10-28-2010 12:50 AM - edited 03-04-2019 10:17 AM
Hi, I am trying to limit Internet traffic flooding the link by policing it, but I cannot get it to match any packets on interface ATM0.1.
Any ideas? Thanks
class-map match-any VOICE
 match dscp ef
 match dscp cs3
 match dscp af41
 match access-group name VOICE
 match access-group name VOICE-CONTROL
policy-map POLICING_INBOUND
 class VOICE
  police cir 256000 bc 65536 be 65536
   conform-action transmit
   exceed-action transmit
   violate-action transmit
 class class-default
  police 1408000 8000 8000 conform-action transmit exceed-action drop violate-action drop
interface ATM0.1 point-to-point
 pvc 8/35
  vbr-nrt 512 512
  tx-ring-limit 2
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy input POLICING_INBOUND
  service-policy output VOICEWAN
sh policy-map interface atM 0.1 vc 8/35 input
ATM0.1: VC 8/35 -
Service-policy input: POLICING_INBOUND
Class-map: VOICE (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Match: dscp cs3 (24)
0 packets, 0 bytes
5 minute rate 0 bps
Match: dscp af41 (34)
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name VOICE
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name VOICE-CONTROL
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 256000 bps, bc 65536 bytes, be 65536 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
violated 0 packets, 0 bytes; actions:
transmit
conformed 0 bps, exceed 0 bps, violate 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 1408000 bps, bc 8000 bytes, be 8000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps
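Two things are worth checking against the show output above before touching the policer itself. First, even class-default (Match: any) counts 0 packets, so the input policy on the PVC is not seeing any packets at all, rather than failing to classify marked ones; with `encapsulation aal5mux ppp dialer` it is worth checking whether the IP traffic is being switched, and therefore classified, on the Dialer/Virtual-Access interface rather than on the PVC. Second, `police cir bc be` is a single-rate, three-colour token-bucket policer: a Bc bucket refilled at CIR and a Be bucket that only receives Bc's overflow; a packet that fits into Bc conforms, one that fits only into Be exceeds, and the rest violate. The Python model below is an added example written for this page, not Cisco code or the poster's configuration; its packet streams are constructed and the helper names (`Policer`, `run_stream`, `burst_ms`) are mine. It shows what the class-default policer `police 1408000 8000 8000` would do to a 2 Mb/s download once packets actually hit it, and how short a committed burst of 8000 bytes is at that rate.

```python
"""Model of Cisco's `police cir bc be` action: a single-rate, three-colour
token-bucket policer (RFC 2697 style, colour-blind).

Added example for this page; packet streams are constructed, not captured.
"""
from dataclasses import dataclass


@dataclass
class Policer:
    cir_bps: int          # committed rate in bits per second
    bc: int               # committed burst (bytes): the conform bucket
    be: int               # excess burst (bytes): the exceed bucket

    def __post_init__(self) -> None:
        self.tc = float(self.bc)   # conform bucket starts full
        self.te = float(self.be)   # exceed bucket starts full
        self.last_t = 0.0
        self.counts = {"conform": 0, "exceed": 0, "violate": 0}
        self.bytes = {"conform": 0, "exceed": 0, "violate": 0}

    def _refill(self, t: float) -> None:
        # Tokens arrive at CIR. The conform bucket fills first; whatever it
        # cannot hold spills into the exceed bucket, which otherwise never refills.
        new = (t - self.last_t) * self.cir_bps / 8.0
        self.last_t = t
        spill = max(0.0, self.tc + new - self.bc)
        self.tc = min(float(self.bc), self.tc + new)
        self.te = min(float(self.be), self.te + spill)

    def police(self, t: float, size: int) -> str:
        """Colour one packet of `size` bytes arriving at time t (seconds)."""
        self._refill(t)
        if size <= self.tc:
            colour = "conform"
            self.tc -= size
        elif size <= self.te:
            colour = "exceed"
            self.te -= size
        else:
            colour = "violate"        # exceed-action/violate-action drop in the thread
        self.counts[colour] += 1
        self.bytes[colour] += size
        return colour


def run_stream(cir_bps: int, bc: int, be: int,
               size: int, interval: float, duration: float) -> dict:
    """Feed `size`-byte packets every `interval` seconds for `duration` seconds
    (a constructed constant-rate stream) and return per-colour packet counts."""
    p = Policer(cir_bps, bc, be)
    for i in range(int(duration / interval)):
        p.police(i * interval, size)
    return dict(p.counts)


def burst_ms(cir_bps: int, bc: int) -> float:
    """How many milliseconds of CIR the committed burst Bc covers."""
    return bc * 8 * 1000 / cir_bps


if __name__ == "__main__":
    # class-default from the thread: police 1408000 8000 8000
    fast = run_stream(1_408_000, 8000, 8000, size=1500, interval=0.006, duration=1.0)  # ~2 Mb/s
    slow = run_stream(1_408_000, 8000, 8000, size=1500, interval=0.012, duration=1.0)  # ~1 Mb/s
    print("2 Mb/s stream:", fast)
    print("1 Mb/s stream:", slow)
    print(f"bc 8000 bytes = {burst_ms(1_408_000, 8000):.1f} ms of CIR")
```

With a stream below CIR every packet conforms, because the conform bucket refills faster than it drains. Above CIR the Be bucket is used up after a handful of packets and never refills (Bc never overflows while it is being drained faster than it fills), so from then on roughly CIR/arrival-rate of the packets conform and the rest are dropped. An 8000-byte Bc is only about 45 ms of a 1.4 Mb/s CIR, which is why the policer bites on the very first burst of a download.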
10-28-2010 03:16 AM
Hello,
I'm sorry, but you have a problem understanding the QoS concept in general.
First, you try to match some packets that apparently are coming from your WAN connection. This is hard to do because you don't know if the provider trusts the packets, remarks them or just clears any marking that was applied. Maybe that's why you don't get any match.
Second, you apply policing on that VOICE class, which according to the majority of network engineers out there, and Cisco, is wrong. You should never limit voice packets with police. This will lead to voice degradation.
Third, you apply that policy inbound. The packet is already on your input interface. You cannot influence how it travels until there; you just drop packets over a certain limit, established in the policy-map.
Don't get me wrong, you can do inbound policing, but you have to define what you want to do, based on what destination (in the LAN) the packets arriving from the WAN have. Please redefine your expectations from this configuration and let us know. "I'm trying to limit Internet traffic flooding the link" is not an explanation and logically is wrong. If somebody runs a DDoS against you, the traffic is already on your interface; there is nothing left to limit. The limitation has to be done by the previous hop on the packet path.
Cheers,
Calin
10-28-2010 03:59 AM
Hi Calin,
Maybe a little more information might help. I have attached a network map; basically I want to minimize the effect on inter-office voice of users downloading/web browsing from the Internet.
I find that if I ask in too much detail I get no response, so I was trying to be specific and break it down.
> First, you try to match some packets that apparently are coming from your WAN connection. This is hard to do because you don't know if the provider trusts the packets, remarks them or just clears any marking that was applied. Maybe that's why you don't get any match.
There are three sites connected via VPN tunnels; the packets are marked before leaving and arrive intact.
> Second, you apply policing on that VOICE class, which according to the majority of network engineers out there, and Cisco, is wrong. You should never limit voice packets with police. This will lead to voice degradation.
The VOICE class is used by the egress service-policy output VOICEWAN; I am just reusing it.
I am not dropping the voice (match and transmit); how else can I match all other unknown Internet traffic?
> Third, you apply that policy inbound. The packet is already on your input interface. You cannot influence how it travels until there; you just drop packets over a certain limit, established in the policy-map.
Do I have any other option for unknown Internet traffic other than policing it?
Cheers
10-28-2010 04:22 AM
Hello
> Maybe a little more information might help. I have attached a network map; basically I want to minimize the effect on inter-office voice of users downloading/web browsing from the Internet.
> I find that if I ask in too much detail I get no response, so I was trying to be specific and break it down.
It's good to minimize, but the important details should be there.
> There are three sites connected via VPN tunnels; the packets are marked before leaving and arrive intact.
Where is your L3 interface? I assume on the tunnels. If you apply an inbound rule there that matches the marked packets, can you see the counters increasing?
> The VOICE class is used by the egress service-policy output VOICEWAN; I am just reusing it.
You have a VOICE class that you use in the policy POLICING_INBOUND, which is applied inbound to this interface. Am I missing something? I don't know what your VOICEWAN policy is, but for sure you use the VOICE class inbound.
> interface ATM0.1 point-to-point
>  pvc 8/35
>   vbr-nrt 512 512
>   tx-ring-limit 2
>   encapsulation aal5mux ppp dialer
>   dialer pool-member 1
>   service-policy input POLICING_INBOUND
>   service-policy output VOICEWAN
> Do I have any other option for unknown Internet traffic other than policing it?
If you have the 3 sites under your control, here is what I would do:
- mark the packets as close as you can to the network edge (access switches if possible)
- on the WAN routers, you apply traffic prioritization, meaning that from the total available bandwidth you reserve a certain amount for different traffic classes (e.g. 25% for voice traffic, 25% business traffic and 50% for the rest). You can do this with CBWFQ. In this way you enforce your policies only when the bandwidth is fully utilized (so users can surf the Internet using the full bandwidth, but as soon as you have voice traffic or business traffic this will have priority and will be forwarded before the regular user traffic)
- you apply the above policy outbound on the WAN interface.
Given your expectations I think this is the best approach, at least for starting. Then you can polish your rules.
Cheers,
Calin
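To see why CBWFQ/LLQ enforces the policy only when the link is actually full, here is a small scheduler simulation. It is an added example written for this page, not Cisco code; its traffic is constructed (a burst of 40 data packets of 1500 bytes queued at once, plus 200-byte voice packets every 20 ms), and the 512 kbps link rate and the 168 kbps / 4470-byte priority figures are assumptions taken from the numbers that appear in this thread. With plain FIFO a voice packet that arrives behind the data burst waits most of a second; with a strict-priority voice queue it waits at most one 1500-byte serialisation time (about 23 ms at 512 kbps), and data only loses throughput while voice packets are actually present. As with Cisco's `priority` class, the voice queue here is policed to its rate only while data is waiting, i.e. under congestion.

```python
"""Toy link scheduler: FIFO versus low-latency queueing (LLQ) on a slow WAN link.

Added example for this page, not Cisco code. Traffic is constructed: a burst of
1500-byte data packets (a file copy) and a 20 ms voice stream of 200-byte packets.
"""
from collections import deque
from dataclasses import dataclass

LINK_BPS = 512_000          # assumed: the 512 kbps PVC from the thread


@dataclass
class Pkt:
    arrival: float          # seconds
    size: int               # bytes
    voice: bool


def make_traffic(data_pkts: int = 40, voice_pkts: int = 50) -> list:
    """Constructed input: all data packets queued at t=0, voice every 20 ms."""
    data = [Pkt(0.0, 1500, False) for _ in range(data_pkts)]
    voice = [Pkt(0.02 * (i + 1), 200, True) for i in range(voice_pkts)]
    return data + voice


def simulate(packets: list, mode: str, link_bps: int = LINK_BPS,
             priority_bps: int = 168_000, priority_burst: int = 4470) -> dict:
    """Serve packets in FIFO order ("fifo") or with a strict-priority voice
    queue ("llq"). In LLQ mode the voice queue is served first but, like a
    Cisco `priority` class, it is policed to priority_bps only while data is
    waiting. Returns the worst queueing delay per class and the voice drops."""
    assert mode in ("fifo", "llq")
    pending = deque(sorted(packets, key=lambda p: p.arrival))
    voice_q, data_q = deque(), deque()
    now = 0.0                               # time at which the link is next free
    tokens, last = float(priority_burst), 0.0
    worst = {"voice": 0.0, "data": 0.0}
    drops = 0
    while pending or voice_q or data_q:
        if not voice_q and not data_q:
            now = max(now, pending[0].arrival)   # link idle: jump to next arrival
        while pending and pending[0].arrival <= now:
            p = pending.popleft()
            (voice_q if p.voice else data_q).append(p)
        if mode == "fifo":
            # oldest packet first, whatever its class
            if voice_q and (not data_q or voice_q[0].arrival <= data_q[0].arrival):
                p = voice_q.popleft()
            else:
                p = data_q.popleft()
        elif voice_q:
            p = voice_q.popleft()
            tokens = min(float(priority_burst), tokens + (now - last) * priority_bps / 8)
            last = now
            if tokens >= p.size:
                tokens -= p.size
            elif data_q:                    # congested and above the priority rate
                drops += 1
                continue
        else:
            p = data_q.popleft()
        cls = "voice" if p.voice else "data"
        worst[cls] = max(worst[cls], now - p.arrival)
        now += p.size * 8 / link_bps        # serialisation time on the link
    return {"max_voice_delay": worst["voice"], "max_data_delay": worst["data"],
            "voice_drops": drops}


if __name__ == "__main__":
    traffic = make_traffic()
    for mode in ("fifo", "llq"):
        r = simulate(traffic, mode)
        print(f"{mode}: worst voice delay {r['max_voice_delay'] * 1000:.1f} ms, "
              f"worst data delay {r['max_data_delay'] * 1000:.1f} ms, "
              f"voice drops {r['voice_drops']}")
```

The data packets are delayed more under LLQ than under FIFO (voice is inserted ahead of them), which is the intended trade: the priority class steals bandwidth only while it has packets to send, and its own policer prevents a misbehaving voice class from starving everything else once the link is congested.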
10-28-2010 04:45 AM
Hi Calin,
Thanks for your help. Yes I will try to ask better questions.
Here are some missing bits of information; does this help?
class-map match-any VOICE
 match dscp ef
 match dscp cs3
 match dscp af41
 match access-group name VOICE
 match access-group name VOICE-CONTROL
policy-map VOICEWAN
 class VOICE
  priority percent 33
 class RemoteSupport
  bandwidth percent 42
 class to-B
  shape average 457000
 class to-A
  shape average 457000
 class class-default
  fair-queue
crypto map IPSECVPN 10 ipsec-isakmp
 description L2L VPN to A XXX.228.57.63
 set peer XXX.228.57.63
 set transform-set IPSECVPN
 set pfs group2
 match address 120
 qos pre-classify
crypto map IPSECVPN 11 ipsec-isakmp
 description L2L VPN to XXX.151.83.99 B
 set peer XXX.151.83.99
 set transform-set IPSECVPN
 set pfs group2
 match address 121
 qos pre-classify
Cheers
Brett
10-28-2010 05:02 AM
OK, now we are getting somewhere.
The class and policy map look OK. Try to stick with prioritization first (use only priority and bandwidth statements). Apply it outbound and check if you have some matched packets. If you are marking correctly in the LAN, then you'll see some increasing counters there.
Cheers,
Calin
10-28-2010 05:23 AM
Hi Calin,
The outbound policy is working and voice is good and not affected while copying files between sites.
The problem is when, say, a person at site A browses an Internet site with lots of big graphics while talking on the phone to site B. The voice breaks up a bit while loading the page.
#show policy-map interface atM 0.1 output
ATM0.1: VC 8/35 -
Service-policy output: VOICEWAN
queue stats for all priority classes:
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 130925/16002360
Class-map: VOICE (match-any)
130925 packets, 16002360 bytes
5 minute offered rate 48000 bps, drop rate 0 bps
Match: dscp ef (46)
129640 packets, 15297520 bytes
5 minute rate 47000 bps
Match: dscp cs3 (24)
1285 packets, 704840 bytes
5 minute rate 0 bps
Match: dscp af41 (34)
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name VOICE
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name VOICE-CONTROL
0 packets, 0 bytes
5 minute rate 0 bps
Priority: 33% (168 kbps), burst bytes 4470, b/w exceed drops: 0
Class-map: RemoteSupport (match-any)
2209 packets, 285086 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name RDP
2209 packets, 285086 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 2209/285086
bandwidth 42% (215 kbps)
Class-map: to-B (match-all)
591 packets, 82066 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 121
Match: not class-map match-any VOICE
Match: dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Match: dscp cs3 (24)
0 packets, 0 bytes
5 minute rate 0 bps
Match: dscp af41 (34)
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name VOICE
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name VOICE-CONTROL
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 591/82066
shape (average) cir 457000, bc 11425, be 11425
target shape rate 457000
Class-map: to-A (match-all)
5315 packets, 649338 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 120
Match: not class-map match-any VOICE
Match: dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Match: dscp cs3 (24)
0 packets, 0 bytes
5 minute rate 0 bps
Match: dscp af41 (34)
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name VOICE
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name VOICE-CONTROL
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 5315/649338
shape (average) cir 457000, bc 11425, be 11425
target shape rate 457000
Class-map: class-default (match-any)
18933 packets, 2630752 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 18933/2630752
Fair-queue: per-flow queue limit 16
Thanks for the help
Brett