Wednesday, November 9, 2011

notes: Policing

 

- Traffic policing drops (or re-marks) traffic in excess of the target rate, enforcing a maximum bandwidth threshold.
- To accomplish this, a system of credits (tokens) is used.
- Before a packet can be sent, credits equal to the packet's size in bytes must have been earned, like wages.
- Policing differs from shaping in what happens when the credits run out: a shaper queues the packet until enough credits accrue, whereas a policer acts on it immediately. Legacy CAR additionally lets the router borrow against future credits (the excess burst) and then "pay" them back, i.e. run a debt.
- Policing can be applied to input or output traffic.
- Limits the rate of traffic on the interface.
- Policing is not a queueing mechanism: traffic is not buffered for later transmission, it is either dropped, re-marked or sent.

Legacy "Rate-Limit" – CAR

- Single-rate policer: one rate (CIR) with two burst sizes, normal burst (Bc) and excess burst (Be), and two actions, conform and exceed.
- The legacy CAR statement supports the continue feature to have nested rate-limits (statements are evaluated in the order configured).
- Similar to traffic shaping, changing the burst size determines how often the rate is enforced over the second (Tc = Bc / CIR).
- NOTE that rate-limit Bc/Be are in BYTES, unlike shaping where Bc/Be are in bits.
- NOTE the excess burst is only in effect when the configured Be is greater than the configured Bc.
  Example: with Bc=1000 and Be=1000 there will be no excess burst.

Formula (the Tc is typically 1 second):

Bc (bytes) = CIR (bps) / 8 * Tc (seconds)

Cisco's documented starting point for CAR is Bc = CIR/8 * 1.5 and Be = 2 * Bc; the 128k and 192k examples below use exactly those values.

Command:

rate-limit {input | output} [access-group [rate-limit] acl-index] {CIR (bps)} {Bc (bytes)} {Be (bytes)} conform-action {OPTIONS} exceed-action {OPTIONS}

OPTIONS
continue - Scans other rate limits.
drop - Drops the packet.
set-dscp-continue - Sets the DSCP and scans other rate limits.
set-dscp-transmit - Sets the DSCP and sends it.
set-prec-continue - Rewrites packet precedence, scans other rate limits.
set-prec-transmit - Rewrites packet precedence and sends it.
set-qos-continue - Sets QOS-group and scans other rate limits.
set-qos-transmit - Sets QOS-group and sends it.
transmit - Transmits the packet.

- Shows input/output packet and byte counters

sh interface {int} rate-limit

- Example of how to mark ALL input traffic with DSCP-12
- This statement DOES NOT police any traffic, only MARKS
- [8000 8000 8000] are arbitrary values and hold no meaning here, because conforming traffic gets marked with DSCP 12 and so does exceeding traffic

interface s0/0
rate-limit input 8000 8000 8000 conform-action set-dscp-transmit 12 exceed-action set-dscp-transmit 12

- Example of how to limit traffic matching ACL 123 to 128k and then hand conforming packets on to the next statement (Bc = 128000/8 * 1.5 = 24000 bytes, Be = 2 * Bc)

rate-limit output access-group 123 128000 24000 48000 conform-action continue exceed-action drop

- Example of a "line-rate" statement, limiting the TOTAL output to 192k (Bc = 192000/8 * 1.5 = 36000 bytes, Be = 2 * Bc)

rate-limit output 192000 36000 72000 conform-action transmit exceed-action drop

- Statements are evaluated top-down and the first non-continue action ends processing, so the ACL 123 statement (conform-action continue) must be configured before the aggregate statement; the other way round, ACL 123 traffic would be transmitted by the aggregate statement and never reach the 128k limit.

example:

■ Police all traffic on the interface at 496 kbps; but before sending this traffic on its way….
■ Police all web traffic at 400 kbps.
■ Police all FTP traffic at 160 kbps.
■ Police all VoIP traffic at 200 kbps.
■ Choose Bc and Be so that Bc has 1 second’s worth of traffic, and Be provides no additional burst capability over Bc.

! ACL 101 matches all HTTP traffic
! ACL 102 matches all FTP traffic
! ACL 103 matches all VoIP traffic
interface s0/0
rate-limit input 496000 62000 62000 conform-action continue exceed-action drop
rate-limit input access-group 101 400000 50000 50000 conform-action transmit exceed-action drop
rate-limit input access-group 102 160000 20000 20000 conform-action transmit exceed-action drop
rate-limit input access-group 103 200000 25000 25000 conform-action transmit exceed-action drop

Under interface s0/0, four rate-limit commands are used. The first sets the rate for all input traffic, dropping traffic that exceeds 496 kbps; Bc = 496000/8 = 62000 bytes gives one second's worth of traffic, and Be = Bc gives no additional burst. However, the conform action is "continue". This means that packets conforming to this statement are compared with the following rate-limit statements, and when one matches, its action is taken. For instance, web traffic matches the second rate-limit command, with a resulting action of either transmit or drop. VoIP traffic is compared with the remaining three rate-limit commands before matching the last one. Packets that match none of the later statements are transmitted. As a result, all traffic is limited to 496 kbps, and three particular subsets of traffic are prevented from taking all the bandwidth. CB Policing can achieve the same effect of policing subsets of traffic by using nested (hierarchical) policy maps.

MQC Policing

- Uses a single-rate or dual-rate policer with two or three colours (conform / exceed / violate), and does not support the continue feature.
- Uses a token bucket that is refilled on packet arrival: tokens (bytes) added = (time since the previous packet * CIR) / 8. A packet conforms if the Bc bucket holds at least the packet's size in bytes; otherwise it exceeds (or, with a third colour, may violate).
- The burst value determines how often, per second, the rate is enforced (Tc = Bc / CIR):
     - With a smaller burst value, the router polices more often (shorter interval, less burst tolerated).
     - With a larger burst value, the router polices less often (longer interval, more burst tolerated).
- The Bc/Be are also configured in bytes.


Note that although MQC police can be applied inbound/outbound on an interface, when queueing is configured in the same policy-map, it can only be applied outbound.

CB Policing categorizes packets into two or three categories, depending on the style of policing, and then applies one of these actions to each category of packet. The categories are conforming packets, exceeding packets, and violating packets. The CB Policing logic that dictates when packets are placed into a particular category varies based on the type of policing.

Formulas (default burst values, in bytes)
> Single-rate, two-colour (no violate-action):  Bc = CIR/32, Be = 0
> Single-rate, three-colour (violate-action):   Bc = CIR/32, Be = Bc
> Dual-rate, three-colour (PIR configured):     Bc = CIR/32, Be = PIR/32
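As an added illustration of the token-bucket logic and default bursts above (this is my own Python model, not IOS code and not part of the original notes), the following runs one constructed packet trace through each of the three policer styles, using the same units as the police command (CIR/PIR in bits per second, Bc/Be in bytes). The Bucket and Policer classes, the TRACE arrival times and the 64k/128k rates are all assumptions made for the example.

```python
"""Token-bucket model of the three MQC (CB) policer styles.

Added example for these notes, not IOS code: it reproduces the
conform/exceed/violate decisions of a single-rate two-colour,
single-rate three-colour and dual-rate three-colour policer over a
constructed packet trace. Units match the `police` command: CIR/PIR in
bits per second, Bc/Be in bytes.
"""

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"


class Bucket:
    """A token bucket holding up to `depth` bytes; starts full."""

    def __init__(self, depth):
        self.depth = depth
        self.tokens = float(depth)

    def add(self, n):
        """Add n bytes of tokens; return the overflow that did not fit."""
        fit = min(self.depth - self.tokens, n)
        self.tokens += fit
        return n - fit

    def has(self, n):
        return self.tokens >= n

    def spend(self, n):
        self.tokens -= n


class Policer:
    """cir/pir in bits per second, bc/be in bytes, as in `police cir ... bc ... pir ... be ...`."""

    def __init__(self, cir, bc=None, be=None, pir=None, three_colour=False):
        self.cir, self.pir = cir, pir
        self.three_colour = three_colour or pir is not None
        # Defaults from the notes: Bc = CIR/32; Be = Bc (single-rate, three colour)
        # or PIR/32 (dual-rate); a two-colour policer has no Be bucket at all.
        self.bc = bc if bc is not None else cir // 32
        if pir is not None:
            self.be = be if be is not None else pir // 32
        else:
            self.be = be if be is not None else (self.bc if three_colour else 0)
        self.c_bucket = Bucket(self.bc)
        self.e_bucket = Bucket(self.be) if self.three_colour else None
        self.last_t = 0.0

    def _refill(self, now):
        # Tokens are replenished on packet arrival in proportion to elapsed time.
        elapsed = now - self.last_t
        self.last_t = now
        overflow = self.c_bucket.add(self.cir / 8.0 * elapsed)
        if self.pir is not None:
            self.e_bucket.add(self.pir / 8.0 * elapsed)   # dual-rate: Be refilled at PIR
        elif self.e_bucket is not None:
            self.e_bucket.add(overflow)                    # single-rate: Bc overflow spills into Be

    def classify(self, now, size):
        """Return the colour of a `size`-byte packet arriving at time `now` (seconds)."""
        self._refill(now)
        if self.pir is not None:                           # dual-rate, RFC 2698 order
            if not self.e_bucket.has(size):
                return VIOLATE
            if not self.c_bucket.has(size):
                self.e_bucket.spend(size)
                return EXCEED
            self.c_bucket.spend(size)
            self.e_bucket.spend(size)
            return CONFORM
        if self.c_bucket.has(size):                        # single-rate styles
            self.c_bucket.spend(size)
            return CONFORM
        if self.e_bucket is not None and self.e_bucket.has(size):
            self.e_bucket.spend(size)
            return EXCEED
        return VIOLATE if self.three_colour else EXCEED


# Constructed trace: (arrival time in seconds, size in bytes). A five-packet
# burst at 1 ms spacing, then a packet after a 100 ms pause, then one after 1 s.
TRACE = [(0.000, 1000), (0.001, 1000), (0.002, 1000), (0.003, 1000),
         (0.004, 1000), (0.104, 1000), (1.104, 1000)]


def run(policer, trace=TRACE):
    return [policer.classify(t, size) for t, size in trace]


def demo():
    """Same trace through all three styles; CIR 64 kbps = 8000 bytes/s, default Bc = 2000 bytes."""
    return {
        "single-rate two-colour": run(Policer(cir=64000)),
        "single-rate three-colour": run(Policer(cir=64000, three_colour=True)),
        "dual-rate three-colour": run(Policer(cir=64000, pir=128000)),
    }


if __name__ == "__main__":
    for style, verdicts in demo().items():
        print(f"{style:26s} " + " ".join(v[0].upper() for v in verdicts))
```

With a 2000-byte Bc, only the first two 1000-byte packets of the burst conform in every style; the difference shows up on the packet after the 100 ms pause. The single-rate three-colour policer's Be bucket is refilled only from Bc overflow, so it is still empty and that packet violates, whereas the dual-rate policer's Be bucket refills at PIR independently of Bc and the same packet merely exceeds. After the 1 s pause all buckets are full again and the last packet conforms everywhere.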


OPTIONS
drop - Drops the packet.
set-discard-class-transmit - Sets the discard-class and sends it.
set-dscp-transmit - Sets the DSCP and sends it.
set-frde-transmit - Sets the FR DE and sends it.
set-mpls-exp-imposition-transmit - Sets the exp-bits at tag imposition and sends it.
set-mpls-exp-topmost-transmit - Sets exp-bits on topmost label and sends it.
set-prec-transmit - Rewrites the packet precedence and sends it.
set-qos-transmit - Sets the QOS-group and sends it.
transmit - Transmits the packet.

policy-map POLICE
 class SMTP
  police cir 384000 bc 72000 be 144000
   conform-action {OPTIONS}
   exceed-action {OPTIONS}
   violate-action {OPTIONS}

- CIR is in bits per second; Bc/Be are in bytes (not bytes per second)
- Configuring a violate-action turns this into a single-rate, three-colour policer

police bps burst-normal burst-max conform-action action exceed-action action
[violate-action action]

dual-rate:

police {cir cir} [bc conform-burst] {pir pir} [be peak-burst] [conform-action action [exceed-action action [violate-action action]]]

COPP (Control Plane Policing)

- The COPP feature allows users to configure a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DOS) attacks.
- In this way, the control plane can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
- Ensure that layer 3 control packets have priority over other packet types that are destined for the control plane.

- The following types of layer 3 packets are forwarded to the control plane:
1.  Routing protocol CP (control packets).
2.  Packets destined for the local IP address of the router.
3.  Packets from management protocols (such as SNMP, Telnet, and SSH).
- Aggregate control plane services provide control plane policing for all CP packets that are received from all line-card interfaces on the router.
- Distributed control plane services provide control plane policing for all CP packets that are received from the interfaces on a line card.

 

- Control-plane traffic is classified into different categories of traffic:

1.  Control-plane host sub-interface
     - Is traffic which is directly destined for one of the routers interfaces.
     Examples of control-plane host IP traffic include tunnel termination traffic, management traffic such as SSH and SNMP, and routing protocols such as BGP, OSPF and EIGRP.
    - All host traffic terminates on and is processed by the router.

2.  Control-plane transit sub-interface
     - Is traffic which is software switched by the route processor, thus packets not directly destined to the router itself but rather traffic traversing through the router.
    - Non terminating tunnels handled by the router are an example of this type of control-plane traffic.

3.  Control-plane CEF-exception sub-interface
   - Is traffic that is either redirected as a result of a configured input feature in the CEF packet forwarding path for process switching, or directly enqueued in the control-plane input queue by the interface driver.
    - Examples are ARP, L2 keepalives, and all non-IP host traffic.

Example:

access-list 140 permit tcp host 10.1.1.1 any eq 23 - Matches telnet from trusted host 10.1.1.1
access-list 140 permit tcp host 10.1.1.2 any eq 23 - Matches telnet from trusted host 10.1.1.2
!
class-map telnet-class
 match access-group 140
!
policy-map control-plane-in
 class telnet-class
  police 80000 conform-action transmit exceed-action drop
- Polices telnet from the two trusted hosts to 80 kbps and drops the excess; everything else falls into class-default, which is left unpoliced here
- To exempt the trusted hosts and police everyone else instead, deny them in ACL 140 and add "permit tcp any any eq 23" so only untrusted telnet is matched
!
control-plane
 service-policy input control-plane-in
- Defines the aggregate control plane service for the active RP, applied to packets received by the control plane

- Displays information about the all control plane policies

sh policy-map control-plane all

- Enters control-plane configuration mode
- [host] Applies policies to host control-plane traffic, optional
- [transit] Applies policies to transit control-plane traffic
- [cef-exception] Applies policies to CEF-exception control-plane traffic
- [slot slot-number] Attaches a QoS policy to the specified slot (distributed control plane services)

control-plane [host | transit | cef-exception | slot slot-number]

- Attaches a QoS service policy to the control plane
-{input} Applies to packets received on the control plane
-{output} Applies to packets transmitted from the control plane

service-policy {input|output} {p-name}
