
Best practices for rate-limiting

sebastien3
Level 4

Hello,

I'm looking for the best practices to limit user throughput on interface/vlan connected behind Catalyst 3750X.

What can you advise?

Currently I use the following configuration to limit the port of the vlan50 on the 3750X-12S-E (See diagram 1):

interface GigabitEthernet1/0/5
 description VLAN50
 switchport access vlan 50
 switchport nonegotiate
 srr-queue bandwidth limit 50
 service-policy input RATE_500Mbps
!
policy-map RATE_500Mbps
 class class-default
  police 500000000 1000000 exceed-action drop
!

[Diagram 1: design1]

4 Replies

Joseph W. Doherty
Hall of Fame

Best practice, I would say, would be not to limit a user's bandwidth.

What you're doing should do the trick on a 3750, although you're shaping egress and policing ingress, behavior is a bit different between the two, but I believe that's what you're stuck with on that platform.

Hi Joseph,

 


"Best practice, I would say, would be not to limit a user's bandwidth."


Disagree with you! There are cases where it is required to have a controlled bandwidth...

 


"What you're doing should do the trick on a 3750, although you're shaping egress and policing ingress, behavior is a bit different between the two, but I believe that's what you're stuck with on that platform."


OK! On the ASR it is not possible to rate-limit if I understood correctly.

On 3750 how do you determine the correct value of "Normal burst bytes" ?

"There are cases where it is required to have a controlled bandwidth..."

I agree, in fact, while responding I almost added that as an "except for".  But, that should be more on the abnormal side.  Otherwise, if restricting bandwidth to users was a typical need, there would not be much need for the growth of access ports from shared 10 Mbps to switched 10g.  If you consider such a need, rate limiting users, the exception, you might now agree it is not a "best practice", and because an exceptional need is often unique too.  Again, to be clear, I didn't intend to imply there's no need, just that it's not a best practice.  (Of course, feel free to disagree with this too.  It's only my not so IMHO - laugh.)

On an ASR, you find you should be able to police ingress or egress.

How to determine "normal burst bytes", is the same whether a 3750 or not.  What you want to emulate is an interface, of a certain bandwidth, with a certain FIFO queue size.  I.e. given the same traffic, you will obtain the same egress transit volume (although not the same egress transit results).

There might be some calculation to compute such, but if so, I'm unaware of it.

Usually, we just go for some target Tc value, usually in the range of 10 to 25ms.

Here's some information, you might start with, on calculating Bc:

Bc in policing 

How to calculate Bc 

Determing Proper Bc 


@Joseph W. Doherty wrote:

"There are cases where it is required to have a controlled bandwidth..."

I agree, in fact, while responding I almost added that as an "except for".  But, that should be more on the abnormal side.  Otherwise, if restricting bandwidth to users was a typical need, there would not be much need for the growth of access ports from shared 10 Mbps to switched 10g.  If you consider such a need, rate limiting users, the exception, you might now agree it is not a "best practice", and because an exceptional need is often unique too.  Again, to be clear, I didn't intend to imply there's no need, just that it's not a best practice. 


I completely agree with you on this

 


"On an ASR, you find you should be able to police ingress or egress."

Yes you have to use a policy-map. With an ISR I can directly use the rate-limit input / output command which is not possible on the ASR ...

 


"How to determine "normal burst bytes", is the same whether a 3750 or not. What you want to emulate is an interface, of a certain bandwidth, with a certain FIFO queue size"

On routers, I use the following formula for NB: CAR x (1/8) x1.5

On 3750 this value of NB is not possible, 1000000 bytes is the max.

 

Now I use 200 Mbps Bandwidth Limit, 5 ms Burst Duration = 200 000 0000 x 0.005 / 8 = 125 000 bytes for NB

 

policy-map 200M
 class class-default
  police 200000000 125000 exceed-action drop
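
An added example (not from any poster in this thread, and not Cisco code): a simplified Python model of the single-rate policer that the `police <rate> <burst> exceed-action drop` lines configure, showing how a burst value derived from a target Tc decides whether a line-rate burst is dropped. The 1,000,000-byte cap is the 3750 maximum reported in the thread; the function names and the 1 Gbps / 1500-byte sample traffic are constructed assumptions.

```python
# Added example: simplified single-rate token-bucket policer (not Cisco code).
PLATFORM_MAX_BURST = 1_000_000  # bytes; 3750 maximum as reported in the thread


def burst_bytes(rate_bps, tc_ms):
    """Normal burst in bytes for a target interval Tc: rate * Tc / 8."""
    return rate_bps * tc_ms // 8000


def police_line(rate_bps, tc_ms, max_burst=PLATFORM_MAX_BURST):
    """Build the police statement, clamping the burst to the platform maximum."""
    bc = min(burst_bytes(rate_bps, tc_ms), max_burst)
    return f"police {rate_bps} {bc} exceed-action drop"


def simulate(rate_bps, bc_bytes, packets):
    """Pass (arrival_s, size_bytes) packets through the bucket.

    The bucket starts full, refills at rate_bps / 8 bytes per second and never
    holds more than bc_bytes. A packet larger than the current token count is
    dropped without consuming tokens. Returns (sent_bytes, dropped_bytes).
    """
    tokens, last, sent, dropped = float(bc_bytes), 0.0, 0, 0
    for t, size in packets:
        tokens = min(bc_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            sent += size
        else:
            dropped += size
    return sent, dropped


def line_rate_burst(n_packets, size=1500, link_bps=1_000_000_000):
    """Constructed traffic: n back-to-back packets arriving at link speed."""
    gap = size * 8 / link_bps
    return [(i * gap, size) for i in range(n_packets)]


if __name__ == "__main__":
    burst = line_rate_burst(100)  # 150 000 bytes in 1.2 ms on a 1 Gbps port
    print(police_line(200_000_000, 5))
    print(police_line(500_000_000, 25))  # 25 ms would need more than the cap
    for bc in (burst_bytes(200_000_000, 5), 12_500):
        print(bc, simulate(200_000_000, bc, burst))
```

With the 5 ms burst of 125000 bytes the whole 150000-byte burst conforms; with a 12500-byte burst the same traffic loses 108000 bytes even though its average over a longer window could be well under 200 Mbps.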