. The SDSL line is handled by a Cisco 878, that I have no access to, and handed off as ethernet. The 7204VXR has a collection of FastEthernet and Ethernet ports with a machine or group of machines hanging off each active port.
Solution?: I had thought to set up traffic shaping on the outbound interface of the 7204VXR to shape the max outgoing to 2Mbps and then as a child-policy to shape the different sources so that mail traffic has a guaranteed minimum of 512kbps and is allow to burst up to the full 2Mbps if nothing else is using it. The same for webserver traffic and other sources. Each of these sources is on a different IP so that should make categorising them easier.
I understand that I can only really affect outbound traffic and don't really have a lot of say over inbound. Does this all sound sensible/possible? or should I be looking at a different route?
Many thanks,
Gareth
meta
Member
2009-Aug-20 7:43 am
That sounds sensible, I'm not sure how much of a performance gain you are going to see though. If your inbound pipe is clogged with crap from spammers, that would delay (or in some cases drop) legit website get/post requests. QOS needs to be approached on both sides of a bottleneck for maximum effect.
Your approach sounds feasible using a nested shaping policy (parent shape 2meg, child "bandwidth" 512k, next child X, next child Y).
When implementing QOS on a production environment, the best approach I can offer is to create the class-maps appropriately, then when creating the policy map, leave the actions off (don't use the shape or bandwidth commands, just use class CLASS_WHATEVER). That way it will match packets, show you that it is getting a relatively close to correct number of hits, and you will know that they are correct before you start actually mangling the traffic.
You might attempt to control the inbound congestion with a simple policer. Controlling the inbound mail volume might also improve performance.
I'll try to edit with a couple class-maps and parent/child policy-map in a minute.
Manta
Premium Member
2009-Aug-20 7:50 am
Thanks, I like the idea of matching without acting to test it's working, I'll definitely try that.
The incoming mail volume is limited by the number of active incoming sessions that the smtp server will accept before giving "busy", but the transfer speed each session runs at can be quite high as it's just set to fair-queue at the moment. If I can throttle the smtp when required to allow the webserver to breathe, it should alleviate the problem... the smtp is generally machine to machine so won't notice the slow-down, but the http is a person sitting waiting for the page to load and is going to moan if it takes longer than it takes them to think of a suitable curse for having to wait 0.4 seconds.
meta
Member
2009-Aug-20 8:09 am
Below is the end to end config (I just tested it in my lab). Obviously I just made up some classes to match with ACLs, however it should be fairly straightforward. If you can classify the packets you want to throw in each bucket with an ACL, you should be in good shape.
conf t
ip access-list extended ACL_MATCH_SMTP
 permit tcp any any eq 25
 deny ip any any
 exit
ip access-list extended ACL_MATCH_HTTP
 permit tcp any any eq 80
 deny ip any any
 exit
ip access-list extended ACL_MATCH_HTTPS
 permit tcp any any eq 443
 deny ip any any
 exit
ip access-list extended ACL_MATCH_SERVERGROUP4
 permit ip any 3.11.0.128 0.0.0.64
 permit ip 3.11.0.128 0.0.0.64 any
 deny ip any any
 exit
class-map match-all CLASS_MAIL
 match access-group name ACL_MATCH_SMTP
 exit
class-map match-any CLASS_WEB
 match access-group name ACL_MATCH_HTTP
 match access-group name ACL_MATCH_HTTPS
 exit
class-map match-all CLASS_SERVERGROUP4
 match access-group name ACL_MATCH_SERVERGROUP4
 exit
policy-map POLICY_CHILD_SHAPE_2M
 class CLASS_MAIL
  bandwidth 512
 class CLASS_WEB
  bandwidth 1024
 class CLASS_SERVERGROUP4
  bandwidth 256
 class class-default
  fair-queue
  exit
 exit
policy-map POLICY_PARENT_SHAPE_2M
 class class-default
  shape average 2000000
  service-policy POLICY_CHILD_SHAPE_2M
  exit
 exit
int fa0/0
 service-policy output POLICY_PARENT_SHAPE_2M
 exit
alias exec diff show archive config differences nvram:startup-config system:running-config
end
diff
wr
I added a little bonus command alias (diff). I think it got truncated because of line length limits on this forum, so be careful when copy/pasting. The full command is: "alias exec diff show archive config differences nvram:startup-config system:running-config". I generally run it before and after every configuration to validate the changes. It's the best you can do in most IOS devices for config rollback without spending a bunch of cash on bloated complicated config mgmt software. As I said before, just leave the bandwidth and shape commands out and you should see packets matching accordingly. You will want to use the "show policy-map interface fa0/0" command to validate that packets leaving are going via the correct buckets, and that there are no major drops, etc. Lots of good info in show policy-map int.
Cisco_3725#show policy-map int fa0/0
FastEthernet0/0
Service-policy output: POLICY_PARENT_SHAPE_2M
Class-map: class-default (match-any)
27 packets, 2534 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
2000000/2000000 12500 50000 50000 25 6250
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 27 2534 0 0 no
Service-policy : POLICY_CHILD_SHAPE_2M
Class-map: CLASS_MAIL (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ACL_MATCH_SMTP
Queueing
Output Queue: Conversation 73
Bandwidth 512 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: CLASS_WEB (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ACL_MATCH_HTTP
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name ACL_MATCH_HTTPS
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 74
Bandwidth 1024 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: CLASS_SERVERGROUP4 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ACL_MATCH_SERVERGROUP4
Queueing
Output Queue: Conversation 75
Bandwidth 256 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
27 packets, 2534 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 64
(total queued/total drops/no-buffer drops) 0/0/0
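The advice above is to read "show policy-map interface" before and after turning the actions on and check that the hit counts look right and that no class is dropping. On a router with several classes and a nested child policy that is a lot of screen to eyeball, so here is a small parser for that output, written for this thread as an added example (it is not Cisco code and not something the posters supplied). It pulls the packet count, offered rate and total-drops counter out of every class-map block, keeps track of which policy (parent or child) each block belongs to, and lists the classes with a non-zero drop counter. The sample text is a trimmed copy of the output posted later in the thread; the regexes assume that IOS 12.4-era layout, including both the older "(depth/...)" and newer "(queue depth/...)" counter lines.

```python
"""Parse 'show policy-map interface' output and report per-class counters.

Added example, not from the thread or from Cisco. SAMPLE is a trimmed copy of
the output posted in this thread (parent policy, nested child policy, one
block per class-map); the regexes target that layout.
"""
import re

SAMPLE = """\
Ethernet1/0
 Service-policy output: qos-shape2mbps
  Class-map: class-default (match-any)
   7671636 packets, 3016294295 bytes
   5 minute offered rate 664000 bps, drop rate 0 bps
   Match: any
   Queueing
   queue limit 64 packets
   (queue depth/total drops/no-buffer drops) 0/630/0
   shape (average) cir 2000000, bc 8000, be 8000
   Service-policy : qos-child-shape2mbps
    Class-map: qos-class-A (match-all)
     3442332 packets, 1595931722 bytes
     5 minute offered rate 609000 bps, drop rate 0 bps
     Match: access-group name qos-A
     (queue depth/total drops/no-buffer drops) 0/0/0
     bandwidth 50% (1000 kbps)
    Class-map: qos-class-B (match-all)
     867955 packets, 1021028679 bytes
     5 minute offered rate 24000 bps, drop rate 0 bps
     Match: access-group name qos-B
     (queue depth/total drops/no-buffer drops) 0/0/0
     bandwidth 25% (500 kbps)
    Class-map: class-default (match-any)
     507415 packets, 128531026 bytes
     5 minute offered rate 7000 bps, drop rate 0 bps
     Match: any
     (queue depth/total drops/no-buffer drops/flowdrops) 0/630/0/630
     Fair-queue: per-flow queue limit 16
"""

POLICY_RE = re.compile(r"^\s*Service-policy\s*(?:output)?\s*:\s*(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-\w+)\)")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets,\s+(\d+)\s+bytes")
RATE_RE = re.compile(r"offered rate\s+(\d+)\s+bps,\s+drop rate\s+(\d+)\s+bps")
# older IOS prints "(depth/...)", newer "(queue depth/...)", optionally with "/flowdrops"
DROP_RE = re.compile(
    r"\((?:queue )?depth/total drops/no-buffer drops(?:/flowdrops)?\)\s+(\d+)/(\d+)/(\d+)")


def parse_policy_map(text):
    """Return one dict per class-map block, in display order."""
    classes, policy, cur = [], None, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)          # parent, then the nested child policy
            continue
        m = CLASS_RE.match(line)
        if m:
            cur = {"policy": policy, "class": m.group(1), "match": m.group(2),
                   "packets": None, "bytes": None, "offered_bps": 0,
                   "drop_bps": 0, "queue_depth": 0, "total_drops": 0}
            classes.append(cur)
            continue
        if cur is None:
            continue
        m = COUNT_RE.match(line)
        # first counter line after the header is the class total; match-any
        # classes repeat a counter line per "Match:" statement, which we skip
        if m and cur["packets"] is None:
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = RATE_RE.search(line)
        if m:
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
            continue
        m = DROP_RE.search(line)
        if m:
            cur["queue_depth"], cur["total_drops"] = int(m.group(1)), int(m.group(2))
    return classes


def classes_with_drops(classes):
    """(policy, class, total_drops) for every class whose drop counter is non-zero."""
    return [(c["policy"], c["class"], c["total_drops"]) for c in classes if c["total_drops"]]


def offered_share(classes, policy):
    """Fraction of a policy's summed offered rate that each of its classes carries."""
    mine = [c for c in classes if c["policy"] == policy]
    total = sum(c["offered_bps"] for c in mine)
    return {c["class"]: (c["offered_bps"] / total if total else 0.0) for c in mine}


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    for c in parsed:
        print(f'{c["policy"]:<24}{c["class"]:<16}{c["offered_bps"]:>8} bps  drops={c["total_drops"]}')
    print("dropping:", classes_with_drops(parsed))
```

Run it against the saved output of "show policy-map int" taken before and after the bandwidth/shape lines go in; a drop counter that only moves on the child class-default, as in the sample, says the leftover 1% is carrying something the class ACLs never claimed.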
Manta
Premium Member
2009-Aug-20 8:17 am
Excellent, thanks for that. I'll give that a try and see what happens.
Two questions though:
The 'bandwidth' command. Say I set bandwidth of class CLASS_MAIL to 512. Will that shape it to a maximum of 512 or will it allow it to use any unused bandwidth but guarantee a minimum of 512?
Shape Average: Is it best to use 'average' rather than 'max' when the line is a max of 2Mbps? I'm just concerned that an average of 2Mbps would contain some rates in excess of 2Mbps that would get dropped... or am I getting the wrong idea about 'average'?
Many thanks,
Gareth
meta
Member
2009-Aug-20 8:34 am
1) BANDWIDTH is the keyword to specify the minimum bandwidth guarantee for a class. The traffic will be guaranteed 512kbps of bandwidth, burstable to the full 2meg, at which time it will be shaped down to 2meg. There are other commands you can use here that mean different things.
2) shape average is the preferred method of shaping, the alternative being shape peak, which I have never seen used in production. The words used are sometimes not the most clear, Cisco has good definitions on their site, but regardless I would stick with shape average.
average configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
send out Bc only per interval
peak configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
send out Bc+Be per interval
Usually excess traffic won't be dropped unless the upstream device has a strict 1 bucket policer applied, it should just be queued. Since we are shaping to 2meg the queueing on the upstream device should be very very minimal. I need to hit the exercise bike before running into work. I'll try to check back in a couple hours for replies/questions/concerns. Have a good day, good luck, etc...
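Gareth's worry was that "average" might let through rates above 2Mbps; the IOS help text quoted in the reply says what actually differs between the two modes, and the small token-bucket model below makes it concrete. It is an added example written for this thread, not Cisco's algorithm and not code from either poster: tokens are bits, the bucket holds at most Bc+Be, and every interval Tc = Bc/CIR it is refilled with Bc tokens under "average" or Bc+Be under "peak". Starting with a full bucket (an idle link) means "average" can send Bc+Be once and then settles at CIR, while "peak" keeps sending Bc+Be every interval, which on the lab values (CIR 2000000, Bc 50000, Be 50000) is 4Mbps pushed into a 2Mbps line. The CIR/Bc/Be numbers are the ones in the thread's show policy-map output; the offered load is a constructed sample.

```python
"""Token-bucket model of IOS 'shape average' versus 'shape peak'.

Added example, not from the thread or from Cisco. Parameter values are the
ones shown in the thread's 'show policy-map' output; the offered traffic in
__main__ is a constructed sample.
"""
from dataclasses import dataclass, field


@dataclass
class Shaper:
    cir: int                      # committed rate, bits per second
    bc: int                       # committed burst, bits per interval
    be: int = 0                   # excess burst, bits
    mode: str = "average"         # "average" or "peak"
    tokens: int = field(init=False)

    def __post_init__(self):
        if self.mode not in ("average", "peak"):
            raise ValueError("mode must be 'average' or 'peak'")
        self.tokens = self.bc + self.be   # bucket starts full (link was idle)

    @property
    def tc_ms(self) -> float:
        """Shaping interval; IOS derives it from Bc / CIR (25 ms for Bc=50000 at 2 Mbps)."""
        return self.bc * 1000.0 / self.cir

    def refill(self) -> None:
        """'average' tops up Bc per interval, 'peak' tops up Bc+Be; never above Bc+Be."""
        add = self.bc if self.mode == "average" else self.bc + self.be
        self.tokens = min(self.bc + self.be, self.tokens + add)

    def run(self, offered_bits):
        """Drive the shaper for len(offered_bits) intervals.

        offered_bits[i] is what the router wants to send in interval i.
        Returns bits sent per interval, the backlog still queued (a shaper
        queues rather than drops) and the achieved rate over the run."""
        sent, queued = [], 0
        for i, bits in enumerate(offered_bits):
            if i:
                self.refill()
            queued += bits
            out = min(queued, self.tokens)
            self.tokens -= out
            queued -= out
            sent.append(out)
        seconds = len(offered_bits) * self.tc_ms / 1000.0
        return {"sent": sent, "backlog_bits": queued,
                "rate_bps": sum(sent) / seconds if seconds else 0.0}


def compare_modes(cir, bc, be, offered_bits):
    """Achieved rate of both modes on the same load; the 'peak' figure is what the
    2 Mbps line would be asked to carry if 'shape peak' were configured."""
    return {mode: Shaper(cir, bc, be, mode).run(list(offered_bits))["rate_bps"]
            for mode in ("average", "peak")}


if __name__ == "__main__":
    load = [200_000] * 8          # constructed: 8 saturated intervals of 200 kbit each
    for mode, rate in compare_modes(2_000_000, 50_000, 50_000, load).items():
        print(f"shape {mode:<7} -> {rate / 1e6:.2f} Mbps on a 2.00 Mbps line")
    print("bc 8000 at 2 Mbps gives Tc =", Shaper(2_000_000, 8_000, 8_000).tc_ms, "ms")
```

The one place "average" exceeds CIR in this model is the single Bc+Be burst after idle, which is the short-lived excess Gareth asked about; the upstream 878 queues it rather than dropping it unless it has a strict single-bucket policer, as the reply says.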
Manta
Premium Member
2009-Aug-20 9:37 am
Thanks DeepBlackMag, that's amazingly helpful. I'll try to have a play with those tomorrow and see what breaks! ;-D
Gareth
RolteCThe Need for Speed join:2001-05-20 New York, NY |
RolteC
Member
2009-Aug-21 9:27 am
This is a great thread, learned a good amount from it myself.
Now here is a question concerning this:
What if you want to limit a specific ACL match, or ip, to a specific amount of bandwidth and to never allow it to go over that? Like if I have a 1024Kbps line, and I only want to give PC1 512Kbps at max, is this possible?
said by RolteC: This is a great thread, learned a good amount from it myself. Now here is a question concerning this: What if you want to limit a specific ACL match, or ip, to a specific amount of bandwidth and to never allow it to go over that? Like if I have a 1024Kbps line, and I only want to give PC1 512Kbps at max, is this possible?
You can police or shape within a child policy. So something like this:
policy-map child
 class pc1
  police rate 512000
 class pc2
  bandwidth 256
 class pc3
  bandwidth 256
policy-map parent
 class class-default
  shape average 1000000
  service-policy child
Something along those lines should work.
to Manta
wow, this forum is brilliant. I'm learning so much from this site. I'm going to try to absorb as much info as possible. Love it!
Manta
Premium Member
2009-Aug-25 12:53 pm
Ok, I've got my shaping in place and I'm going to monitor it for a while and see what breaks! Just one thing I found when I was doing it. If you specify the classes without limits like this:
policy-map qos-child-shape2mbps
 class qos-class-A
 class qos-class-B
 class qos-class-C
 class qos-class-D
 class class-default
  fair-queue
policy-map qos-shape2mbps
 class class-default
  service-policy qos-child-shape2mbps
When you come to assign it to an interface it complains that you can't mix a queue based child policy with a non queue based parent policy. I'm sure there's a better way to get round this but I just applied the "shape average 2000000" to the parent policy and then it would let me bind it to the interface. That let me shape the whole lot to 2Mbps but not specify different percentages of bandwidth to limit the child classes to.
Manta
Premium Member
2009-Aug-26 8:49 am
I've got things in place but I'm seeing drops on class-default, which currently has 1% bandwidth left over to it as there shouldn't be much that I've not accounted for. How can I see what's getting matched as class-default or what gets dropped? Many thanks, Gareth
#show policy-map int e1/0
Ethernet1/0
Service-policy output: qos-shape2mbps
Class-map: class-default (match-any)
7671636 packets, 3016294295 bytes
5 minute offered rate 664000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/630/0
(pkts output/bytes output) 7786687/2978337788
shape (average) cir 2000000, bc 8000, be 8000
target shape rate 2000000
Service-policy : qos-child-shape2mbps
Class-map: qos-class-A (match-all)
3442332 packets, 1595931722 bytes
5 minute offered rate 609000 bps, drop rate 0 bps
Match: access-group name qos-A
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 1200299/600617793
bandwidth 50% (1000 kbps)
Class-map: qos-class-B (match-all)
867955 packets, 1021028679 bytes
5 minute offered rate 24000 bps, drop rate 0 bps
Match: access-group name qos-B
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 265245/288039303
bandwidth 25% (500 kbps)
Class-map: qos-class-C (match-all)
2849491 packets, 269400743 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: access-group name qos-C
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 988081/87217990
bandwidth 12% (240 kbps)
Class-map: qos-class-D (match-all)
4444 packets, 1402105 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name qos-D
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 158/74236
bandwidth 12% (240 kbps)
Class-map: class-default (match-any)
507415 packets, 128531026 bytes
5 minute offered rate 7000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/630/0/630
(pkts output/bytes output) 5332904/2002388466
Fair-queue: per-flow queue limit 16
meta
Member
2009-Aug-26 8:13 pm
There are probably several ways, can you post the full QOS config? (ACLs, class-maps, policy-maps, interface config in that order) On a side note, usually I would recommend against naming objects like that. It's really important that your configuration be self-documenting so that someone (usually you) can come back in 6 or 8 months and remember what access-list 44 was actually doing.
Manta
Premium Member
2009-Aug-27 3:46 am
Thanks DeepBlackMag. That's a fair point on the naming, I have trouble remembering what I was doing 6 to 8 minutes ago, let alone months! Most of my ACLs are heavily remarked and the names of things are more descriptive, but for the sake of obfuscating whose live system this is, I've replaced the descriptive part with A/B/C/D. I have a number of VPN tunnels to other sites from this system. They're all tunnel interfaces running GRE which is then tunneled over IPSEC. It gives me the convenience of having an interface for each such connection so I can quickly and easily see what's up and what's down. I've added 'qos pre-classify' to all of these as shown.
ip access-list extended qos-A
permit ip host x.y.z.46 any
ip access-list extended qos-B
permit ip host x.y.z.48 any
ip access-list extended qos-D
permit ip host 10.0.0.7 any
permit ip host 10.0.0.9 any
ip access-list extended qos-C
permit ip host x.y.z.18 any
!
class-map match-all qos-class-D
match access-group name qos-D
class-map match-all qos-class-A
match access-group name qos-A
class-map match-all qos-class-B
match access-group name qos-B
class-map match-all qos-class-C
match access-group name qos-C
!
!
policy-map qos-child-shape2mbps
class qos-class-A
bandwidth percent 50
class qos-class-B
bandwidth percent 25
class qos-class-C
bandwidth percent 12
class qos-class-D
bandwidth percent 12
class class-default
fair-queue
policy-map qos-shape2mbps
class class-default
shape average 2000000
service-policy qos-child-shape2mbps
!
!
interface Ethernet1/0
description Outside interface
bandwidth 2048
ip address x.y.z.34 255.255.255.248
ip access-group outside-ingress in
ip access-group outside-egress out
ip nat outside
ip virtual-reassembly
duplex half
ntp disable
no cdp enable
crypto map vpn-tunnel
service-policy output qos-shape2mbps
!
interface Tunnel200
description GRE Tunnel carried over IPSEC
ip unnumbered Loopback200
ip tcp adjust-mss 1440
qos pre-classify
keepalive 3 3
tunnel source Loopback200
tunnel destination 192.168.200.100
meta
Member
2009-Aug-27 6:12 pm
Create an acl to exclude known traffic: (yes, KNOWN traffic is permitted WITHOUT LOGGING, while traffic NOT known is logged by the last line)
ip access-list extended ACL_LOG_UNKNOWN
 permit ip host x.y.z.46 any
 permit ip host x.y.z.48 any
 permit ip host 10.0.0.7 any
 permit ip host 10.0.0.9 any
 permit ip host x.y.z.18 any
 permit ip any any log-input
end
Then apply that in on the LAN interface. Providing you have terminal monitor enabled, you should start seeing packets going through that will hit the class-default of your service policy (the log entry at the end of the ACL).
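Once that ACL is in, the console fills with one %SEC-6-IPACCESSLOG* line per flow and the job is to turn that stream into "which hosts are we not classifying, and how much are they sending". The script below does that aggregation; it is an added example written for this thread, not code from the posters or from Cisco. It parses the three log-input message variants (IPACCESSLOGP for tcp/udp with ports, IPACCESSLOGDP for icmp with type/code, IPACCESSLOGNP for other IP protocols), totals packets per source host, records the destination ports, protocols and ingress interface seen, and emits the "permit ip host X any" lines you would then move into whichever qos-* ACL the host belongs in. The log lines are constructed samples in the format IOS logs; interface names, MAC addresses and the 10.0.0.x / 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are made up.

```python
"""Summarise IOS ACL 'log-input' hits to find traffic that no class-map matches.

Added example, not from the thread or from Cisco. LOG_SAMPLE is constructed:
the message layouts follow what IOS logs for a 'log-input' ACL entry, but the
hosts, ports, interface and MAC addresses are invented.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? "
    r"\((?P<ifname>\S+) (?P<mac>\S+)\) -> "                   # present because of log-input
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"                 # icmp type/code (IPACCESSLOGDP)
    r", (?P<count>\d+) packets?")

LOG_SAMPLE = [  # constructed sample lines
    "Aug 27 18:20:01.123: %SEC-6-IPACCESSLOGP: list ACL_LOG_UNKNOWN permitted tcp 10.0.0.21(52344) (Ethernet1/1 0011.2233.4455) -> 203.0.113.10(443), 1 packet",
    "Aug 27 18:20:05.501: %SEC-6-IPACCESSLOGP: list ACL_LOG_UNKNOWN permitted udp 10.0.0.21(55001) (Ethernet1/1 0011.2233.4455) -> 198.51.100.53(53), 4 packets",
    "Aug 27 18:20:09.010: %SEC-6-IPACCESSLOGDP: list ACL_LOG_UNKNOWN permitted icmp 10.0.0.33 (Ethernet1/1 0011.2233.6677) -> 203.0.113.10 (8/0), 1 packet",
    "Aug 27 18:21:00.000: %SEC-6-IPACCESSLOGP: list ACL_LOG_UNKNOWN permitted tcp 10.0.0.21(52350) (Ethernet1/1 0011.2233.4455) -> 203.0.113.11(443), 7 packets",
    "Aug 27 18:21:02.000: %SEC-6-IPACCESSLOGNP: list ACL_LOG_UNKNOWN permitted 47 10.0.0.40 (Ethernet1/1 0011.2233.8899) -> 192.0.2.5, 5 packets",
    "Aug 27 18:21:05.000: %SYS-5-CONFIG_I: Configured from console by vty0",   # unrelated, must be skipped
]


def parse_line(line):
    """Fields of one ACL log line, or None when the line is not an ACL hit."""
    m = LOG_RE.search(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["count"] = int(hit["count"])
    hit["dport"] = int(hit["dport"]) if hit["dport"] else None
    return hit


def summarize(lines, acl=None):
    """Per-source totals for hits on the named ACL (any ACL when acl is None)."""
    by_src = defaultdict(lambda: {"packets": 0, "protos": set(),
                                  "dst_ports": set(), "interfaces": set()})
    for line in lines:
        hit = parse_line(line)
        if hit is None or (acl and hit["acl"] != acl):
            continue
        entry = by_src[hit["src"]]
        entry["packets"] += hit["count"]
        entry["protos"].add(hit["proto"])
        entry["interfaces"].add(hit["ifname"])
        if hit["dport"] is not None:
            entry["dst_ports"].add(hit["dport"])
    return dict(by_src)


def suggest_permits(summary, min_packets=1):
    """'permit ip host X any' lines, busiest source first, to move into a qos-* ACL."""
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1]["packets"], kv[0]))
    return [f"permit ip host {src} any" for src, e in ranked if e["packets"] >= min_packets]


if __name__ == "__main__":
    totals = summarize(LOG_SAMPLE, acl="ACL_LOG_UNKNOWN")
    for src, e in totals.items():
        print(f"{src:<12} {e['packets']:>5} pkts  proto={sorted(e['protos'])} "
              f"dports={sorted(e['dst_ports'])} via={sorted(e['interfaces'])}")
    print("\n".join(suggest_permits(totals)))
```

Feed it "show logging" output or a syslog file rather than a live terminal; the per-source protocol and port sets are what tell you whether a host belongs with the mail class, the web class or a new class of its own.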
AJR2 join:2009-03-18 Alabaster, AL |
to Manta
Instead of matching against ACLs in your class-maps, you might want to consider using NBAR. NBAR allows you to match specific protocols by using the "match protocol protocol-name" command under your class-map config. For example:
class-map match-any Mail
 match protocol smtp
For more info on NBAR: www.cisco.com/en/US/docs ... p1003102
meta
Member
2009-Aug-27 10:29 pm
Contrary to popular belief, the protocol definitions used in NBAR (for all their CPU-sucking goodness) are generally something stupid like "match tcp port 22". This obfuscation has caused me great pains in the past trying to classify traffic where the Cisco protocol definition was weak or poorly constructed. In fact, below is how I'm customizing NBAR on one set of routers:
STL-R3745#show run | i nbar
ip nbar port-map ssh tcp 22 22714
ip nbar port-map irc tcp 6667 64313
ip nbar port-map secure-http tcp 443 444 61803
ip nbar custom msrdp tcp 3389 3388
ip nbar custom ventrilo tcp 3784