
Bandwidth throttling via QoS

Ricky S
Level 3

Hi folks, I am fairly new to the world of QoS. Although I have a basic understanding of what it is, I don't have any real experience in implementing it in a production network. We have a new requirement between two of our major offices located in Chicago and Toronto where they will be replicating large amounts of data between each other on a nightly basis. We checked with the vendor of the replication software/server and there is no way to throttle the bandwidth usage in software. They said this is usually done via QoS.

I'm wondering if anyone can shine some light as to how I can configure my routers in both offices to throttle the bandwidth usage for traffic between these two specific servers. Would I need to use ACLs to do the QoS?


Bilal Nawaz
VIP Alumni

One of the quickest solutions is this, and works pretty well imho. Use ACLs to class the traffic (this can be extended ACLs I believe too) e.g. if I wanted to limit to 3mb up and down, you can do this e.g. for servers 10.0.0.1, 172.16.0.1 from and towards each other:

! To match the traffic
ip access-list extended ACL_3Mbps
 permit ip host 10.0.0.1 host 172.16.0.1
 permit ip host 172.16.0.1 host 10.0.0.1
!
! Class the traffic
class-map Link_3Mbps
 match access-group name ACL_3Mbps
!
! Apply policy against the class (type of traffic specified by your class-map)
policy-map Policy_3Mbps
 class Link_3Mbps
  ! 8000 is the burst rate
  police 3000000 8000 exceed-action drop
!
interface gigabitethernet1/0
 ! Applies the policies inbound and outbound, both directions
 service-policy input Policy_3Mbps
 service-policy output Policy_3Mbps

Where the ACL is you can specify source and destination or just source or source and port depending on how you configure your ACL.

Hope this helps.

Link for your reference:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpoli_ps1835_TSD_Products_Configuration_Guide_Chapter.html#wp1006389

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Perfect. I will test that out and report back. Thanks Bilal. Much appreciated.

Hi Bilal, thanks once again. One question I do have is why do we need to apply the service policy both for inbound and outbound traffic? Wouldn't the outbound traffic be policed by the inbound rule on the other side?

Both offices are connecting to each other over an IPSEC tunnel. I am going to apply the service policy on the tunnel interface on each side.

Hi Rick, I only stated inbound and outbound as an example. But if you have this applied outbound in both directions you should be fine.

I'm not sure about applying to the tunnel interfaces - should work since the sources will be coming from the tunnel interfaces, I've never tried that before. Let us know how it goes.

Hi Bilal, I ran into a small issue as I was testing the above solution you recommended. Router doesn't have the service-policy input option. Below is what I see.

RTRCOREQ9002(config)#int tunnel 0
RTRCOREQ9002(config-if)#service-policy ?
type  type of the policy-map
RTRCOREQ9002(config-if)#service-policy type ?
  access-control  access-control specific policy-map
RTRCOREQ9002(config-if)#service-policy type access-control input Policy_20Mbps
policy map should be of same type

Hello, what router are you configuring on? I'm not so sure about the options you have here, I haven't seen them before. Could you kindly show the options you get when you do this please:

RTRCOREQ9002(config-if)#service-policy type policy-map ?


Configuring it on a Cisco 2951 running 2951-universalk9-mz.SPA.151-4.M5.bin

It doesn't give me the policy-map option (see below)

RTRCOREQ9001(config-if)#service-policy type ?
  access-control  access-control specific policy-map

RTRCOREQ9001(config-if)#service-policy type policy-map ?
% Unrecognized command

Also note I am configuring this on a tunnel interface, if that makes any difference.

Hi Rick,

I was able to do this:

NPEVG01#show ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 14-Jun-11 19:25 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)

SQPNPEVG01 uptime is 8 weeks, 6 days, 23 hours, 22 minutes
System returned to ROM by reload at 15:47:53 UTC Thu Feb 7 2013
System restarted at 15:49:12 UTC Thu Feb 7 2013
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M1.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable

NPEVG01#show run int t0
Building configuration...

Current configuration : 95 bytes
!
interface Tunnel0
 no ip address
 service-policy input TEST
 service-policy output TEST
end

My config looks like this:

class-map match-all TEST
 match access-group name ACL_TEST
!
!
policy-map TEST
 class TEST
  police cir 3000000 bc 8000
   conform-action transmit
   exceed-action drop
!
ip access-list extended ACL_TEST
 permit ip any any
!
interface Tunnel0
 no ip address
 service-policy input TEST
 service-policy output TEST

Let me know if this is the template you are using.

Hope this helps.


That's interesting, the same still isn't working for me on the Tunnel interfaces. I was able to configure it on the LAN interface and that seems to be working now.

Thanks for your assistance.

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

As Bilal has shown, one option is to police or rate-limit the replication traffic.

Another technique is to use QoS to prioritize traffic. In this case, you might de-prioritize the replication traffic.

The big difference between the two techniques: policing traffic limits the replication rate even when there's available bandwidth. Further, if you increase the limit to you might be adverse to other traffic.

Depending on what your replication service requirements are, sometimes even background bandwidth reservation is sufficient.

e.g.

policy-map Sample
 class replication
  bandwidth percent 1

In the above, you'll need to define how replication is matched. It might be by hosts, other packet characteristics or some combination.

Unlike policing, which can be used in or out, prioritization can only be used outbound (i.e. you configure it on both sides' egress).

Hi Joseph, thanks for the post. I will look into the QoS as it definitely sounds interesting.

Hello
Personally I would police ingress from your LAN and shape on your WAN interface (only necessary when rate-limiting your WAN link).

Another way, as Joseph has suggested, is to mark your server to server traffic and other traffic (ACL is possible) and give them a percentage (total max off my head I think is 99%); need to have at 1% for class default, which if it isn't used would be shared between the two defined classes you specify.

res
paul



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul thanks. I was able to configure it on the LAN interface and it seems to be working. Can you please let me know what you mean by "shape on your WAN interface"? I have applied the policing service-policy on the inbound traffic from the LAN side on both routers and that seems to be working. Is there anything else that I should do on the WAN interface?
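The difference between the policing configured earlier in the thread (`police 3000000 8000`) and the shaping Paul mentions, as an added example that is not part of the thread: a token-bucket model in Python run over a constructed 10 Mbps stream of 1500-byte packets. The function names, the trace and the unbounded shaper queue are assumptions made for illustration, not IOS internals taken from the page.

```python
# Added example (not from the thread): token-bucket model of police vs. shape.
CIR_BPS = 3_000_000    # rate from the thread's "police 3000000 8000"
BC_BYTES = 8_000       # normal burst size; the police command takes it in bytes

def make_trace(rate_bps=10_000_000, size=1500, seconds=1.0):
    """Constructed input: fixed-size packets offered at a constant rate."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(int(seconds / gap))]

def police(trace, cir_bps=CIR_BPS, bc=BC_BYTES):
    """Conform -> transmit, exceed -> drop. Returns (sent_bytes, dropped_bytes)."""
    tokens, last, sent, dropped = float(bc), 0.0, 0, 0
    for t, size in trace:
        # Refill for the elapsed time, never beyond the burst size Bc.
        tokens = min(bc, tokens + (t - last) * cir_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            sent += size
        else:
            dropped += size              # no queue: excess is discarded
    return sent, dropped

def shape(trace, cir_bps=CIR_BPS, bc=BC_BYTES):
    """Same bucket, but excess waits in an (assumed unbounded) FIFO queue.
    Returns (sent_bytes, max_queueing_delay_seconds)."""
    tokens, clock, sent, worst = float(bc), 0.0, 0, 0.0
    for t, size in trace:
        start = max(t, clock)            # cannot overtake the previous packet
        tokens = min(bc, tokens + (start - clock) * cir_bps / 8)
        if size > tokens:                # wait until enough tokens accrue
            start += (size - tokens) * 8 / cir_bps
            tokens = size
        tokens -= size
        clock = start
        sent += size
        worst = max(worst, start - t)
    return sent, worst

if __name__ == "__main__":
    trace = make_trace()
    print("offered bytes:", sum(s for _, s in trace))
    print("police (sent, dropped):", police(trace))
    print("shape  (sent, max delay s):", shape(trace))
```

On this trace the policer forwards 381,000 of the 1,249,500 offered bytes and drops the rest, while the shaper forwards everything at the cost of about 2.3 seconds of queueing delay for the last packet.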
