07-20-2006 03:13 AM
Hi,
My organization has a network with many remote sites connected through Layer-2 MPLS.
The hub site is a Cisco 6500 and the remote sites are 3550 switches. The MPLS links to the remote sites are 10 Mbps.
There is no configuration w.r.t. MPLS on the 3550 switches.
The hub site provides Internet service and the requirement is to limit the use of Internet (http, ftp) traffic from the remote sites to not more than 2 Mbps (out of 10 Mbps).
My understanding is that QoS has to be applied for the outgoing traffic on the 3550 Gigabit Ethernet switch ports connecting to the MPLS network so that outgoing Internet traffic is rate limited to 2 Mbps.
Two tasks:
1. Classify internet traffic (http, ftp, etc.)
2. Rate limit
Is this correct? Would there be any issues with the Service Provider?
Any sample configurations? Pls help.
07-20-2006 06:05 AM
If this is all layer 2 MPLS, I believe you are using VPLS or a similar service offering (EoMPLS?).
The traffic QoS shaping/policing can be configured on the 3550 remote location switches, inbound. It could be done on the 6500 with multiple classes, etc., but it would be more scalable to do it on the 3550s. The 3550 can classify and shape/police traffic per class, using the modular QoS command line (MQC). I would use a nested policy to shape everything to 10 Mbps, then cut http/ftp to 2 Mbps,
such as:
class-map match-any internet
 match protocol http
 match protocol ftp
!
!
policy-map internet-shape
 class internet
  shape average 2000000
 class class-default
  fair-queue
policy-map internet-parent
 class class-default
  shape average 10000000
  service-policy internet-shape
int vlan 301
 service-policy output internet-parent
(this may not work on the vlan interface, you may need to place it on the port)
int f0/47
 desc to lan client switch
 service-policy output internet-parent
I'm sure you can also apply this policy to the outgoing traffic.
Joe
07-22-2006 11:16 AM
Hi Joe,
Thanks for a detailed response. Yes, it is EoMPLS. The solution you gave is for the 3550, I guess. But even with 12.2(25)SEE, which is the latest on CCO, I do not find the "match protocol" and "shape" commands on the 3550 switches.
Meanwhile, here is what I think is a solution.
Cisco6500---------MPLS Cloud-------Gi0/1-3550---------Internal LAN
Internal LAN 10.1.1.0 is on 3550 port Fa0/1. All Internet traffic has to go out of or come into Gi0/1 port on 3550.
----------------------------------------------------
mls qos
access-list 199 permit tcp 10.1.1.0 0.0.0.255 any eq 80
class-map INTERNET-CLASS
 match access-group 199
policy-map INTERNET-POLICY
 class INTERNET-CLASS
  police 2000000 8000 exceed-action drop
interface Gi0/1
 switchport mode access
 service-policy input INTERNET-POLICY
-------------------------------------------------
Pls comment. Thanks.
07-23-2006 06:58 PM
I expect you have read the doc below on QoS for the 3550.
http://www.cisco.com/en/US/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml
The only problem I find is as below; the remaining commands should work (but I did not test them, as I have no equipment on hand).
class-map match-all INTERNET-CLASS
 match access-group 199
Hope this helps.
07-23-2006 09:46 PM
Hi Jack,
Thanks for the doc. Yes, I read this page.
As there is no "match protocol" command, I believe the only way is to go for the "match access-group" command to classify the traffic.
I don't understand why you think the "match access-group" is a problem. Can you pls explain?
Here is the output on my switch:
3550#sh policy-map int gi1/0/1
 GigabitEthernet1/0/1
  Service-policy input: internet-traffic-policy
    Class-map: internet-traffic-class (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 199
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
The other questions I have:
How to generate 2Mbps of traffic to check if my policy-map is working or not?
Also, should CEF be enabled on the switch/interface?
Thanks.
07-23-2006 10:15 PM
Sorry if I did not state it clearly. I checked the command format and found it requires a "match-all" parameter, so I assumed there may be an issue. If it is working, just forget it.
You can use a free throughput test tool (e.g. QCheck): connect a PC to this interface and another to another interface, then run a tool called "iper" to generate the traffic on port 80. Check here:
http://www.ixiacom.com/products/performance_applications/pa_display.php?skey=pa_q_check
Or "Iperf" for a similar function.
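
Added example, not part of the original thread and not Cisco's implementation: a simplified single-rate token-bucket model of the `police 2000000 8000 exceed-action drop` line above, run over constructed traffic to show what a throughput test through the policer should report. The function names and traffic profiles are assumptions made for this illustration.

```python
# Simplified token-bucket model of: police 2000000 8000 exceed-action drop
# (illustrative model only; real hardware policers differ in detail)

RATE_BPS = 2_000_000   # police rate from the thread, bits per second
BURST_BYTES = 8000     # burst size from the thread, bytes


def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """packets: list of (arrival_time_s, size_bytes) sorted by time.
    Returns (conformed_bytes, dropped_bytes)."""
    tokens = float(burst_bytes)          # bucket starts full
    last = 0.0
    conformed = dropped = 0
    for t, size in packets:
        # Refill at rate/8 bytes per second, never above the burst size.
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            conformed += size
        else:
            dropped += size              # exceed-action drop
    return conformed, dropped


def stream(avg_bps, duration_s, pkt_bytes=1500, burst_pkts=1):
    """Constructed test traffic: groups of burst_pkts back-to-back packets,
    spaced so the average offered load equals avg_bps."""
    gap = burst_pkts * pkt_bytes * 8 / avg_bps
    return [(i * gap, pkt_bytes)
            for i in range(int(duration_s / gap))
            for _ in range(burst_pkts)]


def passed_bps(packets, duration_s):
    """Throughput a receiver behind the policer would measure."""
    return police(packets)[0] * 8 / duration_s


if __name__ == "__main__":
    d = 10.0
    for label, pkts in [
        ("1 Mbps smooth", stream(1_000_000, d)),
        ("5 Mbps smooth", stream(5_000_000, d)),
        ("2 Mbps in 10-packet bursts", stream(2_000_000, d, burst_pkts=10)),
    ]:
        print(f"{label:28s} -> {passed_bps(pkts, d) / 1e6:.2f} Mbps passed")
```

In this model a smooth stream above 2 Mbps is clipped to about 2 Mbps, while traffic that averages 2 Mbps but arrives in 15000-byte bursts loses half its packets, because only 8000 bytes of tokens can accumulate between bursts.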