Policing and monitoring
Last year I configured my Cisco 877 router to rate-limit downloads so as not to exceed my ISP’s monthly quota. Later I realised that rate-limiting is not the best method to cap downstream traffic and switched to policing instead. My method worked but with some changes to the implementation I have since been able to simplify the management and get access to more useful stats.
Explaining the difference between what I was doing and what I'm now doing would probably take almost as long as describing everything from scratch, and would certainly be confusing, so let's go back to the very beginning.
The situation was that my ISP imposed a strict download quota between the hours of 0900 and 1800 on weekdays. I wanted to make sure that I didn’t inadvertently eat into that quota by configuring traffic management policies on the router.
Since the peak period is based on time of day I first configured the local timezone correctly.
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
Then I created a time range to represent peak time.
time-range peak
 periodic weekdays 9:00 to 17:59
The time range is used inside IP and IPv6 access lists which would match any connection at peak time.
ip access-list extended peak
 permit ip any any time-range peak
ipv6 access-list peak6
 permit ipv6 any any time-range peak
We next need a class-map which will categorise any traffic matching either the peak or the peak6 access list. Since a packet can only match one of the two (it is either IPv4 or IPv6), it must be a match-any class-map.
class-map match-any peak
 match access-group name peak
 match access-group name peak6
Rather than just apply a blanket restriction I wanted to allow different types of traffic to have different speeds. For example I decided that HTTP traffic should be allowed to attain 1Mbps in peak time. Outside peak time I wasn’t applying any throttling at all.
Now we need a class-map to recognise HTTP. That’s achieved with a combination of the router’s own protocol recognition and some custom access lists which match non-standard but commonly-used ports.
ip access-list extended http-alt
 permit tcp any eq 8080 any
 permit tcp any eq 8443 any
ipv6 access-list http-alt6
 permit tcp any eq 8080 any
 permit tcp any eq 8443 any
class-map match-any http
 match protocol http
 match protocol secure-http
 match access-group name http-alt
 match access-group name http-alt6
In order to apply the 1Mbps restriction we need a policy-map. The peak class-map is used to limit the effects of the policy to traffic in peak time.
policy-map 1Mbps
 class peak
  police rate 1024000
   conform-action transmit
   exceed-action drop
   violate-action drop
The penultimate step is to create a policy, to be applied on the dialer interface, which will match traffic using the class-maps defined earlier and apply the appropriate restriction policies. Any traffic not categorised by a class-map is handled by the class-default rule.
policy-map from_internet
 class http
  service-policy 1Mbps
 class class-default
  service-policy 512kbps
Finally the from_internet policy is applied to the dialer interface so as to take effect.
interface Dialer 0
 service-policy input from_internet
By configuring policing this way I am able to see stats for all the traffic classes I define without needing to set up a separate Netflow server.
# show policy-map interface Dialer 0 input class http
 Dialer0

  Service-policy input: from_internet

    Class-map: http (match-any)
      7880183 packets, 9841690612 bytes
      5 minute offered rate 7000 bps
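Those counters are what makes the policing approach useful for monitoring, but they are only useful if something polls them. The script below is an added example and not part of the original post or the router configuration: it parses the per-class counters out of a captured copy of that show output, works out how many bytes each class carried between two polls (treating a counter that went backwards as a reset, which is how you avoid a bogus negative reading after a reload or a policy change), and computes the ceiling a policer places on peak-time usage, ignoring the burst allowance. The sample text is constructed to match the excerpt above, with a made-up second class so the parser has more than one class-map to walk; the class names, numbers and the 9:00 to 17:59 window come from the post, and the helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Constructed sample modelled on the 'show policy-map interface' excerpt in the
# post. The http counters are the ones quoted there; the class-default block is
# made up so the parser has more than one class to walk.
SAMPLE_OUTPUT = """\
 Dialer0

  Service-policy input: from_internet

    Class-map: http (match-any)
      7880183 packets, 9841690612 bytes
      5 minute offered rate 7000 bps

    Class-map: class-default (match-any)
      1204311 packets, 401233900 bytes
      5 minute offered rate 2000 bps
"""

PEAK_WINDOW_SECONDS = 9 * 3600  # 9:00 to 17:59 weekdays, as in the time-range


@dataclass
class ClassStats:
    name: str
    packets: int = 0
    bytes: int = 0
    offered_bps: int = 0


CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-(?:any|all)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"^\s*5 minute offered rate (\d+) bps")


def parse_policy_stats(text: str) -> Dict[str, ClassStats]:
    """Return per-class counters keyed by class-map name."""
    stats: Dict[str, ClassStats] = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = ClassStats(m.group(1))
            stats[current.name] = current
            continue
        if current is None:
            continue  # header lines before the first class-map
        m = COUNT_RE.match(line)
        if m:
            current.packets, current.bytes = int(m.group(1)), int(m.group(2))
            continue
        m = RATE_RE.match(line)
        if m:
            current.offered_bps = int(m.group(1))
    return stats


def bytes_between_polls(before: Dict[str, ClassStats],
                        after: Dict[str, ClassStats]) -> Dict[str, int]:
    """Bytes each class carried between two polls. A counter that went
    backwards means the router or the policy was reset, so only what has
    accumulated since the reset is counted."""
    usage: Dict[str, int] = {}
    for name, now in after.items():
        prev = before.get(name)
        if prev is None or now.bytes < prev.bytes:
            usage[name] = now.bytes
        else:
            usage[name] = now.bytes - prev.bytes
    return usage


def peak_ceiling_bytes(police_bps: int, window_seconds: int, days: int) -> int:
    """Upper bound on bytes a policer admits over the peak window: the policed
    rate times the window length times the number of peak days. Exceeding and
    violating packets are dropped, so nothing above this reaches the LAN
    (the burst allowance is ignored here)."""
    return police_bps * window_seconds // 8 * days


if __name__ == "__main__":
    stats = parse_policy_stats(SAMPLE_OUTPUT)
    for cls in stats.values():
        print(f"{cls.name:14} {cls.bytes:>13} bytes  {cls.offered_bps} bps")
    # 1Mbps policer over 20 peak weekdays: the most http can add to the quota.
    print(peak_ceiling_bytes(1024000, PEAK_WINDOW_SECONDS, 20), "bytes max")
```

Run it against text saved from the router (for example via an expect script or a scheduled SSH poll) and diff successive polls to see which class is eating the quota; the ceiling figure is what to compare against the ISP's allowance when choosing the police rate.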
To keep this post simple I only described one speed for one traffic class. In reality I created several more time-ranges and policy-maps, and nested service policies to allow variable restrictions at different times of day. When my ISP tightened the download quota for evenings and weekends I was able to apply a tiered strategy whereby peak time traffic was severely restricted, nighttime traffic was unrestricted and remaining times were mildly restricted. Then after a month I switched to an uncapped ISP but that's another story.
time-range off-peak
 periodic daily 2:00 to 5:59
ip access-list extended off-peak
 permit ip any any time-range off-peak
ipv6 access-list off-peak6
 permit ipv6 any any time-range off-peak
class-map match-any off-peak
 match access-group name off-peak
 match access-group name off-peak6
policy-map 256kbps
 class class-default
  police rate 256000
   conform-action transmit
   exceed-action drop
   violate-action drop
policy-map unlimited
 class class-default
policy-map low
 class peak
  service-policy 256kbps
 class off-peak
  service-policy unlimited
 class class-default
  service-policy 512kbps
policy-map from_internet
 class p2p
  service-policy low
 class http
  service-policy medium