Thursday, 22 April 2010

Inbound Rate Limiting on Cisco Catalyst Switches

If you need to limit the inbound bandwidth of a switch port on a Cisco Catalyst, the key is in the QoS configuration. Rather than going into an in-depth discussion of QoS and how it works, let’s skip that (check out Cisco’s QoS site for that level of detail) and jump into the configuration details. This particular configuration was done on a Cisco Catalyst 2960.

As I mentioned, the key is QoS. The first thing you need to do is globally enable QoS with the mls qos configuration command. Once QoS is enabled globally, it is enabled on all ports with default settings.

Next, we’ll need an access-list to match traffic on. In this example, we are going to police all traffic coming through the switch port, so our access-list will match all IP addresses.

ip access-list extended ACL_SLAP
permit ip any any

A class map is necessary to classify our traffic.

class-map match-all CLASS_SLAP
match access-group name ACL_SLAP

The policy map dictates what we want done to the traffic class previously defined. The police configuration command sets our rate limit, in this example to 8 Mbps with a burst size of 100 KB. The burst size is the trickiest part of this command. If the burst is set too low, your traffic will not be able to approach the maximum allowed throughput due to packet drops.

Because TCP halves its window size for each dropped packet, it’s important to set the burst size at a level that doesn’t impact performance. The rule of thumb is that the burst size should be double the amount of traffic sent at the maximum rate during one round-trip time. In this example, I assumed a round-trip time of 50 ms, which results in a burst size of 100 KB.

policy-map POLICY_SLAP
police 8000000 100000 exceed-action drop

Finally, apply the policy-map to the switch port with the service-policy configuration command.

interface GigabitEthernet0/2
service-policy input POLICY_SLAP

And now you’re done. In our example, we configured a switch port to only allow inbound traffic at 8 Mbps. We won’t be able to truly max the 8 Mbps, but we should come close. I’ve created a full text example that should be ready to copy and paste.

Leave a comment and let me know how it goes for you.

Wednesday, 21 April 2010

How would you limit the bandwidth on a switch port?

Edit: this configuration doesn’t seem to be that simple, because it’s not working very well on my 3560 now.

Edit #2: It turns out everything works as stated, except for the minor fact that the command slows your interface down.

Go into interface configuration mode, on the port you are making changes on.

switch(config-if)#srr-queue bandwidth ?
limit Configure bandwidth-limit for this interface
shape Configure shaping on transmit queues
share Configure shared bandwidth

This is what the IOS help shows; you can see that there are more options than merely limiting the bandwidth.

switch(config-if)#srr-queue bandwidth limit ?
<10-90> enter bandwidth limit for interface as percentage

The value is entered as a percentage, ranging from 10 to 90. The default is 100.

Therefore, a workaround to limit the switch port’s speed to 5 Mbps would be to do the following instead:

switch(config-if)#speed 10

switch(config-if)#srr-queue bandwidth limit 50

*Remember that this will slow your interface down, as it’s reduced from a 100 Mbps interface to a 10 Mbps interface instead.
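As an added example (not from the original posts), the following Python helper ties the two approaches together: it derives the policer burst from the rule of thumb given in the 2960 post (twice the data sent at the policed rate in one round-trip time) and renders the full QoS snippet, and it searches for a speed/percent pair that reproduces a target rate with the srr-queue workaround from the second post. The 10/100/1000 Mbps speed set and the whole-percent search are assumptions of this example, not statements from the posts.

```python
"""Helpers for the two Catalyst inbound rate-limiting approaches above.

Assumptions (not from the original posts): interface speeds are limited to
10/100/1000 Mbps and the srr-queue limit must be a whole percent in 10..90.
"""


def burst_bytes(rate_bps: int, rtt_s: float) -> int:
    """Burst size from the rule of thumb: twice the data sent at the policed
    rate during one round-trip time, converted from bits to bytes."""
    bits_per_rtt = rate_bps * rtt_s
    return int(round(2 * bits_per_rtt / 8))


def policing_config(port: str, rate_bps: int, rtt_s: float, tag: str = "SLAP") -> str:
    """Render the mls qos / ACL / class-map / policy-map / service-policy
    sequence for an inbound policer on one port (same names as the post)."""
    burst = burst_bytes(rate_bps, rtt_s)
    return "\n".join([
        "mls qos",
        f"ip access-list extended ACL_{tag}",
        " permit ip any any",
        f"class-map match-all CLASS_{tag}",
        f" match access-group name ACL_{tag}",
        f"policy-map POLICY_{tag}",
        f" police {rate_bps} {burst} exceed-action drop",
        f"interface {port}",
        f" service-policy input POLICY_{tag}",
    ])


def srr_limit_for(target_bps: int, speeds_mbps=(10, 100, 1000)):
    """Find a (speed_mbps, percent) pair whose product equals target_bps,
    preferring the highest link speed so the port is slowed as little as
    possible. Returns None when no whole percent in 10..90 hits the target."""
    for speed in sorted(speeds_mbps, reverse=True):
        for pct in range(10, 91):
            # speed (Mbps) * 1_000_000 * pct / 100 == speed * 10_000 * pct
            if speed * 10_000 * pct == target_bps:
                return speed, pct
    return None


if __name__ == "__main__":
    # 8 Mbps policer with a 50 ms RTT, as in the 2960 post
    print(policing_config("GigabitEthernet0/2", 8_000_000, 0.05))
    # 5 Mbps via the srr-queue workaround, as in the 3560 post
    print(srr_limit_for(5_000_000))
```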