Monday, April 13, 2009

CCIE ALU - Traffic Control

Foreward: An ALU is an Autonomous Learning Unit, you can read this post to learn more about them.

 



 

Question:

In addition to the 1.1.3.0/24 subnet on R3's FastEthernet0/0 interface, there is also a subnet 1.1.33.0/24, which contains several high bandwidth users.  These users have been receiving very large HTTP downloads across the Serial1/3 interface.  Limit HTTP responses destined to the 1.1.33.0/24 subnet to 512kbit/sec.  All configuration must be done on R3.

 

 

Highlight below for the solution:

 

Solution:

R3:

ip access-list extended HTTP_TO_1.1.33

 permit tcp any eq www 1.1.33.0 0.0.0.255

!

class-map match-all HTTP_TO_1.1.33

 match access-group name HTTP_TO_1.1.33

!

policy-map QOS1

 class HTTP_TO_1.1.33

    police 512000

 class class-default

!

interface Serial1/3

 service-policy input QOS1

 

 

Confirmation:

Rack1R3(config-if)#do sh policy-map int            

 Serial1/3

 

  Service-policy input: QOS1

 

    Class-map: HTTP_TO_1.1.33 (match-all)

      0 packets, 0 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match: access-group name HTTP_TO_1.1.33

      police:

          cir 512000 bps, bc 16000 bytes

        conformed 0 packets, 0 bytes; actions:

          transmit

        exceeded 0 packets, 0 bytes; actions:

          drop

        conformed 0 bps, exceed 0 bps

 

    Class-map: class-default (match-any)

      11 packets, 1088 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match: any

 

 

Explanation:

Since all configuration must be done on R3, we must use policing because only the very high-end Cisco  routers can perform shaping inbound.  We create a class that matches TCP traffic with a source port of 80 and any destination port, since the HTTP request is a very small packet going out Serial1/3, and the HTTP response is the very large packet coming in Serial1/3.

 

One important point to remember is this method of traffic control is ineffective for controlling UDP traffic streams since the traffic has already traversed the serial link between R2 and R3 by the time policing on R3 is enforced.  This method of policing on the "far end" is effective when controlling TCP traffic because the applications will set their sliding window to a size that will approximate 512kbit/sec.

 

If you are not 100% familiar with TCP, sliding windows, and all aspects of TCP retransmission, please read the following site for a great tutorial:  http://www.rhyshaden.com/tcp.htm

 

I highly encourage you to be extremely consistent in the way you name access-lists, class-maps, policy-maps, or other items you create in the IOS.  You are free to create any system you would like, but my general guidelines are to make your variables in all capital letters so they stand out in your show commands.  I also like to name items according to the section they were created for.  For example, if item 4.5 in the QOS section of a test requires me to create an access-list, I will name the access-list QOS4.5.  Or if I need to make a numbered ACL, I will number it 45 or 145 depending if I need a standard or extended access-list.

 

 

DocCD items to reference:

Configuration Guide (Class-Based Weighted Fair Queueing Configuration Task List)

class-map

policy-map

police

ip access-list  (Named Access-Lists)

service-policy in

No comments:

Post a Comment