02-19-2009 02:53 AM - edited 03-06-2019 04:07 AM
Dear Sir,
We have three web servers connected to a 3560 switch and we would like to limit their maximum bandwidth to 30M, 15M and 15M. Is it OK to do the QoS at the uplink port, such as f0/24?
Any sample for reference?
Thanks.
02-19-2009 04:20 AM
Hi Joseph,
You can apply the following configuration to your switchports. I have used gig 17, 18 and 19 as an example. Please remember that you are able to apply policy maps to the inbound direction on 3560 routers.
Hope this helps,
Kerem
class-map match-all SERVER-1
match access-group name SERVER-1
class-map match-all SERVER-2
match access-group name SERVER-2
class-map match-all SERVER-3
match access-group name SERVER-3
policy-map SERVER-1
class SERVER-1
police 30000000 8000 exceed-action drop
policy-map SERVER-2
class SERVER-2
police 15000000 8000 exceed-action drop
policy-map SERVER-3
class SERVER-3
police 15000000 8000 exceed-action drop
ip access-list extended SERVER-1
permit ip any any
ip access-list extended SERVER-2
permit ip any any
ip access-list extended SERVER-3
permit ip any any
!
!
interface GigabitEthernet0/17
service-policy input SERVER-1
!
interface GigabitEthernet0/18
service-policy input SERVER-2
!
interface GigabitEthernet0/19
service-policy input SERVER-3
!
02-19-2009 02:56 AM
Read the below link - all you need to know:-
http://www.cisco.com/univercd/cc/td/doc/solution/esm/qossrnd.pdf
HTH
03-25-2009 09:04 PM
Dear Sir,
I configured the following commands on one 2960 switch.
=====================
interface FastEthernet0/8
description SERVER01
switchport access vlan 80
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input SERVER01
class-map match-all SERVER01
match access-group name SERVER01
policy-map SERVER01
class SERVER01
police 15000000 8000 exceed-action drop
ip access-list extended SERVER01
permit ip any any
============
I expected the speed to be controlled at 15M. However, when I use FTP to upload/download a file to a web site, I found the speed is up to 8000KB/s, which is 64M.
Any ideas why?
Thanks.
03-25-2009 09:35 PM
did you enable "mls qos"?
03-30-2009 08:34 PM
Is there any way to limit the output traffic? 2960 allows input control only.
Thanks.
03-30-2009 10:12 PM
I don't think so.
From command reference, service-policy can only be applied to "input" direction.
03-30-2009 10:35 PM
We have a web server connected to the port. We limit the bandwidth of each individual server so as to prevent an external attack from eating up the entire bandwidth and affecting other servers.
Any work around for this?
Thanks.
03-30-2009 10:47 PM
Say your server is connected to a 3560: you can still apply the ingress service-policy on the 3560 switch's uplink. You can use the sample config posted by Kerem, but using a more specific ACL for each server instead of "permit ip any any".
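The following configuration is an added example, not posted by anyone in this thread, that puts together the pieces the replies above mention: Kerem's class-map/policy-map/police structure, the "mls qos" prerequisite from the 2960 reply, and the suggestion here to police on the uplink with one specific ACL per server. Server addresses (10.80.0.11-13 in VLAN 80), the uplink port (f0/24, as in the original question) and the ACL/class/policy names are all assumed placeholders. Note the direction: a service-policy applied to the uplink in the input direction sees traffic entering the switch from outside and heading toward the servers, so the ACLs match on the destination address; Kerem's access-port configuration polices the opposite flow (traffic sent by the servers).

```cisco
! Added example config (placeholders throughout; not from the thread).
!
! 1. Without this, policy-maps are accepted but not enforced, which is
!    consistent with the 64M seen on the 2960 above.
mls qos
!
! 2. One ACL per server. Ingress on the uplink means traffic is flowing
!    TOWARD the servers, so match the destination host.
ip access-list extended TO-SERVER-1
 permit ip any host 10.80.0.11
ip access-list extended TO-SERVER-2
 permit ip any host 10.80.0.12
ip access-list extended TO-SERVER-3
 permit ip any host 10.80.0.13
!
! 3. Classes bind the ACLs (same pattern as Kerem's post).
class-map match-all TO-SERVER-1
 match access-group name TO-SERVER-1
class-map match-all TO-SERVER-2
 match access-group name TO-SERVER-2
class-map match-all TO-SERVER-3
 match access-group name TO-SERVER-3
!
! 4. A single policy-map holding all three classes, so one service-policy
!    on the uplink covers every server.
!    police <rate in bits/s> <normal burst in bytes> exceed-action drop
!    8000 bytes is the smallest burst the 3560 accepts; a larger burst
!    lets short bursts through but does not raise the long-term average.
policy-map UPLINK-IN
 class TO-SERVER-1
  police 30000000 8000 exceed-action drop
 class TO-SERVER-2
  police 15000000 8000 exceed-action drop
 class TO-SERVER-3
  police 15000000 8000 exceed-action drop
!
! 5. Input is the only direction these switches accept a service-policy,
!    as noted in the thread, so the policer must sit where the unwanted
!    traffic enters: the uplink.
interface FastEthernet0/24
 description UPLINK (assumed)
 service-policy input UPLINK-IN
!
! Verification:
! show mls qos                                         -> confirms "QoS is enabled"
! show mls qos interface FastEthernet0/24 statistics   -> per-policer in/out-of-profile counters
```

Two practical checks follow from this. First, if "show mls qos" reports QoS disabled, every police statement on the box is a no-op regardless of how it is attached. Second, as Joseph points out later in the thread, a policer dropping packets inside the switch only protects the other servers on this switch; the bytes have already crossed the upstream link, so a flood aimed at one server still consumes WAN bandwidth unless it is limited before that link.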
03-30-2009 11:06 PM
Thanks. But I have a concern about the resources needed on the 3560 switch. Any experience with specific IP matching on the 3560 regarding resources?
Thanks.
03-31-2009 03:49 AM
Depending on your model of 3560, "resource" might not be much of an issue. The 24 port gig models, I believe, offer nearly wirespeed to all ports. The 48 port gig models, I also believe, have the capacity to offer about wirespeed to half the ports. Assuming you don't provide 24 gig or so that could be allowed in externally, it should be difficult to impact the 3560's resources. (Do note, there are other types of DoS attacks which might not require much bandwidth, so simple rate limiters offer little protection against those.)
From one of your prior posts, "We limit the bandwidth of individual server so as to prevent external attack from eating up the entire bandwidth and influence other servers.", unless you control the bandwidth before the critical bandwidth-limited link (usually the WAN link), downstream rate limiters or shapers might be totally ineffective, especially if the traffic is non-TCP and/or an intentional DoS.
[edit]
From your post, I suspect the 3560 in question is a 3560-24TS/PS. If it is, it too supports wirespeed for all its ports (6.6 Mpps, 8.8 Gbps).