
Control plane or QoS

John Blakley
VIP Alumni

All,

If a router is totally maxed out on the outside interface, I'm able to telnet but the cli is choppy at times. Is creating a control-plane policy the best way to handle incoming telnet traffic? I've never done one of these before....

Thanks,

John

HTH, John *** Please rate all useful posts ***

kevin.hu
Level 3

Hey John,

In this situation (happened all the time to me in the past), you need to use CBWFQ to create a class called Mgt Class, and then assign telnet, SSH, NTP, etc. to that class so that any management traffic can be protected during periods of high bandwidth utilization.

Most of the transit traffic is CEF switched so there should not be any high CPU utilization.

Thanks Kevin. Where would you apply this? I can't apply it as inbound because it won't let me do it when I'm matching on an acl....

Thanks,

HTH, John *** Please rate all useful posts ***

Okay, so here's what I did that seemed to work.

I created an inbound service policy that marked telnet traffic to dscp af31.

I applied that to s0/0/0

Then I created an outbound service policy that matched on af31 and gave it 2% of bandwidth.

I applied this outbound to fa0/0

Seemed to speed up things quite a bit....

Thanks,

John

HTH, John *** Please rate all useful posts ***

Yup, you got it!

Unfortunately, I think it was just coincidental that the packages that were being pushed were paused. I'm back to square one now that they're starting to use the bandwidth again. Any other suggestions?

HTH, John *** Please rate all useful posts ***

John,

You can only police input traffic and not queue input traffic. Here are the commands you should use.

class-map match-any mgt
 match protocol telnet

policy-map ingress-wan
 class mgt
  police cir percent 5

interface Serial1/0
 service-policy input ingress-wan

Kevin,

I'm still getting very choppy response. Here's what I have:

class-map match-all MANAGEMENT
match access-group 123

Extended IP access list 123
    10 permit tcp any any eq telnet (2703 matches)

policy-map S_INBOUND
class MANAGEMENT
   police cir 256000
     conform-action transmit
     exceed-action transmit

Service-policy input: S_INBOUND

    Class-map: MANAGEMENT (match-all)
      2588 packets, 170169 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
      police:
          cir 256000 bps, bc 8000 bytes
        conformed 1042 packets, 47346 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      287636 packets, 269795265 bytes
      5 minute offered rate 1319000 bps, drop rate 0 bps
      Match: any

It's matching, but it's not doing anything. I've also tried 5 and 10%. It's not "unusable" so to speak, just choppy and I would think that it would speed up even if the bandwidth is used up.

Thanks,

John

HTH, John *** Please rate all useful posts ***
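
A check for the kind of output shown in the last post, as an added example that is not part of the thread or of any Cisco tooling: it parses `show policy-map interface` text and lists the classes whose policer uses transmit for every action, meaning the policer only counts packets and never drops or re-marks them. The sample text is constructed on the model of the output above, and the function names are hypothetical.

```python
import re

# Constructed sample, modeled on the "show policy-map interface" output in the thread.
SAMPLE = """\
Service-policy input: S_INBOUND

    Class-map: MANAGEMENT (match-all)
      2588 packets, 170169 bytes
      Match: access-group 123
      police:
          cir 256000 bps, bc 8000 bytes
        conformed 1042 packets, 47346 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit

    Class-map: class-default (match-any)
      287636 packets, 269795265 bytes
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
BUCKET_RE = re.compile(r"^\s*(conformed|exceeded|violated)\s+(\d+)\s+packets.*actions:")


def parse_policers(text):
    """Return {class_name: {bucket: {"packets": int, "action": str}}} for policed classes."""
    result, current, bucket = {}, None, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current, bucket = m.group(1), None  # new class: forget the open bucket
            continue
        m = BUCKET_RE.match(line)
        if m and current:
            bucket = result.setdefault(current, {}).setdefault(
                m.group(1), {"packets": int(m.group(2)), "action": None})
            continue
        if bucket is not None and bucket["action"] is None and line.strip():
            bucket["action"] = line.strip()  # first non-blank line after "actions:"
    return result


def passthrough_policers(text):
    """Classes whose policer transmits in every bucket, so it only counts packets."""
    return sorted(name for name, buckets in parse_policers(text).items()
                  if all(b["action"] == "transmit" for b in buckets.values()))
```

Calling `passthrough_policers(SAMPLE)` returns `['MANAGEMENT']`; a class appears in the result only when none of its policer actions is a drop or a set action.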