09-01-2021 07:04 AM
Hi!
I wonder if the following is possible:
Have let's say 13 hosts in one VLAN.
The total WAN bandwidth is 100mbps symmetric, it should not be exceeded.
10 hosts should be able to reach maximum 15mbps each, but all 10 of them should not exceed 60mbps together.
2 hosts should be able to reach maximum 50mbps each.
1 host should be able to reach maximum 100mbps.
All of them together should not exceed 100mbps.
I do not have a router yet (so nowhere to test right now); I will be looking to get something used that can handle a ~200mbps WAN link, like a 3945.
I would be happy if this is doable on a switch level entirely.
09-01-2021 08:00 AM
Don't believe any Cisco switch could support such a complex tiered shaping policy.
Unlikely any Cisco router could do so either, although I might be mistaken. It also makes a difference whether your overall 100 Mbps aggregate could be achieved using a physical 100 Mbps interface or whether you need to shape for that too. (Cisco, I recall [?], doesn't support more than 3 tiers, and I also recall [?] often has restrictions on multiple levels of shaping.)
Logically on a physical 100 Mbps port, you would want:
class-map match-any !name class-map
 match !match referencing an ACL
policy-map 100mbps-port
 class 50mbps-host1
  shape average 50000000
 class 50mbps-host2
  shape average 50000000
 class 60mbps-agg
  shape average 60000000
  service-policy 15mbps-hosts
policy-map 15mbps-hosts
 class 15mbps-host1
  shape average 15000000
 .
 .
 class 15mbps-host10
  shape average 15000000
!in the above, your 100 Mbps host will fall into (the implicit) class-default, and be limited, by interface, to 100 Mbps
!if a gig interface, we need to change to:
policy-map 100mbps-agg
 class class-default
  shape average 100000000
  service-policy 100mbps-hosts
policy-map 100mbps-hosts
 class 50mbps-host1
  shape average 50000000
 class 50mbps-host2
  shape average 50000000
 class 60mbps-agg
  shape average 60000000
  service-policy 15mbps-hosts
policy-map 15mbps-hosts
 class 15mbps-host1
  shape average 15000000
 .
 .
 class 15mbps-host10
  shape average 15000000
!again, your 100 Mbps will be in class-default and now limited, by policy-map 100mbps-agg, to 100 Mbps (this latter policy taking the place of the physical 100 Mbps port).
I recall [?] some platforms will support shapers at two levels, but don't recall any supporting shapers at three levels.
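The arithmetic of the tiered policy in the post above, as an added example that is not part of the original thread: a small Python model of nested shapers that reuses the post's class names. It assumes sibling classes split a congested parent equally (max-min), which is an assumption about the scheduler and not documented platform behaviour; the offered loads are constructed inputs.

```python
from dataclasses import dataclass, field
from math import inf

@dataclass
class Shaper:
    name: str
    rate: float                      # "shape average" in Mbps (inf = no shaper)
    demand: float = 0.0              # offered load in Mbps, leaves only
    children: list = field(default_factory=list)

def wanted(node):
    """Load this class would pass if its parent were not congested."""
    load = sum(map(wanted, node.children)) if node.children else node.demand
    return min(node.rate, load)

def water_fill(capacity, wants):
    """Max-min fair split of capacity among sibling claims."""
    grant = [0.0] * len(wants)
    active = [i for i, w in enumerate(wants) if w > 0]
    while active:
        share = capacity / len(active)
        done = [i for i in active if wants[i] <= share]
        if not done:                 # all remaining classes are backlogged
            for i in active:
                grant[i] = share
            break
        for i in done:               # satisfied classes return their surplus
            grant[i] = wants[i]
            capacity -= wants[i]
        active = [i for i in active if i not in done]
    return grant

def allocate(node, available=inf, out=None):
    """Return {leaf name: Mbps passed} for the whole tree."""
    out = {} if out is None else out
    budget = min(available, wanted(node))
    if not node.children:
        out[node.name] = budget
    else:
        grants = water_fill(budget, [wanted(c) for c in node.children])
        for child, g in zip(node.children, grants):
            allocate(child, g, out)
    return out

def page_policy(demand):
    """Tree from the post; demand maps class name -> offered Mbps (constructed)."""
    leaf = lambda n, r: Shaper(n, r, demand.get(n, 0.0))
    small = [leaf(f"15mbps-host{i}", 15) for i in range(1, 11)]
    return Shaper("100mbps-agg", 100, children=[
        leaf("50mbps-host1", 50), leaf("50mbps-host2", 50),
        Shaper("60mbps-agg", 60, children=small),
        leaf("class-default", inf)])  # the 100 Mbps host, no shaper of its own
```

Under this model, ten 15 Mbps hosts running flat out with nothing else active get 6 Mbps each (60 Mbps in total), and with every class backlogged the four top-level classes get 25 Mbps each.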
09-02-2021 03:23 AM
Thank you for the detailed answer Joseph!
1. Ideally I prefer to shape the 100mbps, as the WAN bandwidth could be upgraded in the future.
2. I want to avoid limiting via switch interface (speed command), as the maximum bandwidth on each host may change.
3. A combination of rules in switch and router is doable if necessary.
Please explain why the configuration you posted will not do the job (or did I understand wrong)?
By shapers on 2 levels do you mean this part?:
-----
class 60mbps-agg
 shape average 60000000
 service-policy 15mbps-hosts
---
policy-map 15mbps-hosts
 class 15mbps-host1
  shape average 15000000
-----
09-02-2021 10:22 AM
#1 & 2 Well, then you can use a 3 tier policy (assuming it supports shaping on 3 tiers) and/or shape for your single host at 100 Mbps. Keep in mind, like anything else, we can try to minimize "maintenance", but custom QoS generally also incurs some on-going maintenance.
#3 Generally, "switches'" QoS support is much less than found on (software based) "routers". Where you may need to deploy QoS depends both on your QoS needs and the features of the platform. Often you obtain the most benefit from QoS where there's a major reduction of bandwidth, like from a LAN to WAN.
"Please explain why the configuration you posted will not do the job (or did I understand wrong)?"
(Logically) they should do the job. Again, unsure what your platform will (physically) support/allow.
"By shapers on 2 levels do you mean this part?:"
Yes.
09-02-2021 12:10 PM
Thank you Joseph!
Currently I have pfsense installed, but I can get a Cisco router. I am not quite sure which models would be suitable for my needs. I prefer to go for the cheapest solution, second hand, that would run such a setup without loss of performance, due to budget constraints. I have about 30 hosts with a total of about 60 IPs that would fall under the shapers. No NAT, very little to no host-to-host communication. The router would need to support a VPN connection from the internet to a local management VLAN.
I can search for models, but can you tell me what I should look for in the specifications?
Also, if a Cisco switch can handle one tier of the shaping, I would need a catalyst/nexus, right? - would that help?
09-02-2021 01:22 PM
Nexus, if used, would likely not be "cheap". Further, many of those are weak in QoS support (even compared to Catalysts).
As to model of a router, much would depend on volume of traffic you expect/need it to process. Number of hosts rarely means much.
09-02-2021 01:40 PM
Thank you Joseph,
Is the below info enough?
Currently the internet is 100mbps symmetric. In the future it may become 150-200mbps. Most of the time it is fully or nearly fully utilized.
Little to no host-to-host traffic in the network.
The VPN for the private vlan may see 2-3 concurrent connections at most, for management purposes. Once in a while an iso of 1-5 gb might be sent through the VPN connection.
I think that's about it. No routing protocols, only static route. No DHCP.
09-02-2021 05:18 PM
Ok, for Cisco routers, for aggregate bandwidth of up to half a gig, you're looking at the 4K series of ISRs. Again, even used, they wouldn't be so cheap.
Small Cisco switches that can easily handle your bandwidth would be much, much less expensive, but they don't have features like VPN and light QoS capabilities.
There are some new lightweight routers, like the 1100 series, but I'm not familiar with all the capabilities (or capacities).
09-06-2021 08:03 AM
Hello Joseph,
I am sorry, I was quite busy the past few days and did not have time to search. I do not believe I will be allowed budget for ISR 4000 unfortunately.
While searching I found this topic: https://community.cisco.com/t5/routing/3945-throughput-question/td-p/2629736
and this link from there: https://community.cisco.com/legacyfs/online/legacy/2/7/8/139872-white_paper_c11_595485.pdf
Would not 3925e/3945e work according to the very last graph in the above document?
For the 4000 series I understood that aggregate throughput is for the entire chassis. So 100mbps symmetric WAN link at full usage equals 400mbps aggregated throughput. Have I understood it correctly?
Thank you!
09-06-2021 09:40 AM
No, for 100 Mbps, duplex, you have 200 aggregate.
Remember, one link's in is another link's out. I.e. you need to process only up to 200 Mbps in (assuming there's only traffic to/from the WAN link).
Regarding your question about the 39xx ISRs, yes a 3925E or 3945E should be able to handle your 100 WAN link. However, it's your possible bandwidth increase and VPN that makes it a bit more "iffy", although at least the 3945E does, indeed, look like it can meet those needs too. (Oops on my part - sorry to have overlooked those routers.)
With ISRs before the 4K series (although it's more of the same when you use a 4K with its "boost" license), your "mileage" could very much vary based on your traffic mix and configuration. Because of that, Cisco recommendations tend to be very conservative, trying to avoid you running short on router performance before you expected to. The Whitepaper tries to clarify expected performance under different usages. Knowing this, you can sometimes go "smaller" than Cisco recommends, and all will be fine.
Ideally, you could try your candidate router, for about a week, seeing how it really behaves with your traffic and configuration, with a return option if the router is inadequate.
09-06-2021 10:53 AM
Thank you very much for your time and effort Joseph!
I will read more on QoS/policies and will get funding for a 3945e.