Rate limiting stats
My experiment with rate limiting downloads seems to be largely successful, modulo a few typos and omissions. I accidentally set the HTTP class as a match-all rule rather than a match-any rule, meaning it would always fail to match as traffic cannot be both HTTP and HTTPS traffic simultaneously. I also forgot to add SSH to a policy class. As a result both these protocols ended up in the default (slow) group. Everything else is working well so far.
I can see some statistics on the rate limiting.
# sh int d0 rate-limit
Dialer0
  Input
    matches: dscp 1
      params: 64000 bps, 12000 limit, 24000 extended limit
      conformed 58600 packets, 4220034 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 64ms ago, current burst: 0 bytes
      last cleared 02:04:55 ago, conformed 4000 bps, exceeded 0 bps
    matches: dscp 2
      params: 32000 bps, 6000 limit, 12000 extended limit
      conformed 10541 packets, 12268452 bytes; action: transmit
      exceeded 12986 packets, 18191623 bytes; action: drop
      last packet: 36ms ago, current burst: 10018 bytes
      last cleared 1d22h ago, conformed 0 bps, exceeded 0 bps
    matches: dscp 3
      params: 128000 bps, 24000 limit, 48000 extended limit
      conformed 71436 packets, 7030498 bytes; action: transmit
      exceeded 81 packets, 77046 bytes; action: drop
      last packet: 24ms ago, current burst: 0 bytes
      last cleared 1d22h ago, conformed 0 bps, exceeded 0 bps
    matches: dscp 4
      params: 256000 bps, 48000 limit, 96000 extended limit
      conformed 1021747 packets, 109363738 bytes; action: transmit
      exceeded 4012 packets, 3572353 bytes; action: drop
      last packet: 20ms ago, current burst: 0 bytes
      last cleared 1d22h ago, conformed 5000 bps, exceeded 0 bps
    matches: dscp 5
      params: 1024000 bps, 192000 limit, 384000 extended limit
      conformed 407623 packets, 249878838 bytes; action: transmit
      exceeded 13419 packets, 13016776 bytes; action: drop
      last packet: 4789ms ago, current burst: 0 bytes
      last cleared 1d22h ago, conformed 11000 bps, exceeded 0 bps
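To compare the classes at a glance, the counters above can be reduced to the share of bytes dropped per DSCP value. This is an added example, not part of the original post; the function names are hypothetical and the sample is an excerpt of the output quoted above.

```python
import re

# Excerpt of the "sh int d0 rate-limit" output quoted in the post (dscp 1 and 2).
SAMPLE = """\
Dialer0
  Input
    matches: dscp 1
      params: 64000 bps, 12000 limit, 24000 extended limit
      conformed 58600 packets, 4220034 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
    matches: dscp 2
      params: 32000 bps, 6000 limit, 12000 extended limit
      conformed 10541 packets, 12268452 bytes; action: transmit
      exceeded 12986 packets, 18191623 bytes; action: drop
"""

# One rate-limit entry. \s+ lets the pattern match both the line-broken
# output and a copy that has been flattened onto a single line.
ENTRY = re.compile(
    r"matches:\s+dscp\s+(?P<dscp>\d+)\s+"
    r"params:\s+(?P<bps>\d+)\s+bps,.*?"
    r"conformed\s+(?P<c_pkts>\d+)\s+packets,\s+(?P<c_bytes>\d+)\s+bytes;.*?"
    r"exceeded\s+(?P<e_pkts>\d+)\s+packets,\s+(?P<e_bytes>\d+)\s+bytes;",
    re.S,
)

def parse_rate_limit(text):
    """Return {dscp: counters}, adding the percentage of offered bytes dropped."""
    stats = {}
    for m in ENTRY.finditer(text):
        row = {k: int(v) for k, v in m.groupdict().items()}
        offered = row["c_bytes"] + row["e_bytes"]
        # "exceeded" traffic has action "drop" in this configuration.
        row["dropped_pct"] = round(100.0 * row["e_bytes"] / offered, 1) if offered else 0.0
        dscp = row.pop("dscp")
        stats[dscp] = row
    return stats

def report(stats):
    """One summary line per DSCP class, lowest value first."""
    return [
        f"dscp {d}: limit {s['bps']} bps, {s['dropped_pct']}% of bytes dropped "
        f"({s['e_pkts']} packets)"
        for d, s in sorted(stats.items())
    ]

if __name__ == "__main__":
    print("\n".join(report(parse_rate_limit(SAMPLE))))
```

The counters in each entry accumulate since its own "last cleared" time, so percentages are only comparable between classes cleared at the same moment.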
Unfortunately it isn’t apparent which types of traffic are ending up with each classification.
# sh policy-map int d0
 Dialer0

  Service-policy input: peak

    Class-map: peak-lowest (match-all)
      24951 packets, 32543191 bytes
      5 minute offered rate 86000 bps, drop rate 0 bps
      Match: access-group name peak
      Match: class-map match-any lowest
        Match: class-map match-any p2p
          0 packets, 0 bytes
          5 minute rate 0 bps
          Match: protocol bittorrent
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol edonkey
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol gnutella
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol kazaa2
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: protocol winmx
            0 packets, 0 bytes
            5 minute rate 0 bps
        Match: class-map match-any rsync
          0 packets, 0 bytes
          5 minute rate 0 bps
          Match: access-group name rsync
            0 packets, 0 bytes
            5 minute rate 0 bps
      QoS Set
        dscp 2
          Packets marked 24948
...
So traffic is being marked as lowest priority but I can’t see whether it’s peer-to-peer or rsync.
This is because the class contains subclasses. The solution is to set up a separate policy map on the LAN interface to classify traffic sent out of the router to the internal network. So let’s set up a policy map with the individual classes I’m interested in.
policy-map classify
 class p2p
 class rsync
My LAN interface happens to be Vlan1 so the policy should be applied on that interface’s output, going to clients. There’s no rate limiting on the interface so all we’re doing is gathering statistics.
interface Vlan1
 service-policy output classify
Now we can see that it’s rsync which is currently active.
# sh policy-map int vlan1
 Vlan1

  Service-policy output: classify

    Class-map: p2p (match-any)
      56 packets, 5525 bytes
      5 minute offered rate 0 bps
      Match: protocol bittorrent
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps

    Class-map: rsync (match-any)
      181 packets, 274034 bytes
      5 minute offered rate 12000 bps
      Match: access-group name rsync
        0 packets, 0 bytes
        5 minute rate 0 bps
Afterwards the temporary policy map can be removed.
no policy-map classify
Or it could be kept around for further analysis, adding and removing classes as appropriate.