2011-12-27

Policing and monitoring

Filed under: Geekiness — iain @ 12:17:38

Last year I configured my Cisco 877 router to rate-limit downloads so as not to exceed my ISP’s monthly quota. Later I realised that rate-limiting is not the best method to cap downstream traffic and switched to policing instead. My method worked but with some changes to the implementation I have since been able to simplify the management and get access to more useful stats.

Explaining the difference between what I was doing and what I’m now doing would probably take almost as long as describing everything from scratch and would certainly be confusing, so let’s go back to the very beginning.

The situation was that my ISP imposed a strict download quota between the hours of 0900 and 1800 on weekdays. I wanted to make sure that I didn’t inadvertently eat into that quota by configuring traffic management policies on the router.

Since the peak period is based on time of day I first configured the local timezone correctly.

    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last sun Oct 2:00

Then I created a time range to represent peak time.

    time-range peak
     periodic weekdays 9:00 to 17:59

The time range is used inside IP and IPv6 access lists which would match any connection at peak time.

    ip access-list extended peak
     permit ip any any time-range peak

    ipv6 access-list peak6
     permit ipv6 any any time-range peak

We next need a class-map which will categorise any traffic which matches the peak or peak6 access lists. Thus it must be a match-any class-map.

    class-map match-any peak
     match access-group name peak
     match access-group name peak6

Rather than just apply a blanket restriction I wanted to allow different types of traffic to have different speeds. For example I decided that HTTP traffic should be allowed to attain 1Mbps in peak time. Outside peak time I wasn’t applying any throttling at all.

Now we need a class-map to recognise HTTP. That’s achieved with a combination of the router’s own protocol recognition and some custom access lists which match non-standard but commonly-used ports.

    ip access-list extended http-alt
     permit tcp any eq 8080 any
     permit tcp any eq 8443 any

    ipv6 access-list http-alt6
     permit tcp any eq 8080 any
     permit tcp any eq 8443 any

    class-map match-any http
     match protocol http
     match protocol secure-http
     match access-group name http-alt
     match access-group name http-alt6

In order to apply the 1Mbps restriction we need a policy-map. The peak class-map is used to limit the effects of the policy to traffic in peak time.

    policy-map 1Mbps
     class peak
      police rate 1024000
       conform-action transmit
       exceed-action drop
       violate-action drop

The penultimate step is to create a policy, to be applied on the dialer interface, which will match traffic using the class-maps defined earlier and apply the appropriate restriction policies. Any traffic not categorised by a class-map is handled by the class-default rule.

    policy-map from_internet
     class http
      service-policy 1Mbps
     class class-default
      service-policy 512kbps

Finally the from_internet policy is applied to the dialer interface so as to take effect.

    interface Dialer 0
     service-policy input from_internet

By configuring policing this way I am able to see stats for all the traffic classes I define without needing to set up a separate Netflow server.

    # show policy-map interface Dialer 0 input class http
     Dialer0

      Service-policy input: from_internet

        Class-map: http (match-any)
          7880183 packets, 9841690612 bytes
          5 minute offered rate 7000 bps
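As an added example (my own code, not from the post), here is a small Python parser for that show output which pulls each top-level class's counters into a structure you can record at intervals and total up over a billing period. It assumes the output layout shown above and, because a child policy such as 1Mbps repeats its own class-map block underneath the parent, skips nested classes so their bytes are not counted twice.

```python
import re

# Constructed sample shaped like the "show policy-map interface" output quoted
# in the post, with the nested 1Mbps child policy included; not real router output.
SAMPLE = """\
 Dialer0
  Service-policy input: from_internet
    Class-map: http (match-any)
      7880183 packets, 9841690612 bytes
      5 minute offered rate 7000 bps
      Service-policy : 1Mbps
        Class-map: peak (match-any)
          3100000 packets, 4000000000 bytes
          5 minute offered rate 7000 bps
    Class-map: class-default (match-any)
      120034 packets, 45000000 bytes
      5 minute offered rate 1000 bps
"""

CLASS_RE = re.compile(r"^(\s*)Class-map:\s+(\S+)\s+\((match-\w+)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"^\s*5 minute offered rate (\d+) bps")

def parse_policy_stats(text):
    """Return {class name: {"packets", "bytes", "offered_bps"}} for the top-level
    classes only; classes of nested child policies are skipped so their bytes
    are not counted twice (they are already included in the parent's counters)."""
    stats, current, top_indent = {}, None, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            indent = len(m.group(1))
            top_indent = indent if top_indent is None else top_indent
            if indent > top_indent:        # a child policy's class-map: ignore
                current = None
                continue
            current = stats[m.group(2)] = {"packets": 0, "bytes": 0, "offered_bps": 0}
        elif current is None:
            continue
        elif (m := COUNT_RE.match(line)):
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
        elif (m := RATE_RE.match(line)):
            current["offered_bps"] = int(m.group(1))
    return stats

def total_bytes(stats):
    """Bytes seen across all top-level classes on the interface."""
    return sum(c["bytes"] for c in stats.values())
```

The counters are cumulative since the last clear, so subtract the previous sample to get the bytes used in a given window.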

To keep this post simple I only described one speed for one traffic class. In reality I created several more time-ranges and policy-maps, and nested service policies to allow variable restrictions at different times of day. When my ISP tightened the download quota for evenings and weekends I was able to apply a tiered strategy whereby peak time traffic was severely restricted, nighttime traffic was unrestricted and remaining times were mildly restricted. Then after a month I switched to an uncapped ISP, but that's another story.

    time-range off-peak
     periodic daily 2:00 to 5:59

    ip access-list extended off-peak
     permit ip any any time-range off-peak

    ipv6 access-list off-peak6
     permit ipv6 any any time-range off-peak

    class-map match-any off-peak
     match access-group name off-peak
     match access-group name off-peak6

    policy-map 256kbps
     class class-default
      police rate 256000
       conform-action transmit
       exceed-action drop
       violate-action drop

    policy-map unlimited
     class class-default

    policy-map low
     class peak
      service-policy 256kbps
     class off-peak
      service-policy unlimited
     class class-default
      service-policy 512kbps

    policy-map from_internet
     class p2p
      service-policy low
     class http
      service-policy medium
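With this many nested policy-maps it is easy to reference a class-map or policy-map that was never defined, and IOS will not always reject that until the policy is attached. As an added example (my own code, not the author's), the Python below checks a configuration fragment for dangling `class` and `service-policy` references; the fragment is constructed in the style of the post's configuration and deliberately leaves 512kbps undefined, as the post itself does, to show the check firing.

```python
import re

# Constructed fragment in the style of the post's configuration (not the author's
# full running-config); it deliberately leaves 512kbps undefined to show the check.
CONFIG = """\
class-map match-any peak
 match access-group name peak
 match access-group name peak6
class-map match-any off-peak
 match access-group name off-peak
 match access-group name off-peak6
policy-map 256kbps
 class class-default
  police rate 256000
   conform-action transmit
   exceed-action drop
policy-map unlimited
 class class-default
policy-map low
 class peak
  service-policy 256kbps
 class off-peak
  service-policy unlimited
 class class-default
  service-policy 512kbps
interface Dialer 0
 service-policy input low
"""

def check_mqc_references(config):
    """Return (stanza, problem) pairs for every `class` naming an undefined
    class-map and every `service-policy` naming an undefined policy-map."""
    class_maps = set(re.findall(r"^class-map\s+(?:match-any|match-all)\s+(\S+)", config, re.M))
    policy_maps = set(re.findall(r"^policy-map\s+(\S+)", config, re.M))
    problems, context = [], None
    for line in config.splitlines():
        if not line.startswith(" "):
            context = line.strip()      # top-level stanza, e.g. "policy-map low"
            continue
        m = re.match(r"\s+class\s+(\S+)$", line)
        if (m and context.startswith("policy-map") and m.group(1) != "class-default"
                and m.group(1) not in class_maps):
            problems.append((context, f"class {m.group(1)} has no class-map"))
        m = re.match(r"\s+service-policy\s+(?:input\s+|output\s+)?(\S+)$", line)
        if m and m.group(1) not in policy_maps:
            problems.append((context, f"service-policy {m.group(1)} has no policy-map"))
    return problems
```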
