Limit bandwidth for streaming

ivarstrandberg · ‎02-25-2011

Hi.

The Nordic World Ski Championships 2011 is upon us, and NRK, the national broadcaster of Norway, is offering HD streaming via the Akamai network.

I run a network with 5000 users. Our internet bandwidth is usually 300mbps, but we've increased it to 500mbps for the duration of the Ski Championship. Sadly, that did not help, because of the HD streaming.

The internet link is delivered on a fiber trunk with many other VLANs, and my first piece of equipment in the chain is a Cisco 3560G (C3560-IPBASEK9-M), Version 12.2(46)SE). A port on the 3560G is then set to switchport access vlan "internet-vlan", and that port is connected to a routed port on my Cisco 6509-Sup720-10G ( (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH3a). The 6500 then routes the traffic to a Cisco ASA 5520 (running 8.2(4)).

What I'd like to do, is to limit the total bandwidth of all conversations between our IPs and the nearest Akamai IP-range, which is 195.18.221.128/25.

How can I achieve that? I've tried to read the QoS chapter from the manual of the 3560G 12.2(46), but QoS is very complex stuff =)

Latchum Naidu · ‎02-25-2011

Hi,

Hope you have a seperate Vlan's for Network 195.18.221.128/25. If you have then it would be possible to allocate bandwidth under the vlan's

See the below two individual steps may help in your scenario.

STEP-1:

Apply rate-limit on each L3 vlan interface in your 2851
Example (for 1024kbits for vlan 2):

Router# conf t
Router(config)# int vlan 2
Router(config-if)#rate-limit input 1000000 187500 375000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output 1000000 187500 375000 conform-action transmit exceed-action drop

STEP-2:

Policy a specific VLAN number on VLAN interface.

class-map vlan5
match vlan 5
match class-map class-default

policy-map vlan5-limit
class vlan5
police 2000000 250000 exceed-action drop

int vlan5
service-policy input vlan5-limit

After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.

Hope this will help you.

Please rate the helpfull posts.
Regards,
Naidu.

ivarstrandberg · ‎02-25-2011

Hi.

I don't have a 2851. The 6500 does not support the rate-limit command on any of it's interfaces.

IAN WHITMORE · ‎02-25-2011

There are a few ways of doing this. Rate-limiting, shaping or policing. Here is a good guide on the difference between shaping & policing:

http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml

In your case I think you might be better with shaping but you can give them all a try if you wish and see what works best.

This is an example:

access-list 100 permit tcp any 195.18.221.128 255.255.255.128 eq 80

#permits any of your hosts to akamai only on port 80. If you also need https or other ports you will have to add additional lines to the ACL.

class-map akamai
match access-group 100

policy-map akamai
class akamai
shape peak <mean-rate [burst-size [excess-burst-size]]>

interface g0/0

service policy ouput akamai

The rest of the traffic should fall into the class class-default (by default) and pass through normally.

Then you need to apply the policy to the interface using the service-policy command. It might be best to do this on the 6500 so that the akamai traffic is not saturating the rest fo the links between the 6500 and the ASA etc. but then I guess you have fiber everywhere so really you could apply it elsewhere. Just make sure when applying the service policy you get the direction right input|output depending on where you apply it.

Reference:

http://www.cisco.com/en/US/docs/ios/12_2/qos/command/reference/qrfcmd5.html#wp1064737

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfmcli2.html#wpxref72106

There is a lot of information in Cisco on this. Just look for the command reference guides if you have an doubts. And really when you get used to it, it makes sense. Also, I recommend you read it, because if you are managing the network, you will need to know how to troubleshoot this stuff

HTH.

Ian

ivarstrandberg · ‎02-25-2011

Routed interface connected to internet:

6500(config-if)#service-policy input akamai

shape peak command is not supported for this interface

Configuration failed!

Routed SVI connected to ASA 5520:

6500(config-if)#service-policy output akamai

shape peak command is not supported for this interface

Configuration failed!

or switched interface connected to ASA 5520:

6500(config-if)#service-policy output akamai

MQC features are not supported in output direction for this interface

Seems like the 6500 does not support shape peak on its interfaces...I've tried both an SVI and a routed interface on the supervisor.

Any thoughts?

Message was edited by: ivarstrandberg

IAN WHITMORE · ‎02-25-2011

Try changing the shape peak for #police

eg. police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]

police 160000000 (20mb) conform-action transmit exceed-action drop

Of course the downside is that people will complain about poor quality if packets get dropped, as opposed to complaining about it being really slow (or maybe they will just complain about both).

HTH.

Ian

IAN WHITMORE · ‎02-25-2011

You can also try the rate-limit commands that Latchum described, but the MQC is the preferred way and more versatile. Imagine if you want to classify different types of traffic in the future and asign bandwidth. You just creat more classes and assign/polic what you want per traffic class. Of course if you have no intention of doing this, the rate-limit commands will work fine.

Regards,

Ian

ivarstrandberg · ‎02-25-2011

Hi.

The 6500 won't accept the rate limit command on any of it's interface types. Why is that?

I've made a policy with policing instead of shaping now, and applied it inbound on the routed supervisor interface which is connected to the internet VLAN.

This is the config:

mls netflow interface

no mls flow ip

no mls flow ipv6

mls qos <----- I entered this command now, because I haven't enabled QoS on the 6500 earlier. The other mls commands are default, I believe.

mls cef error action reset

!

class-map match-all akamai

match access-group 100

!

policy-map akamai

class akamai

police 200000000 conform-action transmit exceed-action drop

!

interface GigabitEthernet5/3

vrf forwarding ISP

ip address x.x.x.x 255.255.255.252

ipv6 address x:x:x:x::x/64

ipv6 nd ra suppress

service-policy input akamai

!

access-list 100 remark *** akamai ***

access-list 100 permit ip 195.18.221.128 0.0.0.127 any

!

end

Output from "show policy-map interface gi5/3 input":

GigabitEthernet5/3

Service-policy input: akamai

class-map: akamai (match-all)

Match: access-group 100

police :

200000000 bps 6250000 limit 6250000 extended limit

Earl in slot 5 :

6854987323 bytes

5 minute offered rate 79901344 bps

aggregate-forwarded 6854987323 bytes action: transmit

exceeded 0 bytes action: drop

aggregate-forward 88666056 bps exceed 0 bps

Class-map: class-default (match-any)

27373 packets, 2396790 bytes

5 minute offered rate 16000 bps, drop rate 0 bps

Match: any

27373 packets, 2396790 bytes

5 minute rate 16000 bps

Does this look correct?

IAN WHITMORE · ‎02-25-2011

I don't think you can put rate-limit commands on an SVI but I thought you could on a physical interface? Hmmm...

At least you got your access-list the right way around (I put it the wrong way around..oops...gotta watch those things). Are you sure you want to permit all IP and not just some ports?

Other than that it looks alright. If you want to check you got lower the bps to something really low on your police statement and then issue again the show policy-map and see if you get drops (you should if you are doing a lot of streaming at the time and you lower it enoiugh).

Regards,

Ian

Please rate heplful posts.