
Qos- I want to apply limit on FTP traffic

shafi0211
Level 1

I want to apply QoS on FTP traffic on a Cisco 6500. FTP traffic should use only 512 kbps of bandwidth. Please, can anyone suggest how I should establish this? Any study document will be welcome.

Thanks in advance


Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You could use an ingress policy-map to identify FTP traffic and police it at 512 Kbps.

One nice feature of the 6500s, they support microflow policers, so you can police individual flows.  (Very convenient on a trunk or VLAN interface.)

I want to limit FTP traffic to 512 kbps and other traffic to 8 Mb/s. How do I match other traffic? I can create an ACL for FTP traffic, but for the others?

thanks

Hello

You haven't specified if this is to be applied for a specific VLAN or interface?

Below is an example of both:

    access-list 100 permit tcp any any eq ftp
    access-list 100 permit tcp any any eq ftp-data
    !
    class-map match-all FTP
     match access-group 100
     ! or, instead of the ACL match:
     ! match protocol ftp
    !
    policy-map Police
     class FTP
      police 512000 conform-action transmit exceed-action drop
     class class-default
      police 8000000 conform-action transmit exceed-action drop
    !
    interface xx
     service-policy input Police

LAN/Trunks - nested policy

    class-map Traffic
     match input-interface x/x
    !
    policy-map Traffic_pm
     class Traffic
      police 8000000 conform-action transmit exceed-action drop
    !
    access-list 100 permit tcp any any eq ftp
    access-list 100 permit tcp any any eq ftp-data
    !
    class-map FTP
     match access-group 100
     ! or, instead of the ACL match:
     ! match protocol ftp
    !
    policy-map Police
     class FTP
      police 512000 conform-action transmit exceed-action drop
      service-policy Traffic_pm
    !
    interface vlan xxx
     service-policy input Police
    !
    ! trunk interfaces
    interface xxx
     mls qos vlan-based

res

Paul


Hi Paul,

Thanks a lot for your reply. Your configuration is really perfect. My scenario is as above. I have an FTP server on the Ubuntu 2 PC 192.168.2.1/29, and the Windows 2012-2 PC 10.10.12.1/29 has the FTP client. So the Windows PC's FTP client uploads and downloads files from the Ubuntu FTP server. This traffic should be 512 kbps, so I want to apply QoS for FTP and other traffic.

Please suggest where I should apply QoS. Do I need to apply VLAN-based QoS or interface-based QoS? I think it should be VLAN-based.

Thanks,

Joseph W. Doherty
Hall of Fame
Posting

You could apply the policy on the host interfaces, or you could apply to the VLAN interface for those hosts.  If you apply to the VLAN interface, policing will apply to all traffic on the VLAN, and if you don't use the "flow" option, it would also limit the aggregate of all ports to your policed values.

BTW, IMO, a better approach to policing is traffic prioritization.  Instead of limiting something like FTP traffic to 512 Kbps all the time, you can (sort of) guarantee it 512 Kbps when there's congestion, but when there's not congestion allow it to have additional bandwidth.

Hi Joseph,

Thanks for your reply. Then please suggest how I should implement your idea, so that whenever there is no congestion, it can use the remaining bandwidth?

Thanks

Posting

How would depend very much on the QoS features of the device.  Even 6500 QoS features depend on line cards.

Most, but not all, Cisco switches support 4 egress queues, to which you can provide different bandwidth allocations. Such allocations usually provide a minimum, but more bandwidth might be used if it's otherwise not being used.

For example, you might define four queues, where one is a priority queue for real-time traffic; one is a foreground queue with a large bandwidth allocation (not that such traffic should be bandwidth intensive, but to ensure high priority for dequeuing); one is a background queue with minimum bandwidth allocation (often where you might want to direct FTP); and the last is a middle allocation for everything else, i.e. your default.

Also on switches, traffic is often placed into a particular egress queue based on L2 CoS or L3 ToS.  So, what this means, you'll want to mark your FTP traffic differently than your other traffic, perhaps with CoS 1 or DSCP CS1 or AF1x.

Cisco has some great guides on how to configure QoS for their different platforms although their 11 class model is often overly complex.

shafi0211
Level 1

Hi,

It is not matching FTP traffic. It is taking the class-default police, not the FTP class.

Also, my Cisco 6503 is not taking the match protocol ftp line, so I am using match access-group 100.

I am using FileZilla FTP server.

Thanks,

I am matching port 20 and 21 for ftp.

Hi,

I have solved my problem. I changed the ACL to match ftp traffic.

access-list 101 permit tcp any any eq 21  
access-list 101 permit tcp any eq 20 any


Above ACL will match traffic.

Thanks,


Posting

Also, my cisco 6503 is not taking  match protocol ftp line. so i am using match access-group 100.

Yes, match protocol isn't generally found on Cisco's L3 switches.  What you did with the ACLs is the correct approach.
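
An added example (not code from the thread or from Cisco): a small Python evaluator for ACL 100 and ACL 101 as posted above, run over constructed FTP segments to show which directions each ACL would put in class FTP. The high port numbers are arbitrary sample values, and the evaluator handles only the `permit tcp any [eq P] any [eq P]` form used in this thread.

```python
import re
from collections import namedtuple

# Constructed TCP segments (ports only); the high port numbers are arbitrary samples.
Pkt = namedtuple("Pkt", "desc sport dport")
FLOWS = [
    Pkt("control, client->server", 50000, 21),
    Pkt("control, server->client", 21, 50000),
    Pkt("active data, server->client", 20, 50001),
    Pkt("active data, client->server", 50001, 20),
    Pkt("passive data, client->server", 50002, 50100),
]
ACL_100 = ["access-list 100 permit tcp any any eq ftp",
           "access-list 100 permit tcp any any eq ftp-data"]
ACL_101 = ["access-list 101 permit tcp any any eq 21",
           "access-list 101 permit tcp any eq 20 any"]
NAMED_PORTS = {"ftp": 21, "ftp-data": 20}
ACE_RE = re.compile(r"access-list \d+ permit tcp any(?: eq (\S+))? any(?: eq (\S+))?")

def parse_ace(line):
    """Return (src_port, dst_port) for one entry; None means 'any port'."""
    m = ACE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    def port(tok):
        if tok is None:
            return None
        return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)
    return port(m.group(1)), port(m.group(2))

def acl_matches(acl, pkt):
    """True if any permit entry matches; otherwise implicit deny (class-default)."""
    for sport, dport in map(parse_ace, acl):
        if sport in (None, pkt.sport) and dport in (None, pkt.dport):
            return True
    return False

def classified_as_ftp(acl):
    """Descriptions of the sample flows that would land in class FTP."""
    return [p.desc for p in FLOWS if acl_matches(acl, p)]

if __name__ == "__main__":
    for name, acl in (("ACL 100", ACL_100), ("ACL 101", ACL_101)):
        print(name, "->", classified_as_ftp(acl))
```

Neither ACL matches passive-mode data, which uses neither port 20 nor 21, so that traffic is policed by class-default. Because the service-policy is applied inbound, only the directions that arrive on the interface carrying the policy are candidates for a match.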
