Solved

Traffic Policing on 3750 Switch

Posted on 2013-06-06
Last Modified: 2013-06-18
All,

We have a Cisco 3750 switch and an ASA. The ASA has 100Mbps of bandwidth from the ISP and it has two ports connected to the switch (inside and outside). 100 users are behind this ASA to access the internet. What we want to achieve is to throttle the download rate for these 100 users to 70Mbps and retain the remaining 30Mbps for other services.

Ideally I should do the traffic shaping/policing on the switch for the outside interface in the outbound direction. But according to a Cisco article, the 3750 series only allows traffic shaping/policing on inbound traffic, not outbound. My question is:

If I do the traffic shaping/policing on the switch for the inside interface in the ingress direction, will it also work?

Literally it shouldn't work because it only restricts the rate between the users (LAN) and the ASA inside interface. However, does the TCP protocol know how to adjust the rate to avoid too many packets being dropped before it goes to the inside interface? So can the rate between the ISP and the ASA outside interface also be shaped? It's something related to TCP congestion theory, I think. Has anyone ever tested this in your environment, or do you have other suggestions?

My configs:

access-list 101 permit ip any any

class-map match-any RSP_ASA_Class
match access-group 101
 
policy-map RSP_ASA
 class RSP_ASA_Class
  police 70000000 1000000 exceed-action drop
 
 
interface GigabitEthernet2/0/11
 description ASA-INSIDE
 service-policy input RSP_ASA
 
reference:

https://supportforums.cisco.com/message/132778#132778
https://supportforums.cisco.com/thread/2037175
Question by:rsp_it
4 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39227339
I'm not quite understanding where other services that you're reserving 30% of the bandwidth for are located, so it's a bit difficult to completely wrap my head around it.

If the other services are serviced by a DMZ interface on the ASA, I suggest you look into doing the shaping on the firewall itself rather than on the switch.

policy-map PM-Shape
 class class-default
  shape average 70000000 875000
service-policy PM-Shape interface inside

If the other services are sharing the same LAN as the 100 users you're policing, then inbound policing on the switch interface makes sense too, but you'll want your ACL to cover only the 100 users that you want to limit.

Policing will drop packets as they exceed the limit, but the TCP protocol will handle those losses by reducing the session's window and transmitting again.
 

Author Comment

by:rsp_it
ID: 39227741
Hi jodylemoine,

Thanks for your quick response. The other services are reserved for a router but are sharing the same LAN as the 100 users.

So you are saying the policy won't throttle the outbound traffic as expected but the TCP protocol would. Rather than dropping the packets, TCP protocol will 'queue' the packets and transmit later which will cost more CPU/memory resources. Am I understanding you correctly?

Is this a normal way that we do traffic throttling?

Thank you
 
LVL 22

Accepted Solution

by:Jody Lemoine (earned 500 total points)
ID: 39227761
The policy will throttle the traffic by dropping packets that violate it. TCP is designed to account for packet loss though, so it will retransmit. The combination effectively limits speeds when shaping isn't an option. It's standard practice when dealing with incoming traffic.

Shaping is better than policing, but can only be done outbound. It gives the device the option of queuing packets rather than just dropping them like policing does. The ASA can do it, but not selectively.

It doesn't look like shaping is going to be an option here, so falling back on policing and relying on TCP's retransmission mechanism will work well.
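Added example, not part of this thread: a small Python model of what the accepted answer describes. The first function applies a token-bucket policer with the parameters from the asker's config (CIR 70,000,000 bit/s, normal burst 1,000,000 bytes, exceed-action drop) to a sender that blasts at the full 100 Mbps link rate, so you can see the burst allowance being consumed and then the steady 70 Mbps pass rate with the rest dropped. The second function is a crude TCP-like AIMD sender (halve the rate on any loss in an RTT, otherwise add 1 Mbps per RTT; the 50 ms RTT, 1500-byte packets and step size are assumptions) driven through the same policer, showing the sender settling into a sawtooth below the policed rate rather than losing a fixed 30% forever. None of this is Cisco code or the switch's actual ASIC algorithm; it is an idealised single-rate token bucket.

```python
"""Token-bucket policer model for `police 70000000 1000000 exceed-action drop`
plus a TCP-like AIMD sender reacting to its drops.

Constructed example. Traffic pattern, RTT and AIMD parameters are assumptions,
not measurements from the asker's network.
"""

CIR_BPS = 70_000_000      # committed rate from the `police` line (bits/s)
BURST_BYTES = 1_000_000   # normal burst size from the `police` line (bytes)
PKT_BYTES = 1500          # assumed MTU-sized frames


class Policer:
    """Single-rate token bucket: tokens are bytes, refilled at CIR, capped at the burst."""

    def __init__(self, cir_bps=CIR_BPS, burst_bytes=BURST_BYTES):
        self.cir_bps = cir_bps
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_t = 0.0

    def conform(self, t, size):
        """True if a packet of `size` bytes arriving at time `t` (seconds) conforms."""
        refill = (t - self.last_t) * self.cir_bps / 8
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # exceed-action drop: packet discarded, no tokens consumed


def police_constant_stream(rate_bps=100_000_000, duration_s=1.0):
    """Send back-to-back packets at a fixed rate through the policer.

    Returns packet counts and the bytes that got through. At 100 Mbps for 1 s
    with the config above: 8333 sent, 6499 passed, 1834 dropped. The passed
    bytes minus the 1 MB burst allowance work out to just under 70 Mbps.
    """
    p = Policer()
    interval = PKT_BYTES * 8 / rate_bps
    n = int(duration_s / interval)
    passed = sum(1 for i in range(n) if p.conform(i * interval, PKT_BYTES))
    return {"sent": n, "passed": passed, "dropped": n - passed,
            "passed_bytes": passed * PKT_BYTES}


def aimd_sender(duration_s=60.0, rtt_s=0.05, start_bps=100_000_000,
                step_bps=1_000_000):
    """Crude TCP-like sender (assumed behaviour, not a full congestion-control model).

    Each RTT it sends at its current rate; if the policer dropped anything in that
    RTT it halves the rate, otherwise it adds step_bps. Returns the average offered
    and delivered rates in bit/s over the run.
    """
    p = Policer()
    rate = start_bps
    t = 0.0
    offered_bytes = delivered_bytes = 0
    while t < duration_s:
        pkts = max(1, int(rate * rtt_s / 8 / PKT_BYTES))
        spacing = rtt_s / pkts
        lost = False
        for i in range(pkts):
            offered_bytes += PKT_BYTES
            if p.conform(t + i * spacing, PKT_BYTES):
                delivered_bytes += PKT_BYTES
            else:
                lost = True
        rate = rate / 2 if lost else rate + step_bps   # multiplicative decrease / additive increase
        t += rtt_s
    return {"offered_bps": offered_bytes * 8 / duration_s,
            "delivered_bps": delivered_bytes * 8 / duration_s}


if __name__ == "__main__":
    c = police_constant_stream()
    print("constant 100 Mbps stream:", c)
    print("steady-state rate after burst: %.2f Mbps"
          % ((c["passed_bytes"] - BURST_BYTES) * 8 / 1e6))
    a = aimd_sender()
    print("AIMD sender: offered %.1f Mbps, delivered %.1f Mbps"
          % (a["offered_bps"] / 1e6, a["delivered_bps"] / 1e6))
```

The delivered rate in the AIMD run stays under the policed 70 Mbps plus a little burst credit, while the sender's offered rate oscillates around it instead of sitting at 100 Mbps. That is the mechanism the accepted answer relies on: the policer on the inside-interface ingress drops what exceeds the bucket, and the TCP senders on the far side of the ASA back off in response, so the download rate across the outside link ends up close to the configured CIR even though the policy is applied one hop away. Note the model's limits: a burst of 1 MB is enough to let a few hundred full-size packets through before the first drop, and UDP traffic gets no such feedback, so it is simply clipped.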
 

Author Closing Comment

by:rsp_it
ID: 39255474
Thanks for your help