Monday, April 13, 2009

CCIE ALU - Traffic Control

Foreword: An ALU is an Autonomous Learning Unit; you can read this post to learn more about them.




In addition to the subnet on R3's FastEthernet0/0 interface, there is also a subnet, which contains several high bandwidth users.  These users have been receiving very large HTTP downloads across the Serial1/3 interface.  Limit HTTP responses destined to the subnet to 512kbit/sec.  All configuration must be done on R3.



Highlight below for the solution:




ip access-list extended HTTP_TO_1.1.33
 permit tcp any eq www

class-map match-all HTTP_TO_1.1.33
 match access-group name HTTP_TO_1.1.33

policy-map QOS1
 class HTTP_TO_1.1.33
    police 512000
 class class-default

interface Serial1/3
 service-policy input QOS1




Rack1R3(config-if)#do sh policy-map int

  Service-policy input: QOS1

    Class-map: HTTP_TO_1.1.33 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name HTTP_TO_1.1.33
          cir 512000 bps, bc 16000 bytes
        conformed 0 packets, 0 bytes; actions:
        exceeded 0 packets, 0 bytes; actions:
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      11 packets, 1088 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any




Since all configuration must be done on R3, we must use policing, because only the very high-end Cisco routers can perform shaping inbound.  We create a class that matches TCP traffic with a source port of 80 and any destination port: the HTTP request is a very small packet going out Serial1/3, and the HTTP response is the very large packet coming in Serial1/3, which is why the policy is applied inbound on that interface.


One important point to remember is that this method of traffic control is ineffective for UDP streams, because by the time policing on R3 is enforced the traffic has already traversed the serial link between R2 and R3; dropping it on R3 frees no bandwidth on that link.  Policing on the "far end" is effective for TCP traffic because the TCP senders react to the drops by shrinking their sliding window, so their throughput settles at approximately 512kbit/sec.
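The two paragraphs above describe what `police 512000` actually does to an inbound stream and why it only tames TCP. The model below is an added example, not configuration or code from the original post: it reproduces the IOS single-rate token-bucket policer (CIR 512000 bit/s, with the default normal burst Bc = CIR/32 bytes, which is the `bc 16000 bytes` in the show output above), the classifier the ACL expresses (TCP, source port 80, any destination port, destination inside the users' subnet), and the counters `show policy-map interface` would report. The subnet `192.0.2.0/24`, the addresses, and the packet trace are constructed placeholders, since the exercise text does not name the subnet. The `link_bytes` counter makes the UDP point visible: every byte, conforming or not, has already crossed Serial1/3 before the policer sees it.

```python
"""Model of the IOS single-rate policer configured by `police 512000`.
Added example, not the post's own configuration. Subnet, addresses and the
packet trace are constructed placeholders."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional
import ipaddress

CIR_BPS = 512_000                                      # `police 512000`
TARGET_SUBNET = ipaddress.ip_network("192.0.2.0/24")   # placeholder for the users' subnet


def default_bc_bytes(cir_bps: int) -> int:
    """Normal burst IOS picks when `police` is given only a rate: CIR/32 bytes,
    i.e. 250 ms of traffic at CIR. For 512000 bps that is the 'bc 16000 bytes'
    shown in the post's `show policy-map interface` output."""
    return cir_bps // 32


@dataclass
class Packet:
    t_ms: int      # arrival time on Serial1/3, in milliseconds
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    size: int      # bytes on the wire


def is_http_response_to_subnet(pkt: Packet, subnet=TARGET_SUBNET) -> bool:
    """Model of the ACL match: TCP, source port 80 (www), any destination port,
    destination inside the subnet. Requests (dport 80) deliberately do not match."""
    return (pkt.proto == "tcp" and pkt.sport == 80
            and ipaddress.ip_address(pkt.dst) in subnet)


class SingleRatePolicer:
    """Token bucket holding bytes: refills at CIR/8 bytes per second, capped at Bc.
    A packet conforms if the bucket holds at least its size, otherwise it exceeds.
    Exact arithmetic (Fraction) keeps boundary cases deterministic."""

    def __init__(self, cir_bps: int, bc_bytes: Optional[int] = None):
        self.cir = cir_bps
        self.bc = bc_bytes if bc_bytes is not None else default_bc_bytes(cir_bps)
        self.tokens = Fraction(self.bc)      # bucket starts full
        self.last_ms = 0
        self.conformed = self.exceeded = 0
        self.conformed_bytes = self.exceeded_bytes = 0

    def police(self, pkt: Packet) -> str:
        elapsed_ms = pkt.t_ms - self.last_ms
        self.tokens = min(Fraction(self.bc),
                          self.tokens + Fraction(elapsed_ms * self.cir, 8000))
        self.last_ms = pkt.t_ms
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            self.conformed += 1
            self.conformed_bytes += pkt.size
            return "conform"             # default conform-action: transmit
        self.exceeded += 1
        self.exceeded_bytes += pkt.size
        return "exceed"                  # default exceed-action: drop


def apply_policy(packets, cir_bps=CIR_BPS):
    """Run the inbound service-policy over a trace: matched packets hit the
    policer, everything else falls through to class-default. Returns the
    counters the show command reports plus the bytes that crossed the link."""
    policer = SingleRatePolicer(cir_bps)
    default_pkts = default_bytes = link_bytes = 0
    for pkt in sorted(packets, key=lambda p: p.t_ms):
        link_bytes += pkt.size           # already used R2->R3 bandwidth, dropped or not
        if is_http_response_to_subnet(pkt):
            policer.police(pkt)
        else:
            default_pkts += 1
            default_bytes += pkt.size
    return {
        "cir": policer.cir, "bc": policer.bc,
        "conformed": policer.conformed, "conformed_bytes": policer.conformed_bytes,
        "exceeded": policer.exceeded, "exceeded_bytes": policer.exceeded_bytes,
        "class_default": default_pkts, "class_default_bytes": default_bytes,
        "link_bytes": link_bytes,
    }


def constructed_trace():
    """Constructed input: one second of HTTP response segments arriving at
    800 kbit/s (1000 bytes every 10 ms), plus traffic that must not match."""
    pkts = [Packet(10 * i, "tcp", "203.0.113.10", "192.0.2.50", 80, 40000, 1000)
            for i in range(100)]
    pkts += [
        Packet(5, "tcp", "192.0.2.50", "203.0.113.10", 40000, 80, 60),        # HTTP request, wrong direction
        Packet(15, "tcp", "203.0.113.10", "198.51.100.7", 80, 40001, 1000),   # response to another subnet
        Packet(25, "udp", "203.0.113.20", "192.0.2.60", 5004, 5004, 1000),    # UDP: not in the class at all
    ]
    return pkts


if __name__ == "__main__":
    for name, value in apply_policy(constructed_trace()).items():
        print(f"{name:>20}: {value}")
```

With this trace the first 42 segments conform on the strength of the initial 16000-byte burst allowance, after which the policer settles into a steady pattern of roughly two conforms per drop, admitting 79000 of the 100000 offered bytes in the first second. For a TCP sender those 21 drops are the signal that shrinks its window; for a UDP sender they change nothing about the 102060 bytes that already crossed the serial link.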


If you are not 100% familiar with TCP, sliding windows, and all aspects of TCP retransmission, please read the following site for a great tutorial:


I highly encourage you to be extremely consistent in the way you name access-lists, class-maps, policy-maps, and other items you create in IOS.  You are free to create any system you would like, but my general guidelines are to write names in all capital letters so they stand out in your show commands, and to name items after the section they were created for.  For example, if item 4.5 in the QOS section of a test requires me to create an access-list, I will name the access-list QOS4.5.  If I need a numbered ACL instead, I will number it 45 or 145, depending on whether I need a standard or an extended access-list.



DocCD items to reference:

Configuration Guide (Class-Based Weighted Fair Queueing Configuration Task List)




ip access-list  (Named Access-Lists)

service-policy in
