QOS: policing

Unanswered Question
May 28th, 2009

I'm trying to find a solution for a customer to police backup traffic on a 100MB WAN circuit. The customer only wants to allow backup traffic to use a max of 60% bandwidth ingress/egress on the WAN port (fa5/1).


I cannot use NBAR because port fa5/1 is configured as a trunk port. Please advise.


note: The WAN circuit does not respect QOS markings (DSCP/COS/IP Prec)



### Site A Backup Servers ###

Srv 1: TCP/IP 172.16.38.100 TCP Port 3225

Srv 2: TCP/IP 172.16.35.152 TCP Port 3225


### Site B Backup Servers ###

Srv 1: TCP/IP 172.18.38.100 TCP Port 3225

Srv 2: TCP/IP 172.18.35.125 TCP Port 3225


### Site A 6509 ###


int vlan 35

ip address 172.16.35.1 255.255.255.0


int vlan 38

ip address 172.16.38.1 255.255.255.0


interface Vlan99

description "WAN"

ip address 172.31.1.1 255.255.255.0



interface fa/1

description "100MB WAN Circuit"

switchport

switchport trunk encapsulation dot1q

switchport trunk native vlan 99

switchport trunk allowed vlan 99

switchport mode trunk



ip route 0.0.0.0 0.0.0.0 172.31.1.1



### Site B 6509 ###


int vlan 35

ip address 172.18.35.1 255.255.255.0


int vlan 38

ip address 172.18.38.1 255.255.255.0


interface Vlan99

description "WAN"

ip address 172.31.1.2 255.255.255.0



interface fa/1

description "100MB WAN Circuit"

switchport

switchport trunk encapsulation dot1q

switchport trunk native vlan 99

switchport trunk allowed vlan 99

switchport mode trunk


ip route 0.0.0.0 0.0.0.0 172.31.1.2





John Blakley Thu, 05/28/2009 - 06:22

I would shape the traffic on both ends when destined to your other location.


SiteA:


access-list 101 permit ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255


class-map SHAPE

match access-group 101


policy-map OUTBOUND

class SHAPE

shape average 60000000


int fa/1

service-policy output OUTBOUND



SiteB:


access-list 101 permit ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255


class-map SHAPE

match access-group 101


policy-map OUTBOUND

class SHAPE

shape average 60000000


int fa/1

service-policy output OUTBOUND



This is *ALL IN THEORY*. I've never done this over a backup route or in a switch. I do have two sites that I'm running this same type of configuration between two sites, and it works great. (Both sites have 20MB circuits, but I'm shaping back to 3MB for just this one site.) I don't know how this is a backup link, and I can only assume that you have two separate circuits coming in. If you're tracking one interface (without a policy), and that interface goes down, your traffic should go out the backup link (policy applied). If you have two routes in your routing table for the same destination though, it's going to load balance, and your traffic will be affected that's going out the backup link.


HTH,

John

colmgrier Thu, 05/28/2009 - 07:50

Thanks John for the excellent advice.


The customer only has a 100MB circuit going to each site. The backup traffic is data being backed up to a SAN in site B.

nate-miller Mon, 06/01/2009 - 13:45

What device is this? The 6500/7600 don't support traffic shaping on ethernet ports- only on FlexWAN modules.



Shaping is better than policing, because a policer will just drop packets, a shaper will try to at least be polite and buffer things a bit.


If you've got a full dedicated 100Mb port between sites, the carrier shouldn't have to be QoS aware- you can police at your egress.


Thinking about this makes me realize that there's issues with the COS based queue-mappings I've been using, and the fact that scavenger is COS1 and "bulk data" is recommended to be AF11. AF11 is going to suffer considerably from the small buffers and no queue-ratios that it gets by being associated with the Scavenger COS. Hmmm.


At the edges where your backup servers are, I'd mark their traffic to a specific DSCP value.

At the WAN link, give that DSCP value about 60% of that interface via a policer.


That'd be the first approach I can think of.
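
The policer-versus-shaper difference described in the post above, as an added simulation that is not part of the original post and does not model any particular Cisco platform. The 60 Mb/s rate comes from the thread; the 1 ms tick, 1500-byte packets, 15,000-byte burst, queue depths and traffic trace are constructed assumptions.

```python
from collections import deque

RATE_BPS = 60_000_000                     # 60% of the 100 Mb circuit (from the thread)
PKT = 1500                                # bytes per packet (assumed)
TOKENS_PER_TICK = RATE_BPS // 8 // 1000   # bytes of credit per 1 ms tick = 7500

def police(arrivals, burst_bytes):
    """Token-bucket policer: a packet without enough tokens is dropped at once."""
    tokens, sent, dropped = burst_bytes, 0, 0
    for pkts in arrivals:
        tokens = min(burst_bytes, tokens + TOKENS_PER_TICK)
        for _ in range(pkts):
            if tokens >= PKT:
                tokens -= PKT
                sent += 1
            else:
                dropped += 1
    return sent, dropped

def shape(arrivals, burst_bytes, queue_limit):
    """Shaper: same bucket, but excess packets wait in a FIFO (tail drop when full)."""
    tokens, queue = burst_bytes, deque()
    sent = dropped = worst_wait = tick = 0
    while tick < len(arrivals) or queue:
        tokens = min(burst_bytes, tokens + TOKENS_PER_TICK)
        for _ in range(arrivals[tick] if tick < len(arrivals) else 0):
            if len(queue) < queue_limit:
                queue.append(tick)        # remember the arrival tick
            else:
                dropped += 1
        while queue and tokens >= PKT:
            tokens -= PKT
            worst_wait = max(worst_wait, tick - queue.popleft())
            sent += 1
        tick += 1
    return sent, dropped, worst_wait

# Constructed trace: 20 ms of backup traffic at 8 packets/ms (96 Mb/s), then 20 ms idle.
# The 40 ms average is 48 Mb/s, which is under the 60 Mb/s limit.
TRACE = [8] * 20 + [0] * 20

if __name__ == "__main__":
    print("policer (sent, dropped):", police(TRACE, 15_000))
    print("shaper  (sent, dropped, worst wait ms):", shape(TRACE, 15_000, 64))
    print("shaper, 16-packet queue:", shape(TRACE, 15_000, 16))
```

On this trace the policer discards about a third of the burst even though the average rate is under the limit, while the shaper delivers everything at the cost of queueing delay, and only as long as its buffer is deep enough.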

Joseph W. Doherty Tue, 06/02/2009 - 04:14

The particulars for the 6500s depend on what's installed. In general, most "LAN" type Ethernet interfaces might only restrict bandwidth via some policer.


The problem with restricting bandwidth, for something like backups, it doesn't allow such traffic to use additional bandwidth that might otherwise be available. Second, assuming it's "low" priority, when it's at its permitted max, you might want to have some of that bandwidth for more important traffic.


What you might consider is using different queues for backup and other traffic, then adjust the ratios such that non-backup traffic is seldom delayed by backup traffic regardless of its bandwidth demand.


NB: such queuing can only be done for egress, but if you control both sides, one side's ingress is the other's egress.
