12-15-2009 03:08 AM - edited 03-06-2019 08:57 AM
I have a number of virtual servers which reside on a physical host. This host connects to the network via a trunk port carrying a number of VLANs. I would like to limit outbound bandwidth from the virtual servers to 100Mbps per virtual server (effectively per IP address). What is the best way to achieve this? The physical host connects to a 2960G switch which uplinks to a pair of C6509s. Ideally, I'd like to do this within the vendor's virtual switch, but the functionality isn't quite there yet, therefore I require a solution which operates outside of the physical host.
Cheers,
Matt
12-15-2009 12:15 PM
Hi
How many virtual servers do you have on the physical port? Is it really necessary to do rate-limiting? Does it affect performance without rate-limiting? 2960s support input policing with the use of "service-policy" commands with policy maps and class maps. You can define ACLs matching the input servers' IP addresses and associate them with the class maps:
! QoS has to be enabled globally on the 2960 before class-maps,
! policy-maps and service-policy commands take effect
mls qos
ip access-list extended ACL_VIRTUAL
 permit ip host 192.168.1.1 any
class-map match-all VIRTUAL_SERVERS
 match access-group name ACL_VIRTUAL
policy-map VIRTUAL
 class VIRTUAL_SERVERS
  police 10000000 .....
interface g0/2
 ! the IOS command is "service-policy" (hyphenated); policing on this
 ! platform is ingress only
 service-policy input VIRTUAL
The only question is, I'm not sure if too many such policies use more CPU cycles. I can find that out and let you know.
Hope this helps. All the best.
Raj
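As an added example (not from Raj's or Matt's posts), here is the 2960 configuration above carried through to a complete, applyable form for one VM at the 100 Mbps target the question asks for. The 192.168.1.1 address and Gi0/2 port are taken from the reply; the class/ACL names, the 1,000,000-byte burst and the exact rate/burst limits are assumptions to be checked against your IOS release.

```ios
! Added example: complete per-VM ingress policer on a Catalyst 2960.
! Assumptions: VM source 192.168.1.1 on Gi0/2, 100 Mb/s target,
! 1,000,000-byte burst (platform burst range is release-specific).
!
! Without "mls qos" the policy below is accepted but never enforced.
mls qos
!
! One ACL and one class per VM source address.
ip access-list extended ACL_VM_192_168_1_1
 permit ip host 192.168.1.1 any
!
class-map match-all VM_192_168_1_1
 match access-group name ACL_VM_192_168_1_1
!
! Average rate in bits per second, burst in bytes, drop on exceed.
! Traffic that matches no class falls into class-default and is
! forwarded unpoliced, so a VM missing from the ACL set is not limited.
policy-map VM_POLICE
 class VM_192_168_1_1
  police 100000000 1000000 exceed-action drop
!
! Policing is ingress only on this platform: the host's trunk port is
! where the VM's outbound traffic enters the switch, so attach it there.
interface GigabitEthernet0/2
 service-policy input VM_POLICE
!
! Verification from exec mode (counter detail varies by release):
! show policy-map interface GigabitEthernet0/2
! show mls qos interface GigabitEthernet0/2 statistics
```

Two practitioner checks before putting this on a live port. First, turning on `mls qos` changes more than policing: with QoS enabled the port is untrusted by default and incoming CoS/DSCP values are rewritten to 0, so if the trunk carries marked traffic you need an explicit `mls qos trust dscp` (or `trust cos`) on the interface. Second, the per-port policer count is a hardware limit, which is the real scalability constraint for the "one class per VM" design discussed later in the thread; confirm the limit on your platform before planning for hundreds of classes.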
12-16-2009 06:54 AM
The number of VMs per physical host could be variable, plus the fact that the VMs could be moved/migrated onto different physical hosts. To police on a per-IP-address basis, we'd have to define a class-map for each VM (matching only one IP address), which might work, but scalability could be an issue for large numbers of VMs. Another thought is to utilise something like user-based rate-limiting (per-user microflow policing) in the PFC3 on the upstream 6509.
12-16-2009 07:09 AM
Hi
Isn't the microflow policing also based on the source IP address? The class-map should basically point to an access-list which would need to have the IP addresses of the VMs? Will it not take the same kind of resource?
I think it's more to do with the design of VMs, to make sure the VMs don't hog the switchport, and to allocate applications on VMs based on usage level! It's tough to restrict traffic, especially with many VMs on site, and as you said, scalability would be a major issue.
Raj
12-16-2009 07:20 AM
To police on a per-IP-address basis, I'd expect to have to define many classes (one for each VM) which, for potentially hundreds of VMs, could be a scalability issue:
! global QoS enable is required on the 2960 for any of this to apply
mls qos
ip access-list extended ACL_VIRTUAL_1
 permit ip host 192.168.1.1 any
ip access-list extended ACL_VIRTUAL_2
 permit ip host 192.168.1.2 any
... etc
class-map match-all VIRTUAL_SERVER_1
 match access-group name ACL_VIRTUAL_1
class-map match-all VIRTUAL_SERVER_2
 match access-group name ACL_VIRTUAL_2
... etc
! class names in the policy-map must match the class-map names above
policy-map VIRTUAL
 class VIRTUAL_SERVER_1
  police 10000000 .....
 class VIRTUAL_SERVER_2
  police 10000000 .....
... etc
interface g0/2
 service-policy input VIRTUAL
With microflow policing, I believe I can define a range of IPs and use a src-only based flow mask to police on a per-flow (per-source) basis. Although, I'm not sure of the additional load this would place on the CPU for a large number of flows.
I agree entirely with the sentiment that this is better achieved with the virtual switch within the hypervisor, but this functionality is not quite there yet.
12-16-2009 07:31 AM
Yes, that makes sense. You can have policy-maps with:
police flow mask src-only 1000000 32000 conform-action transmit exceed-action drop
to police traffic based on each flow. With this, the bandwidth limitation will be constant for all flows, and cannot be variable (e.g. 1 MB for app1, 10 MB for app2, etc.).
If you have a testbed, try this there, or put it on a production switch which isn't mission critical. But anyway, it should work well.
All the best.
Raj
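The microflow-policing approach from the last two posts, written out as an added example (not code from either poster) for a 6500 with a PFC3. The point it shows is that a single class covering the whole VM range is enough: the `flow mask src-only` clause makes the hardware instantiate one policer per source address, so VMs can be added or migrated without touching the policy. The 192.168.1.0/24 range, VLAN 10, the uplink interface name, the class/policy names and the burst value are all assumptions.

```ios
! Added example: user-based rate limiting (src-only microflow policing)
! on a Catalyst 6500/PFC3. Assumptions: VMs live in 192.168.1.0/24 on
! VLAN 10, the 2960G uplinks on Gi1/1, 100 Mb/s per source, 1,000,000
! byte burst. Verify syntax and limits against your IOS release.
mls qos
!
! Match the whole VM range; the flow mask, not the ACL, splits it into
! per-source policers, so no per-VM ACL or class is needed.
ip access-list extended ACL_VM_RANGE
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map match-all VM_RANGE
 match access-group name ACL_VM_RANGE
!
! One microflow policer per source IP. The rate is the same for every
! source; per-application rates would need separate classes.
policy-map VM_UBRL
 class VM_RANGE
  police flow mask src-only 100000000 1000000 conform-action transmit exceed-action drop
!
! Apply the policy per VLAN. Microflow policers act on routed traffic
! by default; "mls qos bridged" extends them to traffic bridged within
! the VLAN, which is where VM-to-VM traffic on the same subnet lands.
interface Vlan10
 mls qos bridged
 service-policy input VM_UBRL
!
! The trunk from the access switch must use VLAN-based QoS for the
! SVI policy to be consulted for its ingress traffic.
interface GigabitEthernet1/1
 description Uplink from 2960G
 mls qos vlan-based
!
! Checks from exec mode:
! show mls qos                      (confirms QoS is on and policy attached)
! show policy-map interface Vlan10  (policer hit counters)
! show mls netflow flowmask         (current flow mask in use)
```

The last check matters for the conflict Matt raises in the next post: the src-only flow mask this policer needs is a switch-wide TCAM setting, so look at the flow mask already in use for NetFlow before applying the policy rather than discovering the clash on a production 6509.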
12-16-2009 08:46 AM
Policing based on source IP address is the requirement here (although I could conceivably define different class-maps matching different extended ACLs to identify applications). However, I have just discovered that src-based microflow policing and NDE are mutually exclusive, due to a conflicting TCAM flow mask requirement.
12-16-2009 11:55 AM
I would still feel you have to do this outside of your Cisco switch. Anyway, with the features available that we discussed, you can try doing this. Thanks for the post. You can close it if you feel you have got your answer.
Thanks
Raj