To Police or to Shape

Hi - We have an ISP network and sell increments of a 10Gb WAN interface to customers.
At the moment we are policing inbound at the edges of our network to rate limit L2VPN bandwidth and policing inbound and outbound at the egress of our network for IP transit. We had a few problems with our initial policing config in that it was quite brutal and the effect for L2VPN users was that anything over the 50Mb was just getting dropped and their TCP applications were throttling back loads and the perceived bandwidth (by the customer) was much lower than the 50Mb. The policer we used was this.
policy-map  50Meg
  class class-default
   police 50000000 1500 1500     conform-action transmit     exceed-action drop
Having looked at a few other ISP's configs, I can see shapers being used extensively instead of policers. I know the technical differences between the two, but want to know if we should look to implement shaping instead of policing to provide a better experience for the customer whilst still restricting bandwidth?
Also, I can understand the variables used in policers and shapers, but are there some standard figures that you would use for say 20, 40 and 50 Mb policers as I can imagine just guessing them is not going to work
Many Thanks in advance
Dom

Hi Dom,
Check out the below link for a brief difference between policy and shaping with comparison.
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
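
The effect described in the question, a 50 Mb/s policer with a 1500-byte burst starving traffic whose average is under the rate, can be reproduced with a small token-bucket model. This is an added example, not code from the thread: the traffic pattern (40 back-to-back 1500-byte packets at an assumed 1 Gb/s line rate every 10 ms) is constructed, the burst values are assumed to be in bytes, and the larger burst uses the 1/8-second sizing that a reply further down this page describes.

```python
"""Added example: single-rate policer vs. shaper on bursty traffic (constructed input)."""

NS = 1_000_000_000  # nanoseconds per second; all times are integer ns


def bursty_arrivals(bursts, pkts_per_burst, pkt_bytes, line_bps, period_ns):
    """Constructed traffic: back-to-back packets at line rate, once per period."""
    gap_ns = pkt_bytes * 8 * NS // line_bps
    return [(b * period_ns + i * gap_ns, pkt_bytes)
            for b in range(bursts) for i in range(pkts_per_burst)]


def police(arrivals, cir_bps, burst_bytes):
    """Two-colour token bucket: conform -> transmit, exceed -> drop.

    Tokens are held as bits * NS so the refill stays in exact integers.
    Returns the number of packets transmitted.
    """
    cap = burst_bytes * 8 * NS
    tokens, last, passed = cap, 0, 0
    for t, size in arrivals:
        tokens = min(cap, tokens + cir_bps * (t - last))  # refill since last packet
        last = t
        need = size * 8 * NS
        if tokens >= need:       # conform-action transmit
            tokens -= need
            passed += 1
        # else: exceed-action drop (no tokens consumed)
    return passed


def shape(arrivals, cir_bps):
    """FIFO drained at cir_bps with an unbounded queue (assumption).

    Nothing is dropped; returns the worst delay through the shaper in ns.
    """
    free_at, worst = 0, 0
    for t, size in arrivals:
        free_at = max(t, free_at) + size * 8 * NS // cir_bps
        worst = max(worst, free_at - t)
    return worst


def run():
    cir = 50_000_000                                   # 50 Mb/s, as in the question
    arrivals = bursty_arrivals(100, 40, 1500, 1_000_000_000, 10_000_000)  # spans 1 s
    results = {"offered_bps": sum(size for _, size in arrivals) * 8}
    for label, burst_bytes in (("burst_1500B", 1500),
                               ("burst_125ms", cir // 8 // 8)):  # CIR * 1/8 s, in bytes
        passed = police(arrivals, cir, burst_bytes)
        results[label] = {"passed": passed, "delivered_bps": passed * 1500 * 8}
    results["shaper_worst_delay_ns"] = shape(arrivals, cir)
    return results


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The offered load averages 48 Mb/s, yet the 1500-byte bucket passes only two packets of every burst, while the 1/8-second bucket passes everything and the shaper trades the loss for queuing delay.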

Similar Messages

  • Rate Limit Traffic on Router

    Is it possible to limit bandwidth between two IPs using ACL or policy map. Like for example i want to limit 50% file sharing traffic coming or going to an IP 172.19.60.50

    Hello,
    You can rate limit the traffic using Traffic Policing or traffic shaping and YES you can match based on the flow of the traffic
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • How do you tell if a 3750 interface is shaping or policing traffic?

    We have an Avaya PBX Medpro board plugged into a 3750 port with the following configuration:
    interface FastEthernet1/0/4
    description PBX Medpro-1
    switchport access vlan 10
    switchport mode access
    duplex full
    speed 100
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    mls qos trust dscp
    auto qos voip trust
    Everything was working fine until the PBX call level went above 110 calls (G-711) which pushed the interface to more than 10mbps. When this happened random calls out of that medpro became garbled and after lots of troubleshooting we came to the conclusion that the default auto qos settings were the problem.
    Default auto qos puts these statements on an interface:
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    ...which means that queue 1 will allow for 10mbps of traffic and then shaping will kick in.
    Adding the line 'priority-queue out' to the interface disables the 10mbps limitation of queue 1 and instead forces the interface to process every packet that goes into the priority queue before anything else.
    My question is - is there a 'show' command that we can use to see shaping at work? On router ports with a service policy that has shaping or policing on it you can see the shaping/policing in real time with 'show policy....'
    What about on the 3750 switch ports?

    Thanks for responding. We work with DSCP so I tried your example on the port a medpro is connected to, but with DSCP, as in:
    int f0/15
    description Medpro-1
    switchport access vlan 12
    mls qos dscp 46
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    auto qos voip trust
    This is the output of 'sh mls qos int f0/15'
    #sh mls qos int f0/15
    FastEthernet0/15
    trust state: not trusted
    trust mode: not trusted
    trust enabled flag: ena
    COS override: dis
    default COS: 0
    DSCP Mutation Map: Default DSCP Mutation Map
    Trust device: none
    qos mode: port-based
    Note - it doesn't show that 'mls qos dscp 46' did anything. Also it won't take the command 'mls qos dscp override', so how do I tell to mark incoming packets to DSCP 46?

  • Traffic policing question on Cisco ASR 1001

    Hi Experts,
    I have a request to setup aggregated traffic policing on a Cisco ASR 1001 router for multiple networks within a router.
    Lets say I have a router with several subinterfaces:
    interface GigabitEthernet0/2
     description WAN
     ip address x.x.x.x x.x.x.x
    interface GigabitEthernet0/1.70
     description Lan_1
     encapsulation dot1Q 70
     ip address 192.168.55.1 255.255.255.0
    interface GigabitEthernet0/1.80
     description LAN_2
     encapsulation dot1Q 80
     ip address 192.168.56.1 255.255.255.0
    interface GigabitEthernet0/1.90
     description Servers
     encapsulation dot1Q 90
     ip address 172.16.10.1 255.255.255.0
    I have a WAN link 100Mbit/s and I need to police traffic, so that I have 30Mbit/s for servers (GigabitEthernet0/1.90) and the rest 70Mbit I want to share between Interface Lan_1 and LAN_2. The idea is that I need 70Mbit/s equally shared between two interfaces, so that I have fair policing on both interfaces. What is the best way to achieve this?
    Many Thanks

    Hello
    The below configuration is a possible option. It provides policing inbound from the client interfaces and LLQ priority queuing on the WAN interface for the servers, and shaping values for LAN1 & 2 traffic are set to 35MB each.
    Notice nothing is defined for the default class, however I am on the understanding this is given by default 1% of Hqos implementations.
    Maybe others on here could review to verify any problems with this post and share their thoughts?
    ip access-list extended SRVS_acl
     permit ip 172.16.10.0 0.0.0.255 any
    ip access-list extended LAN1_acl
     permit ip 192.168.55.0 0.0.0.255 any
    ip access-list extended LAN2_acl
     permit ip 192.168.56.0 0.0.0.255 any
    class-map match-all SRVS_CM
     match access-group name SRVS_acl
    class-map match-all LAN_1_CM
     match access-group name  LAN1_acl
    class-map match-all LAN_2_CM
     match access-group name LAN2_acl
    policy-map SRVS_PM
     class SRVS_CM
        police 30720000 conform-action transmit exceed-action drop
    policy-map LAN_2_PM
     class LAN_2_CM
        police 35840000 conform-action transmit 
    policy-map LAN_1_PM
     class LAN_1_CM
        police 35840000 conform-action transmit 
    interface GigabitEthernet0/1.70
    service-policy input LAN_1_PM
    interface GigabitEthernet0/1.90
     service-policy input SRVS_PM
    interface GigabitEthernet0/1.80
     service-policy input LAN_2_PM
    policy-map WAN_CHILD
     class SRVS_CM
      priority 30720
     class LAN_1_CM
      shape average 35840000
     class LAN_2_CM
      shape average 35840000
     class class-default
      fair-queue
    policy-map WAN_PARENT
     class class-default
      shape average 102400000
      service-policy WAN_CHILD
    int  GigabitEthernet0/2
    bandwidth 102400
    service-policy output WAN_PARENT
    res
    Paul

  • Cisco ASA 8.6.1 Shape Command Invalid

    Tried setting up a Shape Policy and it states it's invalid. Worked fine on my 5520, just curious if anyone else might know why it's coming as invalid now
    ciscoasa(config-pmap-c)# shape
                                              ^
    ERROR: % Invalid input detected at '^' marker.
    ciscoasa(config-pmap-c)# shape ?
    ERROR: % Unrecognized command

    100% sure, this is on asa 8.6.1
    ciscoasa(config)# policy-map shaper
    ciscoasa(config-pmap)# policy-map shaper
    ciscoasa(config-pmap)# class class-default
    ciscoasa(config-pmap-c)# ?
    MPF policy-map class configuration commands:
      exit             Exit from MPF class action configuration mode
      help             Help for MPF policy-map class/match submode commands
      no               Negate or set default values of a command
      police           Rate limit traffic for this class
      priority         Strict scheduling priority for this class
      quit             Exit from MPF class action configuration mode
      set              Set connection values
      user-statistics  configure user statistics for identity firewall
      csc              Content Security and Control service module
      flow-export      Configure filters for NetFlow events
      inspect          Protocol inspection services
      ips              Intrusion prevention services
    ciscoasa(config-pmap-c)# shape average ?
    ERROR: % Unrecognized command
    ciscoasa(config-pmap-c)# shape average
                               ^
    ERROR: % Invalid input detected at '^' marker.
    ciscoasa(config-pmap-c)#
    The downfall here for me is that I need to use shape for outgoing traffic and limit it, the connect speed with the fiber box is 100Mbit, police policy doesn't work, using police people downloading off the FTP server get under 1KB per second (Acts like a duplex issue), using shaper always made it work perfect by limiting the upload to 60MBit

  • Bandwidth and Police command

    I have seen this config in one of the examples in cisco site
    policy-map mqcp
    class hub
    bandwidth 200
    police cir 5000000
    Please help in understanding the bandwidth and police command setting in this example

    Bandwidth is a queuing mechanism (Class-Based Weighted Fair Queuing) wherein the bandwidth specified is reserved for the traffic when there is congestion. Policing is like Committed Access Rate (CAR) which sizes your bandwidth (doesn't shape).

  • Traffic Shape in ethernet - C3750Metro

    I have a scenario where, one hub site which is connected to metro ether MAN at 1Gbps and spoke sites are connected to metro ether MAN at 100Mbps, in these remote sites variable bandwidths are agreed with service provider: 20Mbps, 40Mbps, etc.
    I only want to configure "traffic shape" in my Catalysts because if I don't, these Catalyst use max. speed to transmit (100Mbps when 20Mbps is only permitted) and the network drops my excess traffic.
    I don't want to configure anymore (different QoS for differents services, etc.)
    Which is the best, and more elegant, way to do it?
    Thanks.

    access-list 1 permit any
    class-map match_metro
    match access-group 1
    policy-map match_metro
    ! the class referenced here must be the class-map defined above
    class match_metro
    police 20000000 2000000 exceed-action drop
    interface whatever
    service-policy input match_metro
    This is a just a sample config to achieve what you want, you should check the following link for a more thorough explanation.
    Traffic shaping allows you to shape output traffic (egress traffic) on a per-physical port basis. Ucode monitors output traffic to verify that it conforms to the rate configured on the switch router. When excess traffic comes into the switch, the output side of the processor interface applies back pressure and queues the excess traffic in the switch fabric.
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a0080476087.html

  • NBAR, Netflow, QoS Policing, 6500s, IOS 12.1(26)E7, and MARS

    Hello. I'm having trouble seeing the forest OR the trees, and I'd appreciate some help from someone who has a better field view than myself. We're upgrading our internet connection to 200MB and management is wanting to upgrade our Packet Shaper to meet the new bandwidth. (The Packet Shaper shows top talkers, top protocols, and rate limits protocols or users.) I'm trying to make the argument that we can do this w/ existing tools (nbar, netflow, QoS policing, and MARS), at the same time I'm trying to make the argument that we need to have our supervisors (currently SUP2 MSFC2) on a 3-4 year upgrade cycle.
    To get to the 12.2 IOS, I'd require a memory or sup upgrade. What I am hoping for is someone who has gone down this road who knows what I'm lacking in 12.1 code, or if in fact I can do it all here.
    While it is self-evident to most in IT why we need to regularly upgrade equipment, I'm having difficulty making this argument to management with hard facts. I'm guessing they'd still be running Windows for Workgroups to save money...but that's another story.
    My plan is to use Netflow and MARS to track top users and top protocols. It appears that I lose some mgt functionality w/ MARS in conjunction w/ IOS 12.1, but I am currently unclear if I lose any tracking capability. (MARS is new to us and awaiting install.)
    Then, I hope to use NBAR to identify all the latest P2P traffic and police it appropriately w/ QoS tools.
    Does my thinking sound solid? Will I be able to pull this off w/ 12.1? If not, what do I need that I lack in 12.1?
    Thank you for your time,
    Joshua

    Hi,
    First of all - you need to be clear that although MARS uses netflow data, it uses it for the purpose of identifying security issues. If you want to use netflow for reporting and/or accounting purposes MARS isn't the tool you need, try one of the following freeware netflow tools:
    http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/freeware/index.shtml
    or one of the following commercial tools:
    http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/index.shtml
    The freeware ones are generally more difficult to set up but once running are just as good as the commercial ones.
    However, this means you need two netflow destinations - one for MARS and one for your netflow tool, and this feature is called "Netflow Multiple Export Destinations" and initially appeared at 12.1(3)T, but it seems to be VERY platform specific - for example, because we only run GD software on our 3660's we had to upgrade to 12.3(20) to get it.
    Looking at the Feature Navigator for SUP2/MSFC2 it appears that you need at least 12.2(18)SXF6 to get this feature so that might help your case.
    I'd personally keep the PacketShaper for its reporting capability if nothing else (IOS can do the job, but not as elegantly as the PacketShaper).
    HTH - plz rate if useful.
    Andrew.

  • ASR 1006 shaping\policing on port-channel interfaces

    Hello
    I encountered a problem - ASR 1006 ignores shaping\policing configuration on a port-channel interfaces.
    If I configure:
    policy-map Shaping
     class class-default
      shape average 100000
    interface TenGigabitEthernet0/0/0
     no ip address
     channel-group 1 mode active
    interface Port-channel1.10
     encapsulation dot1Q 10
     ip address 1.0.0.1 255.255.255.0
     service-policy output Shaping
    With such configuration shaping doesn't work. But it works on ordinary tenGigabit interfaces...
    I've tried several ios xe versions.. no changes
    Are there any restrictions with shaping on Port-channel interfaces?

    Hi,
    Traditional QoS will not work for etherchannels. Please read to find suitable config for your case.
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/qos-mqc-xe-3s-book/qos-eth-int.html#GUID-6137A7B8-B2D1-4024-8AC9-E7EBEDD868C6

  • Traffic Policing on Service Provider Edge router.

    Hi,
    I'm confused about the traffic policing on service provider edge router. Suppose I have taken internet bandwidth from my ISP and he says that they will give me 100 Mbps bandwidth burstable up to 1Gbps. What does that mean? What is burstable here?
    I would appreciate it if anyone from a service provider organization can give an output of their edge router's running config. I just have to understand how they police our traffic. Here I'm talking about the Internet leased lines.

    This is probably something you will have to get your service provider to answer. Different service providers use the term burst in a different context. Some SPs are "NICE" and will set up no policer or shaper and will purely monitor the link for fair use, allowing you to exceed what you have purchased as long as you don’t abuse the privilege. Other service providers may set up a dual rate policer with a CIR and a PIR to achieve the same. A 3rd scenario is as explained above where the SP will set up a policer for 100Mb/s and then calculate the burst value at 1/8 of a second (or less in some cases) which allows your traffic to burst to full line rate for that time slice.
    There are other scenarios but the point I’m trying to make is that service providers don’t all do this the same way which is why you should ask them what they mean and how long your traffic would be allowed to burst to line rate.
    PJ

  • QPM Shaping and Nested Policies

    I'm getting ready for a QPM deployment and I have come across some issues in testing.
    I have an Ethernet interface which I need to apply a shaper so I can limit the egress traffic sent to our WAN provider. Then do CB queuing under the shaper.
    It looks like I do this via nested polices, but the documentation isn't too clear on how I use the nested policy I create. I think the policies in the nested policies would be the children policies, but it's not really clear. Does anyone have any experience with this?
    Also when I attempt to create a shaper it will not allow me to enter a CIR above 154400Kbps and I need a shaper for 200000Kbps. Is there a setting somewhere to increase the limit?
    Thanks for any help,
    Joe

    Hi,
    Is this occurring on all devices? What kind of device is having the problem?
    Just on Cisco 3845 that has level 3 policies applied
    QPM limitation is 12 classes per interface so you could be running into a bug
    I have qpm 4.1.5 installed where this bug should be resolved?
    Show ver and screenshot in attachment.
    Thank you,
    Ivana

  • QoS Settings to Match SP Policer

    Hi,
    My SP has an ingress policer specifying 100mbps CIR and 256kbps Bc.
    When I try to configure a shaper to match this requirement, I cannot specify a Bc value smaller than 400000, as the Tc cannot be less than 4ms. For example,
    OFFICE-01(config-pmap-c)#policy-map policy-map QoS-Outbound-100M
     OFFICE-01(config-pmap-c)#class class-default
      OFFICE-01(config-pmap-c)#shaper average 100000000 265000
    Shaping Interval is 3 milliseconds. Intervals below 4 milliseconds rejected.
    If I use the  minimum Bc value of 400000bps, traffic might be dropped by the SP. Any workaround? The major application in the network is http.
    Thanks.
    Larry

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Bc isn't a per second value, it's a quantity of bits or bytes.
    Also, Bc might be given in bytes, so double check whether your ISP's value is 256 KBytes or Kbits.
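
The arithmetic behind this exchange, as an added example that is not part of the original posts: the shaping interval is Tc = Bc / CIR, so the SP's figure is checked under both the bits and the bytes reading, and for each the sketch estimates how many bits per interval a shaper forced up to the 4 ms minimum would push past the SP policer. The 1 Gb/s line rate, the reading of "256k" as 256000, and the fluid (non-packetised) burst model are assumptions.

```python
"""Added example: Tc = Bc / CIR, and shaper-vs-policer burst mismatch (assumed values)."""


def shaping_interval_ms(cir_bps, bc_bits):
    """Tc in milliseconds for a given CIR (bits/s) and Bc (bits)."""
    return bc_bits * 1000 / cir_bps


def min_bc_bits(cir_bps, min_tc_ms=4):
    """Smallest Bc (bits) the platform accepts if Tc may not go below min_tc_ms."""
    return cir_bps * min_tc_ms // 1000


def excess_bits_per_interval(cir_bps, shaper_bc_bits, policer_bc_bits, line_bps):
    """Fluid estimate of bits per Tc that exceed the policer.

    The shaper releases shaper_bc_bits at line rate; during that burst the
    policer bucket (assumed full at the start) also refills at CIR.
    """
    refill_during_burst = cir_bps * shaper_bc_bits // line_bps
    return max(0, shaper_bc_bits - policer_bc_bits - refill_during_burst)


def assess(cir_bps, sp_bc_value, line_bps, min_tc_ms=4):
    """Evaluate the SP's Bc figure read as bits and as bytes."""
    report = {}
    for unit, policer_bits in (("bits", sp_bc_value), ("bytes", sp_bc_value * 8)):
        tc = shaping_interval_ms(cir_bps, policer_bits)
        # If the matching Bc is rejected, the shaper has to use the minimum instead.
        shaper_bits = max(policer_bits, min_bc_bits(cir_bps, min_tc_ms))
        report[unit] = {
            "policer_bc_bits": policer_bits,
            "tc_ms": tc,
            "accepted": tc >= min_tc_ms,
            "shaper_bc_bits": shaper_bits,
            "excess_bits_per_tc": excess_bits_per_interval(
                cir_bps, shaper_bits, policer_bits, line_bps),
        }
    return report


if __name__ == "__main__":
    # 100 Mb/s CIR and a "256k" Bc as quoted in the question; 1 Gb/s line rate assumed.
    for unit, row in assess(100_000_000, 256_000, 1_000_000_000).items():
        print(unit, row)
```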

  • QOS: egress police command not supported in non-leaf classes

    Hello,
    I have issue with egress policers on EFP (Service instance).
    When configure two egress policers on EFPs (on one physical interface), I received a message:
    ME-3600X(config-if-srv)#service-policy output VLAN-50M
    QOS: egress police command not supported in non-leaf classes
    QoS: Policy attachment failed for policymap VLAN-50M
    The configuration looks easy:
    policy-map VLAN-50M
    class VLAN
      police cir 50000000
       exceed-action drop
    class-map match-all VLAN
    match protocol ip
    interface GigabitEthernet0/11
    description TEST
    switchport trunk allowed vlan none
    switchport mode trunk
    mtu 1998
    load-interval 30
    service instance 199 ethernet
      encapsulation dot1q 199
      rewrite ingress tag pop 1 symmetric
      service-policy output VLAN-50M
      xconnect 82.119.245.231 3291 encapsulation mpls
    service instance 500 ethernet
      description L2MNG-SWITCHE
      encapsulation dot1q 500
      rewrite ingress tag pop 1 symmetric
      bridge-domain 500
    I tried to attach the same policy-map to Service Instance 500, with the messages above mentioned.
    I am not sure if this is correct behaviour, and what the term "non-leaf class" means.
    IOS version is 15.2(4)S2 with AdvancedMetroIPAccess.
    Best regards,
    Josef

    Platform supports three level hierarchy - Port, VLAN and Class.
    Class is the leaf level.
    Queuing is done only at the leaf level.
    You need to attach your policy to the port level policy so that it can be a two level policy.
    Three Level Class-default Policy Example:
    policy-map leaf
    class class-default
    queue-limit xxxxx bytes
    policy-map logical
    class class-default
    service-policy leaf
    policy-map root
    class class-default
    service-policy logical
    Invalid Queue-Limit Policy Configuration Example:
    This case "class-default" is being considered as the port level.
    Following QOS policy configuration failed because the configuration check assumes user is trying to apply the queue-limit at the vlan level which is not supported.
    policy-map child-1
    class class-default
      queue-limit 256 packets
    policy-map VLAN-OUT
    class class-default       <<< Class default is being assumed at the port level , Child policy at the second level
      shape average 5000000
      service-policy child-1
    interface GigabitEthernet0/5
    switchport trunk allowed vlan none
    switchport mode trunk
    service instance 2 ethernet
      encapsulation dot1q 60
      rewrite ingress tag pop 1 symmetric
      bridge-domain 60
    3600-HL-2-N(config)#interface GigabitEthernet0/5
    3600-HL-2-N(config-if-srv)#service-policy output VLAN-OUT
    QOS: queue-limit command not supported in non-leaf classes
    QoS: Policy attachment failed for policymap VLAN-OUT
    *Feb 13 09:55:28.700: %QOSMGR-3-QLIMIT_LEVEL_ERROR: Qlimit command not supported in non-leaf classes

  • Dvi to video adapter changes shape

    When I plug my DVI to Video adapter into my macbook pro, all of the displays change shape, and no matter what resolution I choose, it won't go back to its true size. When I try a DVI to vga adapter, it works fine.

    Try starting the Mac in Safe mode.
    http://support.apple.com/kb/HT1455
    Hopefully that will result in a usable screen. If it does, go into Displays Preferences and change the resolution to what it was when you had things working properly before. Then restart normally and the resolution selection made under Safe mode should persist through the normal restart.

  • Trying to fill a shape or change text colour-it is always grey instead of the colour I picked?

    I have been working on a file and whenever I have a couple of shapes and some text. When I try to change the fill of the shape or change the text colour it is always changing to grey. It will let me pick a colour, but the box at the bottom(foreground/background box) is always grey as well. Please help.

    THANK YOU SO MUCH BARBARA! I really appreciate you taking the time to reply to my simple problem (even though at the time it was so frustrating). Thanks again. Leanne
