Rate-limiting virtual servers

Dec 15th, 2009
I have a number of virtual servers which reside on a physical host. This host connects to the network via a trunk port carrying a number of VLANs. I would like to limit outbound bandwidth from the virtual servers to 100Mbps per virtual server (effectively per IP address). What is the best way to achieve this? The physical host connects to a 2960G switch which uplinks to a pair of C6509s. Ideally, I'd like to do this within the vendor's virtual switch, but the functionality isn't quite there yet; therefore I require a solution which operates outside of the physical host.


Cheers,


Matt

sachinraja Tue, 12/15/2009 - 12:15

Hi


How many virtual servers do you have on the physical port? Is it really necessary to do rate-limiting? Does it affect performance without rate-limiting? 2960s support input policing with the use of "service-policy" commands with policy maps and class maps.. you can define ACLs matching the input servers' IP addresses and associate them with the class maps...


ip access-list extended ACL_VIRTUAL
 permit ip host 192.168.1.1 any

class-map match-all VIRTUAL_SERVERS
 match access-group name ACL_VIRTUAL

policy-map VIRTUAL
 class VIRTUAL_SERVERS
  police 10000000 .....

interface g0/2
 service-policy input VIRTUAL


The only question is, I'm not sure if too many such policies can use more CPU cycles.. I can find that out and let you know..


Hope this helps.. all the best..


Raj

mmelbourne Wed, 12/16/2009 - 06:54

The number of VMs per physical host could be variable, plus the fact that the VMs could be moved/migrated onto different physical hosts. To police on a per-IP address basis, we'd have to define a class-map for each VM (matching only one IP address), which might work, but scalability could be an issue for large numbers of VMs. Another thought is to utilise something like user-based rate-limiting (per-user microflow policing) in the PFC3 on the upstream 6509.

sachinraja Wed, 12/16/2009 - 07:09
Hi


Isn't the microflow policing also based on the source IP address? The class-map should basically point to an access-list which would need to have the IP addresses of the VMs? Will it not take the same kind of resources?


I think it's more to do with the design of VMs to make sure the VMs don't hog up the switchport, and to allocate applications on VMs based on usage level! It's tough to restrict traffic, especially with many VMs on site, and as you said scalability would be a major issue.


Raj

mmelbourne Wed, 12/16/2009 - 07:20

To police on a per-IP address basis, I'd expect to have to define many classes (one for each VM) which, for potentially hundreds of VMs, could be a scalability issue:


ip access-list extended ACL_VIRTUAL_1
 permit ip host 192.168.1.1 any

ip access-list extended ACL_VIRTUAL_2
 permit ip host 192.168.1.2 any

... etc

class-map match-all VIRTUAL_SERVER_1
 match access-group name ACL_VIRTUAL_1

class-map match-all VIRTUAL_SERVER_2
 match access-group name ACL_VIRTUAL_2

... etc

policy-map VIRTUAL
 class VIRTUAL_SERVER_1
  police 10000000 .....
 class VIRTUAL_SERVER_2
  police 10000000 .....
 ... etc

interface g0/2
 service-policy input VIRTUAL


With microflow policing, I believe I can define a range of IPs and use a src-only based flow mask to police on a per-flow (per-source) basis. Although, I'm not sure of the additional load this would place on the CPU for a large number of flows.


I agree entirely with the sentiment that this is better achieved with the virtual switch within the hypervisor, but this functionality is not quite there yet.

sachinraja Wed, 12/16/2009 - 07:31

Yes.. that makes sense.. you can have policy-maps with:


police flow mask src-only 1000000 32000 conform-action transmit exceed-action drop


to police traffic based on each flow.. with this the bandwidth limitation will be constant for all flows, and cannot be variable (e.g. 1 MB for app1, 10 MB for app2, etc.)..


If you have a testbed, try this there, or put it on a production switch which isn't mission critical.. but anyway it should work well...


All the best..


Raj
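As an added example (not from the thread and not Cisco's implementation), here is a small Python model of what the `police flow mask src-only` command above does: each distinct source IP gets its own single-rate token bucket with the same rate (bits/s) and burst depth (bytes), so one VM's burst is dropped without touching a neighbour's traffic, while the limit is identical for every flow, as Raj notes. The 1000000/32000 values are the ones quoted in the post; the packet trace is constructed, and treating the PFC policer as a plain single-rate token bucket is a simplifying assumption.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Single-rate policer: CIR in bits/s, bucket depth in bytes (the IOS 'normal burst')."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_ts: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def offer(self, ts, size_bytes):
        # Refill at rate_bps/8 bytes per elapsed second, never above the burst depth.
        self.tokens = min(self.burst_bytes, self.tokens + (ts - self.last_ts) * self.rate_bps / 8)
        self.last_ts = ts
        if size_bytes <= self.tokens:           # conform-action transmit
            self.tokens -= size_bytes
            return "transmit"
        return "drop"                           # exceed-action drop


class SrcOnlyMicroflowPolicer:
    """Model of 'police flow mask src-only': one bucket per source IP, same rate for every flow."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps, self.burst_bytes = rate_bps, burst_bytes
        self.flows = {}                         # src_ip -> TokenBucket (stands in for the per-flow entry)

    def police(self, ts, src_ip, size_bytes):
        bucket = self.flows.get(src_ip)
        if bucket is None:
            bucket = self.flows[src_ip] = TokenBucket(self.rate_bps, self.burst_bytes)
        return bucket.offer(ts, size_bytes)


def run_trace(policer, packets):
    """packets: iterable of (timestamp_s, src_ip, size_bytes); returns per-source transmit/drop counts."""
    counts = defaultdict(lambda: {"transmit": 0, "drop": 0})
    for ts, src, size in packets:
        counts[src][policer.police(ts, src, size)] += 1
    return {src: dict(c) for src, c in counts.items()}


def demo():
    # Constructed trace: VM 192.168.1.1 bursts 40 x 1500 B at t=0 and 10 more a second later;
    # VM 192.168.1.2 sends a modest 10 x 1500 B at t=0 and is unaffected by its neighbour's burst.
    trace = ([(0.0, "192.168.1.1", 1500)] * 40 + [(0.0, "192.168.1.2", 1500)] * 10
             + [(1.0, "192.168.1.1", 1500)] * 10)
    return run_trace(SrcOnlyMicroflowPolicer(rate_bps=1_000_000, burst_bytes=32000), trace)
```

With a 32000-byte burst, 21 full-size frames of the first VM conform at t=0 and the remaining 19 are dropped; after one second the bucket is full again and the second burst passes, while the second VM loses nothing.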

mmelbourne Wed, 12/16/2009 - 08:46

Policing based on source IP address is the requirement here (although I could conceivably define different class-maps matching different extended ACLs to identify applications). However, I have just discovered that src-based microflow policing and NDE are mutually exclusive, due to a conflicting TCAM flow mask requirement.

sachinraja Wed, 12/16/2009 - 11:55

I would still feel you have to do this outside of your Cisco switch... anyway, with the features available that we discussed, you can try doing this.. thanks for the post... you can close it if you feel you have got your answer..


Thanks


Raj
