Rate-limiting virtual servers

Unanswered Question
Dec 15th, 2009

I have a number of virtual servers which reside on a physical host. This host connects to the network via a trunk port carrying a number of VLANs. I would like to limit outbound bandwidth from the virtual servers to 100Mbps per virtual server (effectively per IP address). What is the best way to achieve this? The physical host connects to a 2960G switch which uplinks to a pair of C6509s. Ideally, I'd like to do this within the vendor's virtual switch, but the functionality isn't quite there yet, therefore I require a solution which operates outside of the physical host.



sachinraja Tue, 12/15/2009 - 12:15


How many virtual servers do you have on the physical port? Is it really necessary to do rate-limiting? Does it affect performance without rate-limiting? 2960's support input policing with the use of "service-policy" commands with policy maps and class maps.. you can define ACLs matching the input servers' IP address and associate it with the class maps...

ip access-list extended ACL_VIRTUAL
 permit ip host <vm-ip-address> any
!
class-map match-all VIRTUAL_SERVERS
 match access-group name ACL_VIRTUAL
!
policy-map VIRTUAL
 class VIRTUAL_SERVERS
  police 10000000 .....
!
interface g0/2
 service-policy input VIRTUAL

the only question is, I'm not sure if too many of such policies can use more CPU cycles.. I can find that and let you know..

Hope this helps.. all the best..


mmelbourne Wed, 12/16/2009 - 06:54

The number of VMs per physical host could be variable, plus the fact that the VMs could be moved/migrated onto different physical hosts. To police on a per-IP address basis, we'd have to define a class-map for each VM (matching only one IP address), which might work, but scalability could be an issue for large numbers of VMs. Another thought is to utilise something like user-based rate-limiting (per-user microflow policing) in the PFC3 on the upstream 6509.

sachinraja Wed, 12/16/2009 - 07:09


Isn't the microflow policing also based on the source IP address? The class-map should basically point to an access-list which would need to have the IP address of the VMs? Will it not take the same kind of resource?

I think it's more to do with the design of VMs to make sure the VMs don't hog up the switchport, and to allocate applications on VMs based on usage level! It's tough to restrict traffic especially with many VMs on site, and as you said scalability would be a major issue.


mmelbourne Wed, 12/16/2009 - 07:20

To police on a per-IP address basis, I'd expect to have to define many classes (one for each VM) which, for potentially hundreds of VMs could be a scalability issue:

ip access-list extended ACL_VIRTUAL_1
 permit ip host <vm1-ip-address> any
!
ip access-list extended ACL_VIRTUAL_2
 permit ip host <vm2-ip-address> any
!
... etc

class-map match-all VIRTUAL_SERVER_1
 match access-group name ACL_VIRTUAL_1
!
class-map match-all VIRTUAL_SERVER_2
 match access-group name ACL_VIRTUAL_2
!
... etc

policy-map VIRTUAL
 class VIRTUAL_SERVER_1
  police 10000000 .....
 class VIRTUAL_SERVER_2
  police 10000000 .....
 ... etc
!
interface g0/2
 service-policy input VIRTUAL

With microflow policing, I believe I can define a range of IPs and use a src-only based flow mask to police on a per-flow (per-source) basis. Although, I'm not sure of the additional load this would place on the CPU for a large number of flows.

I agree entirely with the sentiment that this is better achieved with the virtual switch within the Hypervisor, but this functionality is not quite there yet.
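The per-VM approach sketched in the post above grows by one ACL, one class-map and one police statement per VM. The script below is an added example (not the thread's own configuration, and not a Cisco tool) that generates that configuration from an inventory list, so the number of classes can be counted rather than estimated. It assumes the Catalyst 2960 `police <rate-bps> <burst-bytes> exceed-action drop` form and that `mls qos` is enabled globally; the VM addresses, the interface name and the burst value are constructed sample values.

```python
# Added example: emit the per-VM ACL / class-map / policy-map configuration for an
# arbitrary list of VM source addresses. Not from the original thread.
# Assumptions: Catalyst 2960 'police <bps> <burst-bytes> exceed-action drop' syntax;
# 'mls qos' must be enabled globally for the policy to take effect. Interface name
# and addresses are constructed sample values.
import ipaddress
from typing import Iterable


def build_per_vm_policy(vm_ips: Iterable[str], rate_bps: int, burst_bytes: int,
                        interface: str = "GigabitEthernet0/2",
                        policy_name: str = "VIRTUAL") -> str:
    """Return IOS configuration text that polices each VM source address separately.

    Duplicate addresses are collapsed and malformed ones raise ValueError before
    any configuration is produced, so a bad inventory entry never reaches the switch.
    """
    hosts = []
    for raw in vm_ips:
        addr = ipaddress.ip_address(raw.strip())   # ValueError on malformed input
        if addr.version != 4:
            raise ValueError(f"only IPv4 hosts are handled here: {raw}")
        if addr not in hosts:
            hosts.append(addr)
    if not hosts:
        raise ValueError("no VM addresses supplied")

    lines = ["mls qos", "!"]                 # global QoS is required for policing
    for i, addr in enumerate(hosts, 1):      # one ACL per VM source address
        lines += [f"ip access-list extended ACL_VIRTUAL_{i}",
                  f" permit ip host {addr} any", "!"]
    for i in range(1, len(hosts) + 1):       # one class per ACL
        lines += [f"class-map match-all VIRTUAL_SERVER_{i}",
                  f" match access-group name ACL_VIRTUAL_{i}", "!"]
    lines.append(f"policy-map {policy_name}")
    for i in range(1, len(hosts) + 1):       # same rate and burst for every class
        lines += [f" class VIRTUAL_SERVER_{i}",
                  f"  police {rate_bps} {burst_bytes} exceed-action drop"]
    lines += ["!", f"interface {interface}",
              f" service-policy input {policy_name}", "!"]
    return "\n".join(lines)


def count_classes(config: str) -> int:
    """Number of class-map definitions; this grows linearly with the VM count."""
    return sum(1 for line in config.splitlines() if line.startswith("class-map "))


if __name__ == "__main__":
    # Constructed sample inventory; note the duplicate entry, which is collapsed.
    sample_vms = ["10.0.0.11", "10.0.0.12", "10.0.0.11", "10.0.0.13"]
    cfg = build_per_vm_policy(sample_vms, rate_bps=100_000_000, burst_bytes=16000)
    print(cfg)
    print(f"! {count_classes(cfg)} class-maps for {len(set(sample_vms))} VMs")
```

The count returned by `count_classes` is the figure to compare against whatever class-map and TCAM limits the target platform documents; the generator itself does not know those limits.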

sachinraja Wed, 12/16/2009 - 07:31

Yes.. that makes sense.. you can have policy-maps with:

police flow mask src-only 1000000 32000 conform-act transmit exceed-act drop

to police traffic based on each flow.. with this the bandwidth limitation will be constant for all flows, and cannot be variable (eg 1 MB for app1 , 10 MB for app 2 etc)..

if you have a testbed, try this there or put it on a production switch which isn't mission critical.. but anyways it should work good...

All the best..
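To make the behaviour of `police flow mask src-only 1000000 32000 conform-act transmit exceed-act drop` concrete, here is an added Python model (not Cisco code and not the thread's own) of a per-source token-bucket policer: each source address gets its own bucket whose depth is the burst in bytes, refilled at the configured bit rate, with conforming packets transmitted and excess dropped. The model assumes a single-rate, single-bucket policer with integer millisecond timestamps; the real PFC3 implementation may differ in detail. The packet trace is constructed, and it shows the point made above: every source is held to the same rate.

```python
# Added example: per-source token-bucket model of microflow policing
# ('police flow mask src-only <bps> <burst-bytes> conform-act transmit exceed-act drop').
# Not from the original thread; assumes a single-rate, single-bucket policer.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict


@dataclass
class Bucket:
    tokens: int      # bytes currently available to this source
    last_ms: int     # time of the last refill, in milliseconds


class MicroflowPolicer:
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bytes_per_sec = rate_bps // 8
        self.burst = burst_bytes
        self.buckets: Dict[str, Bucket] = {}
        self.stats = defaultdict(lambda: {"transmit": 0, "drop": 0})

    def offer(self, src_ip: str, size_bytes: int, t_ms: int) -> str:
        """Police one packet; returns 'transmit' (conform) or 'drop' (exceed)."""
        b = self.buckets.get(src_ip)
        if b is None:                       # first packet from this source: full bucket
            b = Bucket(tokens=self.burst, last_ms=t_ms)
            self.buckets[src_ip] = b
        elapsed = max(0, t_ms - b.last_ms)  # integer refill, no float drift
        b.tokens = min(self.burst, b.tokens + elapsed * self.rate_bytes_per_sec // 1000)
        b.last_ms = max(b.last_ms, t_ms)
        if size_bytes <= b.tokens:
            b.tokens -= size_bytes
            action = "transmit"
        else:
            action = "drop"                 # exceed-action drop: tokens untouched
        self.stats[src_ip][action] += 1
        return action


def run_sample() -> dict:
    """Constructed trace: 1 Mbps rate, 32 kB burst, 1000-byte packets."""
    policer = MicroflowPolicer(rate_bps=1_000_000, burst_bytes=32_000)
    packets = ([("10.0.0.11", 1000, 0)] * 40      # VM1 bursts 40 kB at t=0
               + [("10.0.0.12", 1000, 0)] * 10    # VM2 sends 10 kB at t=0
               + [("10.0.0.11", 1000, 100)] * 20) # VM1 sends 20 kB more 100 ms later
    for src, size, t in packets:
        policer.offer(src, size, t)
    return {src: dict(counts) for src, counts in policer.stats.items()}


if __name__ == "__main__":
    for src, counts in run_sample().items():
        print(src, counts)
```

In the trace, VM1's first 32 packets fit the burst and the next 8 are dropped; 100 ms later only 12,500 bytes have been refilled at 125,000 bytes/s, so 12 more pass and 8 are dropped. VM2's bucket is independent, so its 10 packets are unaffected by VM1's burst, which is exactly the per-source isolation the thread is after.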


mmelbourne Wed, 12/16/2009 - 08:46

Policing based on source IP address is the requirement here (although I could conceivably define different class-maps matching different extended ACLs to identify applications). However, I have just discovered that src-based microflow policing and NDE are mutually exclusive, due to a conflicting TCAM flow mask requirement.

sachinraja Wed, 12/16/2009 - 11:55

I would still feel you have to do this outside of your Cisco switch... anyways, with the features available that we discussed, you can try doing this.. thanks for the post... you can close it, if you feel you have got your answer..



