To Police or to Shape
Hi - We have an ISP network and sell increments of a 10Gb WAN interface to customers.
At the moment we are policing inbound at the edges of our network to rate limit L2VPN bandwidth and policing inbound and outbound at the egress of our network for IP transit. We had a few problems with our initial policing config in that it was quite brutal and the effect for L2VPN users was that anything over the 50Mb was just getting dropped and their TCP applications were throttling back loads and the perceived bandwidth (by the customer) was much lower than the 50Mb. The policer we used was this.
policy-map 50Meg
class class-default
police 50000000 1500 1500 conform-action transmit exceed-action drop
Having looked at a few other ISP's configs, I can see shapers being used extensively instead of policers. I know the technical differences between the two, but want to know if we should look to implement shaping instead of policing to provide a better experience for the customer whilst still restricting bandwidth?
Also, I can understand the variables used in policers and shapers, but are there some standard figures that you would use for say 20, 40 and 50 Mb policers as I can imagine just guessing them is not going to work
Many Thanks in advance
Dom
Hi Dom,
Check out the below link for brief difference between policy and shaping with comparison.
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
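An added illustration (not part of the original posts) of why the `police 50000000 1500 1500` policer above hits customers so hard: a single-rate token-bucket policer run over a bursty flow, once with the 1500-byte bucket and once with a bucket sized for a time window at CIR. The 1 Gb/s burst rate, the traffic pattern and the 1/8-second sizing window are assumptions chosen for the example, and the extended burst (Be) is not modelled.

```python
# Added example: single-rate, two-colour token-bucket policer
# (conform-action transmit, exceed-action drop). Integer arithmetic only,
# so the results are exact. Traffic and sizing window are constructed.
SCALE = 1_000_000  # tokens are stored as bits * 1e6 (i.e. bps * microseconds)


def burst_bytes(cir_bps, window_s):
    """Bucket depth in bytes that holds window_s seconds of traffic at CIR."""
    return int(cir_bps * window_s / 8)


def police(packets, cir_bps, bc_bytes):
    """packets: list of (arrival_us, size_bytes) in time order.

    Returns (sent_bytes, dropped_bytes).
    """
    capacity = bc_bytes * 8 * SCALE
    tokens = capacity          # bucket starts full
    last_us = 0
    sent = dropped = 0
    for arrival_us, size in packets:
        # Refill at CIR for the time elapsed, never above the bucket depth.
        tokens = min(capacity, tokens + cir_bps * (arrival_us - last_us))
        last_us = arrival_us
        cost = size * 8 * SCALE
        if tokens >= cost:     # conform: transmit and spend tokens
            tokens -= cost
            sent += size
        else:                  # exceed: drop, tokens are left untouched
            dropped += size
    return sent, dropped


def bursty_flow(duration_ms, period_ms, pkts_per_burst,
                pkt_bytes=1500, line_bps=1_000_000_000):
    """Constructed traffic: every period, a back-to-back burst at line rate."""
    gap_us = pkt_bytes * 8 * SCALE // line_bps   # serialization time per packet
    flow = []
    for start_ms in range(0, duration_ms, period_ms):
        for i in range(pkts_per_burst):
            flow.append((start_ms * 1000 + i * gap_us, pkt_bytes))
    return flow


if __name__ == "__main__":
    CIR = 50_000_000
    # 40 x 1500-byte packets every 12 ms: about 40 Mb/s average, below CIR.
    flow = bursty_flow(1000, 12, 40)
    for bc in (1500, burst_bytes(CIR, 0.125)):
        sent, dropped = police(flow, CIR, bc)
        print(f"bc={bc:>7} bytes  sent={sent:>9}  dropped={dropped:>9}")
    for rate in (20_000_000, 40_000_000, 50_000_000):
        print(f"{rate // 1_000_000} Mb/s -> {burst_bytes(rate, 0.125)} bytes")
```

With a bucket that holds exactly one packet, only the packets that arrive after the bucket has refilled for 240 microseconds conform, so a flow averaging below the contracted rate still loses most of each burst; the deeper bucket passes the same flow untouched while still capping a sustained overload at CIR plus one bucket.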
Similar Messages
-
Is it possible to limit bandwidth between two IPs using ACL or policy map. Like for example I want to limit 50% file sharing traffic coming or going to an IP 172.19.60.50
Hello,
You can rate limit the traffic using Traffic Policing or traffic shaping and YES you can match based on the flow of the traffic
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
How do you tell if a 3750 interface is shaping or policing traffic?
We have an Avaya PBX Medpro board plugged into a 3750 port with the following configuration:
interface FastEthernet1/0/4
description PBX Medpro-1
switchport access vlan 10
switchport mode access
duplex full
speed 100
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust dscp
auto qos voip trust
Everything was working fine until the PBX call level went above 110 calls (G-711) which pushed the interface to more than 10mbps. When this happened random calls out of that medpro became garbled and after lots of troubleshooting we came to the conclusion that the default auto qos settings were the problem.
Default auto qos puts these statements on an interface:
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
...which means that queue 1 will allow for 10mbps of traffic and then shaping will kick in.
Adding the line 'priority-queue out' to the interface disables the 10mbps limitation of queue 1 and instead forces the interface to process every packet that goes into the priority queue before anything else.
My question is - is there a 'show' command that we can use to see shaping at work? On router ports with a service policy that has shaping or policing on it you can see the shaping/policing in real time with 'show policy....'
What about on the 3750 switch ports?
Thanks for responding. We work with DSCP so I tried your example on the port a medpro is connected to, but with DSCP, as in:
int f0/15
description Medpro-1
switchport access vlan 12
mls qos dscp 46
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
auto qos voip trust
This is the output of 'sh mls qos int f0/15'
#sh mls qos int f0/15
FastEthernet0/15
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
Note - it doesn't show that 'mls qos dscp 46' did anything. Also it won't take the command 'mls qos dscp override', so how do I tell to mark incoming packets to DSCP 46? -
Traffic policing question on Cisco ASR 1001
Hi Experts,
I have a request to setup aggregated traffic policing on a Cisco ASR 1001 router for multiple networks within a router.
Let's say I have a router with several subinterfaces:
interface GigabitEthernet0/2
description WAN
ip address x.x.x.x x.x.x.x
interface GigabitEthernet0/1.70
description Lan_1
encapsulation dot1Q 70
ip address 192.168.55.1 255.255.255.0
interface GigabitEthernet0/1.80
description LAN_2
encapsulation dot1Q 80
ip address 192.168.56.1 255.255.255.0
interface GigabitEthernet0/1.90
description Servers
encapsulation dot1Q 90
ip address 172.16.10.1 255.255.255.0
I have a WAN link 100Mbit/s and I need to police traffic, so that I have 30Mbit/s for servers (GigabitEthernet0/1.90) and the rest 70Mbit I want to share between Interface Lan_1 and LAN_2. The Idea is that I need 70Mbit/s equally shared between two interfaces, so that I have fair policing on both interfaces. What is the best way to achieve this?
Many Thanks
Hello
The below configuration is a possible option. It provides policing inbound from the clients interfaces and LLQ priority queuing on the wan interface for the servers and shaping values from LAN1 & 2 traffic is set to 35MB each.
Notice nothing is defined for the default class, however I am on the understanding this is given by default 1% of Hqos implementations.
Maybe others on here could review to verify any problems with this post and share their thoughts?
ip access-list extended SRVS_acl
permit ip 172.16.10.0 0.0.0.255 any
ip access-list extended LAN1_acl
permit ip 192.168.55.0 0.0.0.255 any
ip access-list extended LAN2_acl
permit ip 192.168.56.0 0.0.0.255 any
class-map match-all SRVS_CM
match access-group name SRVS_acl
class-map match-all LAN_1_CM
match access-group name LAN1_acl
class-map match-all LAN_2_CM
match access-group name LAN2_acl
policy-map SRVS_PM
class SRVS_CM
police 30720000 conform-action transmit exceed-action drop
policy-map LAN_2_PM
class LAN_2_CM
police 35840000 conform-action transmit
policy-map LAN_1_PM
class LAN_1_CM
police 35840000 conform-action transmit
interface GigabitEthernet0/1.70
service-policy input LAN_1_PM
interface GigabitEthernet0/1.90
service-policy input SRVS_PM
interface GigabitEthernet0/1.80
service-policy input LAN_2_PM
policy-map WAN_CHILD
class SRVS_CM
priority 30720
class LAN_1_CM
shape average 35840000
class LAN_2_CM
shape average 35840000
class class-default
fair-queue
policy-map WAN_PARENT
class class-default
shape average 102400000
service-policy WAN_CHILD
int GigabitEthernet0/2
bandwidth 102400
service-policy output WAN_PARENT
res
Paul -
Cisco ASA 8.6.1 Shape Command Invalid
Tried setting up a Shape Policy and it states it's invalid. Worked fine on my 5520, just curious if anyone else might know why it's coming as invalid now
ciscoasa(config-pmap-c)# shape
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)# shape ?
ERROR: % Unrecognized command
100% sure, this is on asa 8.6.1
ciscoasa(config)# policy-map shaper
ciscoasa(config-pmap)# policy-map shaper
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
set Set connection values
user-statistics configure user statistics for identity firewall
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services
ciscoasa(config-pmap-c)# shape average ?
ERROR: % Unrecognized command
ciscoasa(config-pmap-c)# shape average
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)#
The downfall here for me is that I need to use shape for outgoing traffic and limit it, the connect speed with the fiber box is 100Mbit, police policy doesn't work, using police people downloading off the FTP server get under 1KB per second (Acts like a duplex issue), using shaper always made it work perfect by limiting the upload to 60MBit -
I have seen this config in one of the examples in cisco site
policy-map mqcp
class hub
bandwidth 200
police cir 5000000
Please help in understanding the bandwidth and police command setting in this example
Bandwidth is a Queuing mechanism (class based Weighted Fair Queuing) where in the bandwidth specified is reserved for the traffic when there is congestion. Policing is like Committed access rate(CAR) which sizes ur bandwidth(doesn't shape).
-
Traffic Shape in ethernet - C3750Metro
I have a scenario where, one hub site which is connected to metro ether MAN at 1Gbps and spoke sites are connected to metro ether MAN at 100Mbps, in these remote sites variable bandwidths are agreed with service provider: 20Mbps, 40Mbps, etc.
I only want to configure "traffic shape" in my Catalysts because if I don't, these Catalyst use max. speed to transmit (100Mbps when 20Mbps is only permitted) and the network drops my excess traffic.
I don't want to configure anymore (different QoS for differents services, etc.)
Which is the best, and more elegant, way to do it?
Thanks.
access-list 1 permit any
! class-map name must match the class referenced in the policy-map below
class-map metro_class
match access-group 1
policy-map match_metro
class metro_class
police 20000000 2000000 exceed-action drop
interface whatever
service-policy input match_metro
This is a just a sample config to achieve what you want, you should check the following link for a more thorough explanation.
Traffic shaping allows you to shape output traffic (egress traffic) on a per-physical port basis. Ucode monitors output traffic to verify that it conforms to the rate configured on the switch router. When excess traffic comes into the switch, the output side of the processor interface applies back pressure and queues the excess traffic in the switch fabric.
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a0080476087.html -
Hello. I'm having trouble seeing the forest OR the trees, and I'd appreciate some help from someone who has a better field view than myself. We're upgrading our internet connection to 200MB and management is wanting to upgrade our Packet Shaper to meet the new bandwidth. (The Packet Shaper shows top talkers, top protocols, and rate limits protocols or users.) I'm trying to make the argument that we can do this w/ existing tools (nbar, netflow, QoS policing, and MARS), at the same time I'm trying to make the argument that we need to have our supervisors (currently SUP2 MSFC2) on a 3-4 year upgrade cycle.
To get to the 12.2 IOS, I'd require a memory or sup upgrade. What I am hoping for is someone who has gone down this road who knows what I'm lacking in 12.1 code, or if in fact I can do it all here.
While it is self-evident to most in IT why we need to regularly upgrade equipment, I'm having difficulty making this argument to management with hard facts. I'm guessing they'd still be running Windows for Workgroups to save money...but that's another story.
My plan is to use Netflow and MARS to track top users and top protocols. It appears that I lose some mgt functionality w/ MARS in conjunction w/ IOS 12.1, but I am currently unclear if I lose any tracking capability. (MARS is new to us and awaiting install.)
Then, I hope to use NBAR to identify all the latest P2P traffic and police it appropriately w/ QoS tools.
Does my thinking sound solid? Will I be able to pull this off w/ 12.1? If not, what do I need that I lack in 12.1?
Thank you for your time,
Joshua
Hi,
First of all - you need to be clear that although MARS uses netflow data, it uses it for the purpose of identifying security issues. If you want to use netflow for reporting and/or accounting purposes MARS isn't the tool you need, try one of the following freeware netflow tools:
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/freeware/index.shtml
or one of the following commercial tools:
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/index.shtml
The freeware ones are generally more difficult to set up but once running are just as good as the commercial ones.
However, this means you need two netflow destinations - one for MARS and one for your netflow tool, and this feature is called "Netflow Multiple Export Destinations" and initially appeared at 12.1(3)T, but it seems to be VERY platform specific - for example, because we only run GD software on our 3660's we had to upgrade to 12.3(20) to get it.
Looking at the Feature Navigator for SUP2/MSFC2 it appears that you need at least 12.2(18)SXF6 to get this feature so that might help your case.
I'd personally keep the PacketShaper for its reporting capability if nothing else (IOS can do the job, but not as elegantly as the PacketShaper).
HTH - plz rate if useful.
Andrew. -
ASR 1006 shaping\policing on port-channel interfaces
Hello
I encountered a problem - ASR 1006 ignores shaping\policing configuration on a port-channel interfaces.
If I configure:
policy-map Shaping
class class-default
shape average 100000
interface TenGigabitEthernet0/0/0
no ip address
channel-group 1 mode active
interface Port-channel1.10
encapsulation dot1Q 10
ip address 1.0.0.1 255.255.255.0
service-policy output Shaping
With such configuration shaping doesn't work. But it works on ordinary tenGigabit interfaces...
I've tried several ios xe versions.. no changes
Are there any restrictions with shaping on Port-channel interfaces?
Hi,
Traditional QoS will not work for etherchannels. Please read to find suitable config for your case.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/qos-mqc-xe-3s-book/qos-eth-int.html#GUID-6137A7B8-B2D1-4024-8AC9-E7EBEDD868C6 -
Traffic Policing on Service Provider Edge router.
Hi,
I'm confused about the traffic policing on service provider edge router. Suppose I have taken internet bandwidth from my ISP and he says that they will give me 100 Mbps bandwidth burstable upto 1Gbps. What does that mean? what is burstable here?
I would appreciate if anyone from service provider organization, can give a output of their edge router's running config. I just have to understand how they police our traffic. Here I'm talking about the Internet leased lines.
This is probably something you will have to get your service provider to answer. Different service providers use the term burst in a different context. Some SP's are "NICE" and will setup no policer or shaper and will purely monitor the link for fair use allowing you to exceed what you have purchased as long as you don't abuse the privilege. Other service providers may setup a dual rate policer with a CIR and a PIR to achieve the same. A 3rd scenario is as explained above where the SP will setup a policer for 100Mb/s and then calculate the burst value at 1/8 of a second (or less in some cases) which allows your traffic to burst to full line rate for that time slice.
There are other scenarios but the point I’m trying to make is that service providers don’t all do this the same way which is why you should ask them what they mean and how long your traffic would be allowed to burst to line rate.
PJ -
QPM Shaping and Nested Policies
I'm getting ready for a QPM deployment and I have come across some issues in testing.
I have an Ethernet interface which I need to apply a shaper so I can limit the egress traffic sent to our WAN provider. Then do CB queuing under the shaper.
It looks like I do this via nested polices, but the documentation isn't too clear on how I use the nested policy I create. I think the policies in the nested policies would be the children policies, but it's not really clear. Does anyone have any experience with this?
Also when I attempt to create a shaper it will not allow me to enter a CIR above 154400Kbps and I need a shaper for 200000Kbps. Is there a setting somewhere to increase the limit?
Thanks for any help,
Joe
Hi,
Is this occurring on all devices? What kind of device is having the problem?
Just on Cisco 3845 that has level 3 policies applied
QPM limitation is 12 classes per interface so you could be running into a bug
I have qpm 4.1.5 installed where this bug should be resolved?
Show ver and screenshot in attachment.
Thank you,
Ivana -
QoS Settings to Match SP Policer
Hi,
My SP has an ingress policer specifying 100mbps CIR and 256kbps Bc.
When I try to configure a shaper to match this requirement, I cannot specify a Bc value smaller than 400000, as the Tc cannot be less than 4ms. For example,
OFFICE-01(config-pmap-c)#policy-map policy-map QoS-Outbound-100M
OFFICE-01(config-pmap-c)#class class-default
OFFICE-01(config-pmap-c)#shaper average 100000000 265000
Shaping Interval is 3 milliseconds. Intervals below 4 milliseconds rejected.
If I use the minimum Bc value of 400000bps, traffic might be dropped by the SP. Any workaround? The major application in the network is http.
Thanks.
Larry
Bc isn't a per second value, it's a quantity of bits or bytes.
Also, Bc might be given in bytes, so double check whether your ISP's value is 256 KBytes or Kbits. -
QOS: egress police command not supported in non-leaf classes
Hello,
I have issue with egress policers on EFP (Service instance).
When configure two egress policers on EFPs (on one physical interface), I received a message:
ME-3600X(config-if-srv)#service-policy output VLAN-50M
QOS: egress police command not supported in non-leaf classes
QoS: Policy attachment failed for policymap VLAN-50M
The configuration looks easy:
policy-map VLAN-50M
class VLAN
police cir 50000000
exceed-action drop
class-map match-all VLAN
match protocol ip
interface GigabitEthernet0/11
description TEST
switchport trunk allowed vlan none
switchport mode trunk
mtu 1998
load-interval 30
service instance 199 ethernet
encapsulation dot1q 199
rewrite ingress tag pop 1 symmetric
service-policy output VLAN-50M
xconnect 82.119.245.231 3291 encapsulation mpls
service instance 500 ethernet
description L2MNG-SWITCHE
encapsulation dot1q 500
rewrite ingress tag pop 1 symmetric
bridge-domain 500
I tried to attach the same policy-map to Service Instance 500, with the messages above mentioned.
I am not sure if this is correct behaviour, and what means term "non-leaf class".
IOS version is 15.2(4)S2 with AdvancedMetroIPAccess.
Best regards,
Josef
Platform supports three level hierarchy - Port, VLAN and Class.
Class is the leaf level.
Queuing is done only at the leaf level.
You need to attach your policy to the port level policy so that it can be a two level policy.
Three Level Class-default Policy Example:
policy-map leaf
class class-default
queue-limit xxxxx bytes
policy-map logical
class class-default
service-policy leaf
policy-map root
class class-default
service-policy logical
Invalid Queue-Limit Policy Configuration Example:
This case "class-default" is being considered as the port level.
Following QOS policy configuration failed because the configuration check assumes user is trying to apply the queue-limit at the vlan level which is not supported.
policy-map child-1
class class-default
queue-limit 256 packets
policy-map VLAN-OUT
class class-default <<< Class default is being assumed at the port level , Child policy at the second level
shape average 5000000
service-policy child-1
interface GigabitEthernet0/5
switchport trunk allowed vlan none
switchport mode trunk
service instance 2 ethernet
encapsulation dot1q 60
rewrite ingress tag pop 1 symmetric
bridge-domain 60
3600-HL-2-N(config)#interface GigabitEthernet0/5
3600-HL-2-N(config-if-srv)#service-policy output VLAN-OUT
QOS: queue-limit command not supported in non-leaf classes
QoS: Policy attachment failed for policymap VLAN-OUT
*Feb 13 09:55:28.700: %QOSMGR-3-QLIMIT_LEVEL_ERROR: Qlimit command not supported in non-leaf classes -
Dvi to video adapter changes shape
When I plug my DVI to Video adapter into my macbook pro, all of the displays change shape, and no matter what resolution I choose, it won't go back to its true size. When I try a DVI to vga adapter, it works fine.
Try starting the Mac in Safe mode.
http://support.apple.com/kb/HT1455
Hopefully that will result in a usable screen. If it does, go into Displays Preferences and change the resolution to what it was when you had things working properly before. Then restart normally and the resolution selection made under Safe mode should persist through the normal restart. -
Trying to fill a shape or change text colour-it is always grey instead of the colour I picked?
I have been working on a file and whenever I have a couple of shapes and some text. When I try to change the fill of the shape or change the text colour it is always changing to grey. It will let me pick a colour, but the box at the bottom(foreground/background box) is always grey as well. Please help.
THANK YOU SO MUCH BARBARA! I really appreciate you taking the time to reply to my simple problem (even though at the time it was so frustrating). Thanks again. Leanne