2010-07-13

Rate limiting stats

Filed under: Geekiness — iain @ 13:03:48

My experiment with rate limiting downloads seems to be largely successful, modulo a few typos and omissions. I accidentally set the HTTP class as a match-all rule rather than a match-any rule, meaning it would always fail to match as traffic cannot be both HTTP and HTTPS traffic simultaneously. I also forgot to add SSH to a policy class. As a result both these protocols ended up in the default (slow) group. Everything else is working well so far.

I can see some statistics on the rate limiting.

    # sh int d0 rate-limit
     Dialer0 
      Input
        matches: dscp 1
          params:  64000 bps, 12000 limit, 24000 extended limit
          conformed 58600 packets, 4220034 bytes; action: transmit
          exceeded 0 packets, 0 bytes; action: drop
          last packet: 64ms ago, current burst: 0 bytes
          last cleared 02:04:55 ago, conformed 4000 bps, exceeded 0 bps
        matches: dscp 2
          params:  32000 bps, 6000 limit, 12000 extended limit
          conformed 10541 packets, 12268452 bytes; action: transmit
          exceeded 12986 packets, 18191623 bytes; action: drop
          last packet: 36ms ago, current burst: 10018 bytes
          last cleared 1d22h ago, conformed 0 bps, exceeded 0 bps
        matches: dscp 3
          params:  128000 bps, 24000 limit, 48000 extended limit
          conformed 71436 packets, 7030498 bytes; action: transmit
          exceeded 81 packets, 77046 bytes; action: drop
          last packet: 24ms ago, current burst: 0 bytes
          last cleared 1d22h ago, conformed 0 bps, exceeded 0 bps
        matches: dscp 4
          params:  256000 bps, 48000 limit, 96000 extended limit
          conformed 1021747 packets, 109363738 bytes; action: transmit
          exceeded 4012 packets, 3572353 bytes; action: drop
          last packet: 20ms ago, current burst: 0 bytes
          last cleared 1d22h ago, conformed 5000 bps, exceeded 0 bps
        matches: dscp 5
          params:  1024000 bps, 192000 limit, 384000 extended limit
          conformed 407623 packets, 249878838 bytes; action: transmit
          exceeded 13419 packets, 13016776 bytes; action: drop
          last packet: 4789ms ago, current burst: 0 bytes
          last cleared 1d22h ago, conformed 11000 bps, exceeded 0 bps
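
To see at a glance which DSCP class is hitting its policer hardest, the counters above can be parsed and turned into a per-class drop ratio. This is an added example, not part of the original post; the function names and the 10% threshold are assumptions, and the sample text is two entries copied from the output above.

```python
import re

# Constructed sample: the dscp 2 and dscp 4 entries from the output above.
SAMPLE = """\
 Dialer0
  Input
    matches: dscp 2
      params:  32000 bps, 6000 limit, 12000 extended limit
      conformed 10541 packets, 12268452 bytes; action: transmit
      exceeded 12986 packets, 18191623 bytes; action: drop
      last cleared 1d22h ago, conformed 0 bps, exceeded 0 bps
    matches: dscp 4
      params:  256000 bps, 48000 limit, 96000 extended limit
      conformed 1021747 packets, 109363738 bytes; action: transmit
      exceeded 4012 packets, 3572353 bytes; action: drop
      last cleared 1d22h ago, conformed 5000 bps, exceeded 0 bps
"""

MATCH = re.compile(r"matches: dscp (\d+)")
PARAMS = re.compile(r"params:\s+(\d+) bps, (\d+) limit, (\d+) extended limit")
# Requires "packets", so the "conformed 0 bps" summary line is not mistaken for a counter.
COUNT = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes")

def parse_rate_limit(text):
    """Return {dscp: {"bps": n, "conformed": {...}, "exceeded": {...}}}."""
    stats, cur = {}, None
    for line in text.splitlines():
        if m := MATCH.search(line):
            cur = stats.setdefault(int(m.group(1)), {})
        elif cur is None:
            continue  # interface name / direction header before the first entry
        elif m := PARAMS.search(line):
            cur["bps"] = int(m.group(1))
        elif m := COUNT.search(line):
            cur[m.group(1)] = {"packets": int(m.group(2)), "bytes": int(m.group(3))}
    return stats

def drop_ratio(entry):
    """Fraction of offered bytes that exceeded the rate limit."""
    ok, over = entry["conformed"]["bytes"], entry["exceeded"]["bytes"]
    return over / (ok + over) if ok + over else 0.0

def worst_classes(stats, threshold=0.10):
    """DSCP values whose byte drop ratio is above threshold, worst first."""
    hot = [(drop_ratio(e), d) for d, e in stats.items() if drop_ratio(e) > threshold]
    return [d for _, d in sorted(hot, reverse=True)]

if __name__ == "__main__":
    print(worst_classes(parse_rate_limit(SAMPLE)))
```

On the sample, only dscp 2 is above the threshold: roughly 60% of the bytes offered to that class were dropped.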

Unfortunately it isn’t apparent which types of traffic are ending up with each classification.

    # sh policy-map int d0
     Dialer0 
    
      Service-policy input: peak
    
        Class-map: peak-lowest (match-all)
          24951 packets, 32543191 bytes
          5 minute offered rate 86000 bps, drop rate 0 bps
          Match: access-group name peak
          Match: class-map match-any lowest
            Match: class-map match-any p2p
              0 packets, 0 bytes
              5 minute rate 0 bps
              Match: protocol bittorrent
                0 packets, 0 bytes
                5 minute rate 0 bps
              Match: protocol edonkey
                0 packets, 0 bytes
                5 minute rate 0 bps
              Match: protocol gnutella
                0 packets, 0 bytes
                5 minute rate 0 bps
              Match: protocol kazaa2
                0 packets, 0 bytes
                5 minute rate 0 bps
              Match: protocol winmx
                0 packets, 0 bytes
                5 minute rate 0 bps
            Match: class-map match-any rsync
              0 packets, 0 bytes
              5 minute rate 0 bps
              Match: access-group name rsync
                0 packets, 0 bytes
                5 minute rate 0 bps
          QoS Set
            dscp 2
              Packets marked 24948
        ...

So traffic is being marked as lowest priority but I can’t see whether it’s peer-to-peer or rsync.

This is because the class contains subclasses. The solution is to set up a separate policy map on the LAN interface to classify traffic sent out of the router to the internal network. So let’s set up a policy map with the individual classes I’m interested in.

    policy-map classify
     class p2p
     class rsync

My LAN interface happens to be Vlan1 so the policy should be applied on that interface’s output, going to clients. There’s no rate limiting on the interface so all we’re doing is gathering statistics.

    interface Vlan1
     service-policy output classify

Now we can see that it’s rsync which is currently active.

    # sh policy-map int vlan1
     Vlan1 
    
      Service-policy output: classify
    
        Class-map: p2p (match-any)
          56 packets, 5525 bytes
          5 minute offered rate 0 bps
          Match: protocol bittorrent
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol edonkey
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol gnutella
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol kazaa2
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol winmx
            0 packets, 0 bytes
            5 minute rate 0 bps
    
        Class-map: rsync (match-any)
          181 packets, 274034 bytes
          5 minute offered rate 12000 bps
          Match: access-group name rsync
            0 packets, 0 bytes
            5 minute rate 0 bps

Afterwards the temporary policy map can be removed.

    no policy-map classify

Or it could be kept around for further analysis, adding and removing classes as appropriate.
