Solved

Traffic Policing on 3750 Switch

Posted on 2013-06-06
1,297 Views
Last Modified: 2013-06-18
All,

We have a Cisco 3750 switch and an ASA. The ASA has 100Mbps bandwidth from the ISP and has two ports connected to the switch (inside and outside). 100 users are behind this ASA to access the internet. What we want to achieve is to throttle the download rate for these 100 users to 70Mbps and retain the remaining 30Mbps for other services.

Ideally I should do the traffic shaping/policing on the switch for the outside interface in the outbound direction. But according to a Cisco article, the 3750 series only allows traffic shaping/policing on inbound traffic, not outbound. My question is:

If I do the traffic shaping/policing on the switch for the inside interface in the ingress direction, will it also work?

Literally it shouldn't work because it only restricts the rate between the users (LAN) and the ASA inside interface. However, does the TCP protocol know how to adjust the rate to avoid too many packets being dropped before it goes to the inside interface? So can the rate between the ISP and the ASA outside interface also be shaped? It's something related to TCP congestion theory, I think. Has anyone ever tested this in your environment, or do you have other suggestions?

My configs:

! Match all IP traffic
access-list 101 permit ip any any
!
class-map match-any RSP_ASA_Class
 match access-group 101
!
! Police to 70 Mbps with a 1,000,000-byte burst; out-of-profile packets are dropped
policy-map RSP_ASA
 class RSP_ASA_Class
  police 70000000 1000000 exceed-action drop
!
! Applied inbound on the port facing the ASA inside interface (the 3750 polices ingress only)
interface GigabitEthernet2/0/11
 description ASA-INSIDE
 service-policy input RSP_ASA
 
References:

https://supportforums.cisco.com/message/132778#132778
https://supportforums.cisco.com/thread/2037175
Question by: rsp_it

Expert Comment by: Jody Lemoine

I'm not quite understanding where other services that you're reserving 30% of the bandwidth for are located, so it's a bit difficult to completely wrap my head around it.

If the other services are serviced by a DMZ interface on the ASA, I suggest you look into doing the shaping on the firewall itself rather than on the switch.

policy-map PM-Shape
 class class-default
  shape average 70000000 875000
service-policy PM-Shape interface inside

If the other services are sharing the same LAN as the 100 users you're policing, then inbound policing on the switch interface makes sense too, but you'll want your ACL to cover only the 100 users that you want to limit.

Policing will drop packets as they exceed the limit, but the TCP protocol will handle those losses by reducing the session's window and transmitting again.

Author Comment by: rsp_it

Hi jodylemoine,

Thanks for your quick response. The other services are reserved for a router but are sharing the same LAN as the 100 users.

So you are saying the policy won't throttle the outbound traffic as expected but the TCP protocol would. Rather than dropping the packets, TCP protocol will 'queue' the packets and transmit later which will cost more CPU/memory resources. Am I understanding you correctly?

Is this a normal way that we do traffic throttling?

Thank you

Accepted Solution by: Jody Lemoine (earned 500 total points)

The policy will throttle the traffic by dropping packets that violate it. TCP is designed to account for packet loss though, so it will retransmit. The combination effectively limits speeds when shaping isn't an option. It's standard practice when dealing with incoming traffic.

Shaping is better than policing, but can only be done outbound. It gives the device the option of queuing packets rather than just dropping them like policing does. The ASA can do it, but not selectively.

It doesn't look like shaping is going to be an option here, so falling back on policing and relying on TCP's retransmission mechanism will work well.
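The mechanism described in the accepted solution (and the `police 70000000 1000000 exceed-action drop` policy in the question) can be seen in a small simulation. The following is an added example, not code from the thread or from Cisco: a single-rate token-bucket policer modelled on the 3750 `police <bps> <burst-bytes>` semantics, fed by an idealised Reno-style TCP sender. The 1460-byte MSS, 50 ms RTT, pacing model and the "one halving per RTT with loss" rule are assumptions; the policer rate and burst come from the question's config.

```python
# Added example (not from the thread): a single-rate token-bucket policer in the style of
# the 3750 "police <bps> <burst-bytes> exceed-action drop" command, fed by a simplified
# TCP Reno-style sender, to show how drops alone end up bounding the transfer rate.
# All numbers are constructed; MSS, RTT and the sender model are assumptions.

MSS = 1460  # assumed TCP segment payload in bytes


class TokenBucketPolicer:
    """Single-rate, single-bucket policer: conforming packets pass, the rest are dropped."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps          # committed information rate (bits/s)
        self.burst_bytes = burst_bytes    # bucket depth (bytes)
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_t = 0.0

    def admit(self, t, size):
        """Return True if a packet of `size` bytes arriving at time `t` (seconds) conforms."""
        # Refill at the committed rate, never beyond the bucket depth
        self.tokens = min(self.burst_bytes, self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # exceed-action drop


def run_tcp_against_policer(rate_bps=70_000_000, burst_bytes=1_000_000,
                            rtt=0.05, duration=30.0, init_cwnd=10):
    """Drive an idealised Reno-style sender through the policer for `duration` seconds.

    Per RTT the sender paces `cwnd` segments evenly. Any drop in that RTT halves cwnd
    (one reduction per RTT, as fast recovery would); otherwise cwnd doubles in slow start
    or grows by one segment per RTT in congestion avoidance.
    """
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    cwnd, ssthresh = init_cwnd, float("inf")
    t, admitted, dropped, peak_cwnd = 0.0, 0, 0, 0
    while t < duration:
        gap = rtt / cwnd  # spacing between segments within this RTT
        lost = False
        for i in range(cwnd):
            if policer.admit(t + i * gap, MSS):
                admitted += MSS
            else:
                dropped += MSS
                lost = True
        peak_cwnd = max(peak_cwnd, cwnd)
        if lost:
            ssthresh = max(cwnd // 2, 2)
            cwnd = ssthresh
        elif cwnd < ssthresh:
            cwnd *= 2  # slow start
        else:
            cwnd += 1  # congestion avoidance
        t += rtt
    return {
        "goodput_bps": admitted * 8 / t,  # bytes that actually got through, as a rate
        "admitted_bytes": admitted,
        "dropped_bytes": dropped,
        "peak_cwnd": peak_cwnd,
    }


if __name__ == "__main__":
    result = run_tcp_against_policer()
    print(f"goodput {result['goodput_bps'] / 1e6:.1f} Mbps against a 70 Mbps policer, "
          f"{result['dropped_bytes'] // MSS} segments dropped, peak cwnd {result['peak_cwnd']}")
```

Running it shows the two halves of the answer: the policer keeps admitted traffic at or below its committed rate (the 1,000,000-byte bucket only lets the sender overshoot briefly during slow start), and the sender settles into the familiar sawtooth below the policed rate rather than collapsing, so the flow is rate-limited without any queuing on the switch. The price is visible too: every cycle ends with dropped segments and retransmissions, which is why the answer prefers shaping where it is available.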

Author Closing Comment by: rsp_it

Thanks for your help