ASR9000/XR - QoS - Limit overall amount of bandwidth per IP

Andy Erickson
Level 4

We have a few thousand broadband customers in our network with various speed packages. The highest speed package is 500Mbps.

I'm trying to create an ingress QoS policy that I can apply on my interface facing my upstream providers that will put a bandwidth cap PER IP ADDRESS of 500Mbps.

I don't want to limit the overall interface to 500Mbps.

Goal of this is to protect my links deeper in my network from getting overrun in the event of a DDoS attack.

Now I know this is not going to protect or mitigate any DDoS attack (like the vDDoS solution with the VSM and Arbor Networks), as budgets are not allowing me to go down that road at this time.

Any ideas on what a QoS policy would look like?

I can limit the overall interface, but struggling with how to limit an interface on a PER IP basis because I want to utilize as much of the 10GE port as possible (under normal conditions).

Simple diagram below.

Look forward to any ideas on this!

-ae

+----------------+            
|  INTERNET      |            
|  PROVIDER      |            
+-------+--------+            
        |                     
        |                     
        +---------------+10 GE
        |                     
+-------+--------+            
|   BGP EDGE     |            
|   ASR 9000     |            
+---+---+---+----+            
    |   |   |                 
    |   |   |                 
    |   |   |                 
    |   |   |                 
+---+---+---+----+            
|   BROADBAND    |            
|   CUSTOMERS    |            
+----------------+            

 

1 Reply

I think "Flow aware QoS" is the feature you are looking for:

 

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-1/qos/configuration/guide/b_qos_cg51xasr/b_qos_cg51xasr_chapter_01010.html

 

Florian