Solved

Traffic Policing on 3750 Switch

Posted on 2013-06-06
1,331 Views
Last Modified: 2013-06-18
All,

We have a Cisco 3750 switch and an ASA. The ASA has 100Mbps bandwidth from ISP and it has two ports connected to the switch (inside and outside). 100 users are behind this ASA to access internet. What we want to achieve is to throttle the download rate for these 100 users to 70Mbps and retain the rest of the 30Mbps for other services.

Ideally I should do the traffic shaping/policing on the switch for the outside interface in the outbound direction. But according to a Cisco article, the 3750 series only allows traffic shaping/policing on inbound traffic, not outbound. My question is:

If I do the traffic shaping/policing on the switch for the inside interface in the ingress direction, will it also work?

Literally it shouldn't work, because it only restricts the rate between the users (LAN) and the ASA inside interface. However, does the TCP protocol know how to adjust the rate to avoid too many packets being dropped before traffic reaches the inside interface, so that the rate between the ISP and the ASA outside interface is also shaped? It's something related to TCP congestion theory, I think. Has anyone ever tested this in your environment, or do you have other suggestions?

My configs:

! Catalyst 3750: QoS is off by default and the policer is not enforced
! until it is enabled globally (not shown in the original post)
mls qos
!
access-list 101 permit ip any any
!
class-map match-any RSP_ASA_Class
 match access-group 101
!
policy-map RSP_ASA
 class RSP_ASA_Class
  ! 70 Mbps CIR with a 1,000,000-byte burst; out-of-profile packets are dropped
  police 70000000 1000000 exceed-action drop
!
interface GigabitEthernet2/0/11
 description ASA-INSIDE
 service-policy input RSP_ASA
!
reference:

https://supportforums.cisco.com/message/132778#132778
https://supportforums.cisco.com/thread/2037175
Question by:rsp_it
4 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39227339
I'm not quite understanding where other services that you're reserving 30% of the bandwidth for are located, so it's a bit difficult to completely wrap my head around it.

If the other services are serviced by a DMZ interface on the ASA, I suggest you look into doing the shaping on the firewall itself rather than on the switch.

policy-map PM-Shape
 class class-default
  shape average 70000000 875000
service-policy PM-Shape interface inside

If the other services are sharing the same LAN as the 100 users you're policing, then inbound policing on the switch interface makes sense too, but you'll want your ACL to cover only the 100 users that you want to limit.

Policing will drop packets as they exceed the limit, but the TCP protocol will handle those losses by reducing the session's window and transmitting again.

Author Comment

by:rsp_it
ID: 39227741
Hi jodylemoine,

Thanks for your quick response. The other services are reserved for a router but are sharing the same LAN as the 100 users.

So you are saying the policy won't throttle the outbound traffic as expected but the TCP protocol would. Rather than dropping the packets, TCP protocol will 'queue' the packets and transmit later which will cost more CPU/memory resources. Am I understanding you correctly?

Is this a normal way that we do traffic throttling?

Thank you
 
LVL 22

Accepted Solution

by:Jody Lemoine (earned 500 total points)
ID: 39227761
The policy will throttle the traffic by dropping packets that violate it. TCP is designed to account for packet loss though, so it will retransmit. The combination effectively limits speeds when shaping isn't an option. It's standard practice when dealing with incoming traffic.

Shaping is better than policing, but can only be done outbound. It gives the device the option of queuing packets rather than just dropping them like policing does. The ASA can do it, but not selectively.

It doesn't look like shaping is going to be an option here, so falling back on policing and relying on TCP's retransmission mechanism will work well.
 

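A worked model of the policer-versus-shaper distinction in the accepted answer, added here as an example and not code from the thread or from Cisco: it replays one constructed 100 Mbps packet stream through a token-bucket policer set up like the 3750 line `police 70000000 1000000 exceed-action drop` and through a 70 Mbps shaper, reporting drops for the first and queueing delay for the second. The function names, the 1500-byte packet size and the offered rates are assumptions.

```python
# Added example (not from the thread): a single-rate token-bucket policer,
# modelled on the 3750 line `police 70000000 1000000 exceed-action drop`,
# beside a shaper at the same rate, both run over one constructed packet stream.
# Once the burst credit is spent the policer drops 3 of every 10 packets of a
# 100 Mbps offered load; the shaper drops nothing but builds a queue instead.

RATE_BPS = 70_000_000      # CIR from the thread's police/shape commands
BURST_BYTES = 1_000_000    # normal burst from the police command (bytes)
PKT_BYTES = 1500           # constructed: fixed-size packets

def offered_packets(seconds, offered_bps, size=PKT_BYTES):
    """Constructed arrival times (s) for a constant-rate packet stream."""
    n = int(seconds * offered_bps / (size * 8))
    gap = size * 8 / offered_bps
    return [i * gap for i in range(n)]

def police(arrivals, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES, size=PKT_BYTES):
    """Policer: tokens refill at rate_bps and the bucket holds burst_bytes.
    A packet that finds enough tokens is forwarded, otherwise it is dropped
    (exceed-action drop). Returns (sent, dropped)."""
    tokens, last, sent, dropped = float(burst_bytes), 0.0, 0, 0
    for t in arrivals:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if tokens >= size:
            tokens -= size
            sent += 1
        else:
            dropped += 1
    return sent, dropped

def shape(arrivals, rate_bps=RATE_BPS, size=PKT_BYTES):
    """Shaper: never drops; a packet waits until the shaped link is free, so
    departures never exceed rate_bps. Returns (sent, max_delay_s, backlog_bytes)."""
    service = size * 8 / rate_bps   # seconds the shaped link needs per packet
    next_free, max_delay = 0.0, 0.0
    for t in arrivals:
        depart = max(t, next_free)
        max_delay = max(max_delay, depart - t)
        next_free = depart + service
    # buffer that must hold the packets waiting out max_delay at the shaped rate
    return len(arrivals), max_delay, int(max_delay * rate_bps / 8)

if __name__ == "__main__":
    stream = offered_packets(1.0, 100_000_000)   # 100 Mbps offered for 1 s
    sent, dropped = police(stream)
    print(f"policer: {sent} sent, {dropped} dropped ({dropped / len(stream):.0%})")
    n, delay, backlog = shape(stream)
    print(f"shaper: {n} sent, 0 dropped, max delay {delay * 1000:.0f} ms, "
          f"buffer ~{backlog / 1e6:.1f} MB")
```

The policer lets the first megabyte of burst through untouched and then drops about 30% of the excess, which is the loss TCP answers by shrinking its window; the shaper needs a buffer of several megabytes to hold what it delays, which is why it is only practical where a device can queue outbound.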
Author Closing Comment

by:rsp_it
ID: 39255474
Thanks for your help
