QoS Policing giving more bandwidth than it should

petes
Level 1

I'm working in my lab trying to do proof of concept for traffic policing on the ASA 5510 running 8.0(4).  I have two laptops running Ubuntu, one on the outside and one on the inside.  Both laptops have 100Mbps interfaces.  My test consists of downloading a file from one laptop using HTTP.  Without any QoS I can see speeds close to 100Mbps, which I would expect.  On a side note, try using XP and you won't come close to those speeds.  Anyhow, I implement policing using the config below and expect to see the max rate on the laptops during the transfer max out close to the CIR.  However, I see speeds much higher on the laptops.

When I set the CIR to 10000 bps with bc at 1500 bytes I get speeds that range from 300Kbps to 700Kbps.  I would expect to see speeds max out at the CIR which would be 10Kbps.

I'm having a hard time understanding why my numbers don't match.  I would really appreciate it if somebody could "dumb this down" for me.

FYI...the download is going from the inside to the outside.

Relevant Config.

access-list nonvoice extended permit ip any any

priority-queue inside
  queue-limit   488
  tx-ring-limit 8
priority-queue outside

class-map qos-restricted
match access-list nonvoice

policy-map qos-policy
class qos-restricted
  police input 10000

service-policy qos-policy interface outside

Output from the show service-policy police command:

Interface outside:
  Service-policy: qos-policy
    Class-map: qos-restricted
      Input police Interface outside:
        cir 10000 bps, bc 1500 bytes
        conformed 4377 packets, 291037 bytes; actions:  transmit
        exceeded 3126 packets, 206316 bytes; actions:  drop
        conformed 9992 bps, exceed 6552 bps
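
An added example, not part of the original thread: a small parser for the `show service-policy police` output pasted above. It reports which direction and interface the policer is attached to, how close the conformed rate is to the CIR, and the average size of the packets the policer counted, which are the figures to set beside the transfer rate measured on the laptops. The function names `parse_police` and `summarize` belong to this example only.

```python
import re

# Output copied verbatim from the post above (show service-policy police).
SAMPLE = """\
Interface outside:
  Service-policy: qos-policy
    Class-map: qos-restricted
      Input police Interface outside:
        cir 10000 bps, bc 1500 bytes
        conformed 4377 packets, 291037 bytes; actions:  transmit
        exceeded 3126 packets, 206316 bytes; actions:  drop
        conformed 9992 bps, exceed 6552 bps
"""

HEADER = re.compile(r"^\s*(Input|Output) police Interface (\S+):")
PARAMS = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
COUNTS = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes")
RATES = re.compile(r"conformed (\d+) bps, exceed (\d+) bps")

def parse_police(text):
    """Return one dict per 'police' stanza found in the output."""
    stanzas, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"direction": m[1].lower(), "interface": m[2]}
            stanzas.append(cur)
        elif cur is None:
            continue  # lines before the first police stanza
        elif m := PARAMS.search(line):
            cur["cir_bps"], cur["bc_bytes"] = int(m[1]), int(m[2])
        elif m := COUNTS.search(line):
            cur[m[1] + "_pkts"], cur[m[1] + "_bytes"] = int(m[2]), int(m[3])
        elif m := RATES.search(line):
            cur["conformed_bps"], cur["exceed_bps"] = int(m[1]), int(m[2])
    return stanzas

def summarize(s):
    """Derive the figures worth comparing against the measured transfer."""
    total = s["conformed_pkts"] + s["exceeded_pkts"]
    return {
        "policed": f'{s["direction"]} on {s["interface"]}',
        "conformed_vs_cir": round(s["conformed_bps"] / s["cir_bps"], 3),
        "drop_ratio": round(s["exceeded_pkts"] / total, 3),
        "avg_conformed_pkt": round(s["conformed_bytes"] / s["conformed_pkts"], 1),
        "avg_exceeded_pkt": round(s["exceeded_bytes"] / s["exceeded_pkts"], 1),
    }

if __name__ == "__main__":
    print([summarize(s) for s in parse_police(SAMPLE)])
```
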


varrao
Level 10

Hi Pete,

The configuration needs some changes, kindly go through this document, this should clarify all your questions:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

Varun,

Thanks for your reply.  I've gone through the document and I still don't understand why my traffic is not adhering to the specified rate limits.  Is there a specific section of that document that answers that question?  It seems simple: classify the traffic, apply a policy to the traffic (rate limit) and then apply it to an interface.  I just don't understand why the lab results don't match the rate limit speeds.

Pete

Hi Pete,

Kindly let me know your requirements with a brief description again. I understand that you are trying to rate limit the download speed to 10 kbps. Also, please provide me the outputs from the current configuration:

show service-policy

show run policy-map

show run class-map

I'll give it a shot tomorrow in my lab, and let you know the correct config.

Thanks,

Varun

Thanks,
Varun Rao

Yes, I want to limit traffic between two hosts to no more than 10kbps.  Here are the configs you requested.

show run service-policy:

service-policy global_policy global
service-policy qos-policy interface outside

show run policy-map:

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map qos-policy
class qos-restricted
  police input 1000000
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp

show run class-map:

class-map qos-restricted
match access-list nonvoice
class-map inspection_default
match default-inspection-traffic
class-map Voice-IN
match access-list VOIP-Classification

Thanks for the info, I'll get back to you on this tomorrow. In the meantime, could you also provide the access-list that you have created for QoS? You may give me dummy IPs.

Regards,

Varun

Thanks,
Varun Rao

access-list nonvoice extended permit ip any any

Basically I just have two hosts right now that I'm using to see if I can control the speed with.  Once I can control the speed with those two hosts then I will introduce additional hosts and modify the ACL accordingly to control the speed for traffic between host 1 and host 2 and then provide priority for communication between host 3 and host 4.  That's for later on down the road.  I am just confused as to why my hosts are restricted to the bandwidth limitations specified with the police command.
