05-26-2009 09:22 AM - edited 03-04-2019 04:53 AM
I need to throttle all HTTP and HTTPS traffic to 50% of the available bandwidth on a 3MB PVC I am using for internet access. The problem I am having now is that when anyone does a large download, i.e. an update from Microsoft etc., it hogs up just about all available bandwidth. What I would like to do is drop all HTTP and HTTPS traffic when it hits the 50% threshold. I need to have available bandwidth for other applications such as VPN, webmail etc. What is the best practice to make this happen? I have the following policy maps but they don't seem to be working:
policy-map INET_WAN
 class WBST
  set ip dscp af11
 class PORT_80
  police rate percent 50
   exceed-action drop
 class p2p
  drop
 class class-default
  fair-queue
policy-map HTTP_WAN_IN
 class PORT_80
  police rate percent 50
   exceed-action drop
 class p2p
  drop
 class WBST
  set ip dscp af11
INET_WAN is for all outbound traffic and HTTP_WAN_IN is for all inbound traffic on the 3MB ATM PVC subinterface.
Thanks for any help!
05-26-2009 10:42 AM
What's the physical port that's providing the 3 Mbps?
Inbound can be difficult to regulate downstream of the bottleneck. Ideally you would want to control egress on both sides of the 3 Mbps. This isn't possible?
BTW, you mention controlling both HTTP and HTTPS. Since you didn't post the class maps, class PORT_80 is a match-any for both HTTP and HTTPS?
05-26-2009 10:49 AM
The physical interface is an ATM interface, with two sub-interfaces, one for public traffic and the other for private.
And yes, the class maps are set to only HTTP and HTTPS protocols.
This is my sub-interface config:
interface ATM1/0.2 point-to-point
 description PUBLIC
 bandwidth 3000000
 ip address *********************
 ip access-group 120 in
 ip access-group 120 out
 pvc 1/32
  vbr-nrt 3000 3000
  encapsulation aal5snap
  service-policy input HTTP_WAN_IN
  service-policy output INET_WAN
05-26-2009 04:13 PM
What does the show policy-map interface command present for the policer bandwidths?
Have you tried "bandwidth 3000" rather than "bandwidth 3000000"?
05-27-2009 08:55 AM
I made a few changes on the bandwidth statement. Here is the requested show policy-map interface command:
ATM1/0.2: VC 1/32 -
  Service-policy input: HTTP_WAN_IN
    Class-map: PORT_80 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http
      Match: protocol secure-http
      police:
          rate 50 %
          rate 1500000 bps, burst 46875 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: WBST (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 2
      QoS Set
        dscp af11
          Packets marked 0
    Class-map: p2p (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol fasttrack file-transfer "*"
      Match: protocol gnutella file-transfer "*"
      Match: protocol bittorrent
      Match: protocol skype
      Match: protocol kazaa2 file-transfer "*"
      Match: protocol edonkey
      Match: protocol napster
      Match: protocol irc
      Match: protocol winmx
    Class-map: class-default (match-any)
      1490 packets, 441573 bytes
      5 minute offered rate 4000 bps, drop rate 0 bps
      Match: any
  Service-policy output: INET_WAN
    Class-map: WBST (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 2
      QoS Set
        dscp af11
          Packets marked 0
    Class-map: PORT_80 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http
      Match: protocol secure-http
      police:
          rate 50 %
          rate 1500000 bps, burst 46875 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: p2p (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol fasttrack file-transfer "*"
      Match: protocol gnutella file-transfer "*"
      Match: protocol bittorrent
      Match: protocol skype
      Match: protocol kazaa2 file-transfer "*"
      Match: protocol edonkey
      Match: protocol napster
      Match: protocol irc
      Match: protocol winmx
    Class-map: class-default (match-any)
      1502 packets, 286072 bytes
      5 minute offered rate 5000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 128
        (total queued/total drops/no-buffer drops) 0/0/0
05-27-2009 11:48 AM
Your policer bandwidths look good, i.e.:
police:
rate 50 %
rate 1500000 bps
but you're using a match-all when you need to use match-any in some of your class-maps.
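Added example, not part of any post in this thread and not IOS code: a simplified Python model of why a match-all class with two "match protocol" lines shows "0 packets, 0 bytes" while class-default counts everything, and of what the 1500000 bps / 46875 byte policer does once the class is match-any. The function and class names are hypothetical, the traffic is constructed, and it assumes each packet is classified as exactly one protocol.

```python
# Simplified model, not IOS code. Traffic below is constructed sample data.
PORT_80 = ["http", "secure-http"]   # the two "match protocol" lines in the thread

def classify(protocol, matches, mode):
    """A packet carries one classified protocol; test it against every match line."""
    hits = [protocol == m for m in matches]
    return all(hits) if mode == "match-all" else any(hits)

class Policer:
    """Single-rate token bucket: conform -> transmit, exceed -> drop."""
    def __init__(self, rate_bps, burst_bytes):
        self.fill = rate_bps / 8          # refill in bytes per second
        self.burst = self.tokens = burst_bytes
        self.last = 0.0
        self.conformed = self.exceeded = 0

    def offer(self, now, size):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.fill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += size
        else:
            self.exceeded += size

def run(mode, offered_bps=3_000_000, seconds=10, size=1500):
    """Offer alternating HTTP/HTTPS packets at line rate for `seconds`.
    Returns (conformed bytes, exceeded bytes, bytes that fell to class-default)."""
    policer = Policer(1_500_000, 46_875)   # values from the show output
    class_default = 0
    count = offered_bps * seconds // (size * 8)
    for i in range(count):
        protocol = PORT_80[i % 2]
        if classify(protocol, PORT_80, mode):
            policer.offer(i * size * 8 / offered_bps, size)
        else:
            class_default += size          # unpoliced, as in the posted counters
    return policer.conformed, policer.exceeded, class_default

if __name__ == "__main__":
    for mode in ("match-all", "match-any"):
        print(mode, run(mode))
```

The 46875 byte burst is 250 ms of traffic at 1500000 bps, so the conformed rate in the match-any run sits slightly above 1.5 Mbps over a short window.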
05-29-2009 11:26 AM
Also, just as an aside, unless you're using it for something else, you're not going to drop based on DSCP value.
For that to be effective, I believe you have to add "random-detect dscp-based".
Also, as Joseph stated, ingress QoS on a WAN link is, for most applications, pointless. Your ISP has already throttled down the traffic, and it is being delivered to you in an organized fashion anyway (which is somewhat the point of QoS). So unless you really need it, it's pretty much just wasting CPU cycles.
Just my $.02