
limit mail bandwidth

ohassairi
Level 5

Hello

We would like to limit mail server traffic between tower A and tower B, which are connected via GRE tunnel 79.

I configured the following on the router that is on the mail server side (hoping it will limit mail bw to 40Mbps).

access-list 195 permit ip host mailserver-ip any
!
class-map match-all email
 match access-group 195
!
policy-map TUNNEL79
 class email
  police cir 40000000
!
interface Tunnel79
 ip address x.x.x.x 255.255.255.0
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 service-policy output TUNNEL79
end

My question: if many mail clients in the remote tower are downloading emails from the mail server, will the router give 40M to each session or to the whole email traffic?

Actually, I feel it gives 40M for each client, because using netflow we can see mail traffic can exceed 70M. But we need to limit all clients to 40M.

Thanks


Hello,

the policing rate is applied to all email traffic. I think your problem is that the policy is applied to a tunnel interface, and QoS cannot classify the traffic correctly anymore because the tunnel header is the same for all packets.

I am not sure if your software supports this, but try to configure 'qos pre-classify' on your tunnel interface. This causes packets to be classified before tunneling:

Router(config)# interface tunnel79
Router(config-if)# qos pre-classify

NB: qos pre-classify is needed when using QoS on tunnel traffic on the physical interface. I.e., the policy should work, w/o qos pre-classify, on the tunnel interface.

Joseph W. Doherty
Hall of Fame

The police statement applies to all traffic that matches the class.  What do your ACL and show policy interface stats look like?

Actually, a policer (or shaper) allows the actual transmission rate to be at interface bandwidth. Their bandwidth settings are enforced when the traffic exceeds the Bc for the Tc. I.e. it's possible you might see > 40 Mbps, but if you're using typical policer defaults, Tc should be rather small. How are you "seeing" 70 Mbps?

BTW, police statements are rather "harsh"; you might consider using a shape statement.

the access list:

WAN-R1#sho access-lists 195
Extended IP access list 195
10 permit ip host 172.20.x.24 any
20 permit ip host 172.20.x.25 any

the show policy:

WAN-R1#sho policy-map interface tunnel 79
Tunnel79

Service-policy output: TUNNEL79

Class-map: email (match-all)
197717629 packets, 161738155047 bytes
5 minute offered rate 310000 bps, drop rate 0000 bps
Match: access-group 195
police:
cir 40000000 bps, bc 1250000 bytes
conformed 197324592 packets, 161234562324 bytes; actions:
transmit
exceeded 393037 packets, 503592723 bytes; actions:
drop
conformed 303000 bps, exceeded 0000 bps

Class-map: class-default (match-any)
23539412426 packets, 31250696377345 bytes
5 minute offered rate 5889000 bps, drop rate 0000 bps
Match: any

I can see the 70M using netflow analyzer.

Your policy stats do show traffic matching the class, and those stats also show the policer has dropped packets. Unfortunately, this particular snapshot only shows 303 Kbps of traffic, so the policer isn't actively dropping any traffic. (I.e. we cannot confirm, with these stats, the policer drops at 40 Mbps, as desired.)
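
The class-wide policing and the Bc burst behaviour discussed in this thread can be reproduced with a small token-bucket model. This is an added example, not part of any post and not Cisco's implementation; it uses the cir and bc values from the show output above and assumes a bucket that starts full, a constructed load of two clients at 35 Mbps each, and 1500-byte packets.

```python
CIR_BPS = 40_000_000   # from the thread: police cir 40000000
BC_BYTES = 1_250_000   # from the thread's show output: bc 1250000 bytes


class ClassPolicer:
    """Single-rate token bucket shared by every packet that matches the class."""

    def __init__(self, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
        self.fill = cir_bps / 8.0        # refill rate in bytes per second
        self.bc = float(bc_bytes)        # bucket depth (burst allowance)
        self.tokens = float(bc_bytes)    # assumption: bucket starts full
        self.last = 0.0

    def conforms(self, now, size):
        # Refill for the elapsed time, capped at Bc, then test the packet.
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.fill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size          # conformed: transmit
            return True
        return False                     # exceeded: drop


def simulate(clients=2, per_client_bps=35_000_000, seconds=10.0,
             pkt=1500, window=0.1):
    """Constructed load: each client sends fixed-size packets at a constant rate."""
    gap = pkt * 8 / per_client_bps       # seconds between one client's packets
    count = int(seconds / gap)
    # Interleave the clients' packets in time order; all hit the same bucket.
    events = sorted((n * gap + c * gap / clients, c)
                    for c in range(clients) for n in range(count))
    policer = ClassPolicer()
    sent = [0] * clients
    early = 0                            # bytes passed during the first window
    for t, c in events:
        if policer.conforms(t, pkt):
            sent[c] += pkt
            if t < window:
                early += pkt
    return {
        "per_client_bps": [b * 8 / seconds for b in sent],
        "aggregate_bps": sum(sent) * 8 / seconds,
        "first_window_bps": early * 8 / window,
        "tc_seconds": BC_BYTES * 8 / CIR_BPS,   # Bc / CIR
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

In this model the two clients together settle at roughly the CIR over the 10-second run, while a measurement taken only over the first 100 ms sees the full offered rate because the bucket still holds its Bc allowance.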