08-18-2009 02:11 AM
Hi,
How can I get the virtual Ethernet rate-limit/bandwidth/speed using the Cisco CLI?
So I can use it further in process of rate-limiting unnecessary traffic.
Thanks
D V
08-18-2009 02:25 AM
We can use policer for rate limiting on the Veth interfaces. Here are the sample commands to create and apply the policer to Veth interfaces:
This policy will rate-limit all the traffic that is coming from the VM via Veth interface 4 to 100 mbps.
mv-fcs-vsm# conf ter
mv-fcs-vsm(config)# policy-map rate-limit
mv-fcs-vsm(config-pmap-qos)# class class-default
mv-fcs-vsm(config-pmap-c-qos)# police cir 100 mbps
mv-fcs-vsm(config-pmap-c-qos)# exit
mv-fcs-vsm(config-pmap-qos)# exit
mv-fcs-vsm(config-if)# show policy-map rate-limit
Type qos policy-maps
====================
policy-map type qos rate-limit
class class-default
police cir 100 mbps bc 200 ms conform transmit violate drop
mv-fcs-vsm(config)# int v 4
mv-fcs-vsm(config-if)# service-policy input rate-limit
mv-fcs-vsm(config-if)# show policy-map interface
Vethernet4
Service-policy (qos) input: rate-limit
policy statistics status: enabled
Class-map (qos): class-default (match-any)
0 packets
police cir 100 mbps bc 200 ms
conformed 0 bytes, 0 bps action: transmit
violated 0 bytes, 0 bps action: drop
Thanks
Nethaji V
08-18-2009 02:57 AM
Hi,
Yes, this is another way we can set the bandwidth of a virtual interface.
But I want to rate-limit ICMP traffic to minimize the effect of a ping flood.
For example, if I assign 10 Mbps bandwidth to veth 4 using this method
and rate-limit the ICMP class traffic class_icmp:
n1000v(config-cmap-qos)# exit
n1000v(config)# policy-map policy_icmp
n1000v(config-pmap-qos)# class class-default
n1000v(config-pmap-c-qos)# police cir 10 mbps
n1000v(config-pmap-c-qos)# exit
n1000v(config-pmap-qos)# class class_icmp
n1000v(config-pmap-c-qos)# police cir percent 1 conform transmit violate drop
n1000v(config-pmap-c-qos)# exit
n1000v(config-pmap-qos)# exit
But even if class_icmp traffic exceeds 100 kbps (1% of 10 Mbps), it doesn't drop packets.
Thanks,
D V
08-18-2009 03:40 PM
Hi,
Could you check if the ICMP packets are getting classified? You could check the QoS statistics to confirm that. The CLI for that is:
show policy-map interface <interface type> <interface #>
In this case you would do show policy-map interface vethernet 4.
Thanks
-Shankar
08-19-2009 03:05 AM
Hi,
Look at result of "show policy-map interface vethernet 3" command.
As you can see in bold letters, why some packets are dropped (1522238 bps < 10 mbps)?
Global statistics status : enabled
Vethernet3
Service-policy (qos) input: policy_all
policy statistics status: enabled
Class-map (qos): class-default (match-any)
1119944 packets
police cir 10 mbps bc 200 ms
conformed 109748349 bytes, 1522238 bps action: transmit
violated 6174 bytes, 60 bps action: drop
Service-policy (qos) output: policy_icmp
policy statistics status: enabled
Class-map (qos): class_icmp (match-all)
1213385 packets
Match: access-group acl_icmp_echo
police cir percent 1 bc 200 ms
conformed 118732782 bytes, 1737213 bps action: transmit
violated 178948 bytes, 3307 bps action: drop
Class-map (qos): class-default (match-any)
357 packets
police cir 10 mbps bc 200 ms
conformed 50922 bytes, 939 bps action: transmit
violated 0 bytes, 0 bps action: drop
Thanks,
D V
08-19-2009 12:07 PM
Good question! It is based upon your configured bc (committed burst) size and the burst of traffic received. Overall your policer is configured with a limit of 10 mbps and it can handle a burst of packets but only up to 200ms worth of data at the configured rate. Thus, you likely had a burst that resulted in a few dropped frames. The rate that is displayed is a sliding window over time so it is an average.
If you have traffic that is very bursty, you need to increase your bc to accommodate that.
Hope that clears it up!
Tim
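An added example, not part of the original thread and not Cisco's implementation: a simplified single-rate token-bucket model of `police cir 10 mbps bc 200 ms conform transmit violate drop`, showing how a short burst produces violations even though the averaged rate is far below the CIR, and how a larger bc absorbs it. The packet sizes, timings and the 400 ms bc value are constructed assumptions.

```python
# Simplified single-rate, two-colour token-bucket policer (illustrative model,
# not the switch's actual implementation). All maths is integer: tokens are
# kept in bit-microseconds so no rounding affects the result.
US = 1_000_000  # microseconds per second


def police(packets, cir_bps, bc_ms):
    """packets: list of (arrival_us, size_bytes) sorted by arrival time.
    Returns (conformed_bytes, violated_bytes) for conform=transmit, violate=drop."""
    depth = cir_bps * bc_ms * 1000           # bc given as time at CIR
    tokens, last = depth, 0                  # bucket starts full
    conformed = violated = 0
    for t, size in packets:
        # Refill at CIR for the elapsed time, never above the burst size.
        tokens = min(depth, tokens + cir_bps * (t - last))
        last = t
        cost = size * 8 * US
        if tokens >= cost:
            tokens -= cost
            conformed += size
        else:
            violated += size                 # not enough tokens: dropped
    return conformed, violated


def offered_bps(packets, window_us):
    """Average offered rate over a measurement window, like an averaged counter."""
    return sum(size for _, size in packets) * 8 * US // window_us


# Constructed traffic: the same 200 x 1500-byte packets, sent two ways.
BURST = [(i * 50, 1500) for i in range(200)]       # back-to-back within 10 ms
PACED = [(i * 10_000, 1500) for i in range(200)]   # evenly spread over 2 s

if __name__ == "__main__":
    print("average offered rate over 2 s:", offered_bps(BURST, 2 * US), "bps")
    for name, pkts, bc in (("burst, bc 200 ms", BURST, 200),
                           ("paced, bc 200 ms", PACED, 200),
                           ("burst, bc 400 ms", BURST, 400)):
        ok, dropped = police(pkts, 10_000_000, bc)
        print(f"{name}: conformed {ok} bytes, violated {dropped} bytes")
```
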
02-04-2011 08:43 AM
Thank you for this post, it is very useful.
Do you know the correct syntax to apply one of these policies at the port-group level so it's applied to all vethernet devices?
02-04-2011 12:21 PM
Jason,
The service-policy command is available on an interface and also on a port-profile. Thus, if it is applied to the port-profile, it will be applied to all veths that are inheriting from it.
Regards,
Tim