Policy Routing: Guaranteeing Bandwidth Question
Posted by Mysticmoose06 on March 27, 2007, 11:23 pm
All,

I work for a school district and we have now outsourced our entire student information database, and with all the internet traffic we have on some days, we can easily saturate our T-1 line. (We can easily have more than 200 concurrent connections, etc.) So I now get angry phone calls from secretaries who just want to do building attendance but can't because we're at 98% capacity.

What I would like to do is set up a policy that takes, say, 40% of our bandwidth and, when it is required, allocates it to all traffic going to our outsourced database IP address. However, when administration / teachers are not visiting our database site, I want that 40% of the 'reserved' bandwidth to go back into the pot for everyone to use.

Through my research, I believe the solution will come via policy & class mapping with bandwidth settings. Please review my theory as I am hoping for comments and improvements.

# Theorized Solution

class-map student-data-traffic
 match access-group 171

policy-map student-data
 class student-data-traffic
  bandwidth percent 40
 class class-default
  fair-queue
  queue-limit 10

Serial 0/0:
 ip policy route-map student-data

(create access 171 here)
#

If there is an easier solution that would offer bandwidth to users when they need it, and release it when they aren't, I am very open to ideas.

Thanks in advance for your help.
~ Aaron
Posted by Mysticmoose06 on March 27, 2007, 11:25 pm
Quick Note: Router is a Cisco 2611.
Posted by J.Cottingim on March 28, 2007, 12:02 pm
This looks ok... but...

Be sure that your ACL 171 is configured to PERMIT traffic to the important web site. When you apply the policy-map to the interface on the 2611, remember that it's an outgoing policy map. Therefore, if the saturation problem is in the incoming direction, you'll need to do some tricks to make this work.

To fix this, apply a bandwidth statement and policy-map on your inside Ethernet interface. Assuming you have only one T1, this would be (example):

interface ethernet 0/0
 bandwidth 1544
 service-policy output student-data

Also, you'll need to make sure ACL 171 is built in such a manner as to be bi-directional. If the destination web site is 12.13.14.15 then ACL 171 would look something like this:

access-list 171 remark identify important traffic !<-- always document your ACLs
access-list 171 remark database site
access-list 171 permit ip any host 12.13.14.15
access-list 171 permit ip host 12.13.14.15 any

With this set up, any traffic that is not identified by ACL 171 would get the "best effort" treatment. Also, remember... traffic that exceeds the percentage of bandwidth you've reserved for any particular class is subject to the "best effort" treatment.

Alternatively, you could create two separate ACLs with two separate policy-maps. This would reduce CPU utilization slightly, and would increase memory utilization.

Another thing that you could do to help the situation would be to further classify traffic. The example below all depends on your company's policies on internet usage. Here's the summary:

Class-A
 ... low-bandwidth high-priority traffic
 ... (telnet, snmp, snmp-trap, etc)
 ... guarantee 10% bandwidth
Class-B
 ... your extremely important traffic (as in ACL 171)
 ... guarantee 40% bandwidth
Class-C
 ... your somewhat important traffic (define as necessary)
 ... guarantee 25% bandwidth
Class-D
 ... traffic to those Bandwidth Sucking (BS) sites
 ... ie. youtube, video.google, myspace, etc.
 ... limit to 128Kb/s
Class-F
 ... point-to-point file sharing and other unwanted traffic
 ... drop -or- limit to very small (8Kb/s)

The configuration would look something like this:

class-map match-any CLASS-A
 match access-group name Priority-ACL
class-map match-any CLASS-B
 match access-group name HIGH-PRIORITY-SITES
class-map match-any CLASS-C
 match access-group name MED-PRIORITY-SITES
class-map match-any CLASS-D
 match access-group name LOW-PRIORITY-SITES
 match protocol http url "*youtube*"
 match protocol http url "*video.google*"
 match protocol http url "*myspace*"
class-map match-any CLASS-F
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
 match protocol napster
 match protocol cuseeme
 match protocol vdolive
 match protocol realaudio
 match protocol edonkey
 match protocol bittorrent
!
policy-map QoS-POLICY
 class CLASS-A
  priority percent 10
 class CLASS-B
  bandwidth percent 40
 class CLASS-C
  bandwidth percent 25
 class CLASS-D
  police 128000 1500 1500 conform-action transmit exceed-action drop
 class CLASS-F
  police 8000 1500 1500 conform-action transmit exceed-action drop
!
ip access-list extended Priority-ACL
 remark Low-bandwidth High-Priority
 permit tcp any eq telnet <your-inside-net-address>
 permit udp any eq snmp <your-inside-net-address>
 permit udp any eq snmptrap <your-inside-net-address>
 permit udp any eq tftp <your-inside-net-address>
 permit tcp <your-inside-net-address> any eq telnet
 permit udp <your-inside-net-address> any eq snmp
 permit udp <your-inside-net-address> any eq snmptrap
 permit udp <your-inside-net-address> any eq tftp
!
ip access-list extended HIGH-PRIORITY-SITES
 remark Build your ACL 171 here.
!
ip access-list extended MED-PRIORITY-SITES
 remark Build your not-so-important traffic acl here
!
ip access-list extended LOW-PRIORITY-SITES
 remark identify any traffic that you want to limit its speed

You'll need to enable NBAR on the router in order to do the CLASS-F part. This will add memory and CPU requirements on your router. (It might be time to upgrade your internet router as well.)

Good luck
JC
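Putting the thread's pieces together as an added example (this is not Aaron's draft or JC's config): the database class with its 40% CBWFQ guarantee, attached to the T1 for the outbound direction, and wrapped in a shaper on the inside interface for the inbound direction. It assumes Serial0/0 is the T1, Ethernet0/0 is the LAN, and 192.0.2.10 is a placeholder for the outsourced database address; the shaper is my addition, because CBWFQ only queues when the interface itself is congested and a 10 Mb/s Ethernet never will be behind a T1.

```cisco
! Added example, not the thread's own config. Placeholders:
!   192.0.2.10  = outsourced student-database address (substitute the real one)
!   Serial0/0   = T1 to the ISP, Ethernet0/0 = inside LAN
!
! 1. Classify traffic to AND from the database (bi-directional, as JC notes)
access-list 171 remark student-information database, both directions
access-list 171 permit ip any host 192.0.2.10
access-list 171 permit ip host 192.0.2.10 any
!
class-map match-all STUDENT-DATA-TRAFFIC
 match access-group 171
!
! 2. CBWFQ: "bandwidth percent 40" is a minimum guarantee that only takes
!    effect under congestion; when the class is idle its share is given
!    back to class-default, which is exactly the "back into the pot" goal.
policy-map STUDENT-DATA
 class STUDENT-DATA-TRAFFIC
  bandwidth percent 40
 class class-default
  fair-queue
!
! 3. Outbound (LAN -> ISP): attach directly to the T1. This replaces the
!    "ip policy route-map" line of the original draft, which is policy-based
!    routing (next-hop selection), not queueing.
interface Serial0/0
 bandwidth 1544
 service-policy output STUDENT-DATA
!
! 4. Inbound (ISP -> LAN): queue on the inside interface. CBWFQ only acts
!    when the outgoing interface is congested, so shape Ethernet0/0 output
!    down to T1 rate and run the same policy as a child of the shaper.
policy-map SHAPE-TO-T1
 class class-default
  shape average 1544000
  service-policy STUDENT-DATA
!
interface Ethernet0/0
 service-policy output SHAPE-TO-T1
!
! 5. Verify per-class matches, offered rate and drops on both interfaces:
!    show policy-map interface Serial0/0
!    show policy-map interface Ethernet0/0
```

The inbound shaper can only delay or drop packets that have already crossed the T1, so it protects database sessions indirectly, by making the TCP senders of other traffic back off; it cannot stop inbound traffic at the ISP side.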
Posted by Mysticmoose06 on March 28, 2007, 10:04 pm
> To fix this, apply a bandwidth statement and policy-map on your inside
> ethernet interface. Assuming you have only one T1, this would be
> (example):
> interface ethernet 0/0
> bandwidth 1544
> service-policy output student-data

Wow, thanks for the detailed response. I essentially just want to give people bandwidth to the student data when needed and then drop it when not. I'm looking forward to testing this.

Quick question: On our 2611, we have a T-1 card serial 0/0 and an Ethernet. You're saying I have to put the policy map on the Ethernet port? I would assume I have to put it on the serial (i.e. T1)? I'm a little confused on the placement and direction.

Thanks again JC for the help.
Posted by Vincent C Jones on March 29, 2007, 2:56 pm
Mysticmoose06 wrote:
> What I would like to do, is set up a policy that takes say 40% of our
> bandwidth, and when it is required, is allocated to all traffic going
> to our outsourced database ip address.

If this is a T1 link to your ISP, you will probably need the ISP to do the policy routing for you. Unless your traffic patterns are weird for a user community, you'll find that your T1 is only saturated from the ISP to you, and still has lots of outbound capacity. Reserving 40% of your outbound capacity for the database won't help if YouTube only requires 5% of your outbound capacity to generate a T3's worth of inbound traffic.

Good luck and have fun!

--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com