
ingress/egress limiting

reachonenetadm
Level 1

In the context of a small hosting company we have a 7206VXR, a WS-3524-XL switch, and customers connected to access ports on the switch. I'd like to provide customerA on port Fa0/1 1mbpsx1mbps, customerB on port Fa0/2 3mbpsx3mbps etc.

Right now I'm running dot1q vlans over a trunk port from the switch to the router where I am doing basic rate-limit input and rate-limit output. However this doesn't scale well especially when considering redundancy, VRRP etc. So I'm looking to do all the rate limiting on the access switch.

I realize I can do input policing on the access port (upload from the customer perspective) but I'm not sure how to limit the customer's download. Do I need a switch that does egress policing or can I ingress police a vlan, even on the trunk port?

Any ideas are welcome

Chris

7 Replies

Edison Ortiz
Hall of Fame

However this doesn't scale well especially when considering redundancy, VRRP etc.

Can you elaborate?

So I'm looking to do all the rate limiting on the access switch.

Not pretty on a switch, especially on the 3500 Series.

__

Edison.

To elaborate on the scalability, if I have redundant gateways (7206s running VRRP) I'll need to duplicate all the rate-limiting configuration to both routers. If I can place the rate limiting on the switch then all I have to configure is the vlan and IP. Agreed, it is only 2 more lines per VLAN, but I'm trying to keep it as minimal as possible.

If it's a real hassle with the 3500s then I guess keeping it on the 7206 is the way to go. I'm open to any architectural suggestions. Perhaps it's best to get a fast L3 distribution switch and connect each of the 3500s to it.

Perhaps it's best to get a fast L3 distribution switch and connect each of the 3500s to it.

If you want to avoid work duplication (i.e. your 7200VXR design), then that's the best approach.

However, I don't see a big deal on having the exact rate-limiting configuration on both routers.

__

Edison.

Edison, thanks for the rapid replies. For argument's sake, let's say in another case I cannot do per-vlan rate-limiting on a router. Is the 3500 capable of per-vlan rate-limiting on a trunk port? In other words could I limit all of customerA's ports including their vlan on the trunk port to 1mbps in and out, while also limiting all of customerB's ports to 3mbps in and out? If the 3550 can't do it, any idea what can? Thanks again.

-Chris

Please take a moment and read this article on how policing (a.k.a. rate-limiting) is done on the SVI in order to achieve per-vlan policing in the 3560.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_40_se/configuration/guide/swqos.html#wp1685240

HTH,

__

Edison.

Edison,

Thanks again. I see this doc is for the 3560. The correlating doc for the 3750 says it only does ingress policing. I cannot find any mention of SVI QoS on the 3750. I _really_ need a switch that I can hang a bunch of subnets off of, each in a separate VLAN, that I can rate limit traffic into and out of the VLAN and let the switch do the L3 routing. See attached Visio. ANY SUGGESTIONS are welcome... I've been struggling with this for a while...

This link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swqos.html#wp1253412

explains how to configure ingress policing with MQC and egress bandwidth limiting per interface (SRR).

I'm afraid those are the only features available in the box for QoS.

For more extensive QoS, a router would be the best choice here.

__

Edison.
