Limiting bandwidth usage to remote sites

Create Date: Aug 9 2012 9:43AM

I have a couple of questions that I was hoping to get clarified as to how they work. I am completely stumped and any help would be greatly appreciated.

When applying a static ACL policy (i.e. bandmax.pol) on a Summit x450e and x450a, does that apply to the ingress, egress, or can you specify either or both? Also, does that include only physical interfaces or does it also include virtual interfaces (SVIs) in and out of the VLAN where ipforwarding is enabled?

What I am trying to do is set up QoS to limit the bandwidth to remote sites in both directions (5MB to each site in both directions). At our main facility we have 15 Mbps coming in from our ISP. Then from the ISP to each remote site (3 total) there is 5 Mbps. The ISP has a policer that flat drops any extra traffic, which really causes problems and actually makes our remote sites run slower. They provide Q-in-Q tagging so the gateway for each remote site is at the main site. Eventually we will have VOIP phones at the remote sites that currently use QP5. The main site has an x450a and all the remotes have x450e's. Here's a quick diagram below.

Remote Site 1      Remote Site 2      Remote Site 3
      |                  |                  |
   5 Mbps             5 Mbps             5 Mbps
      |                  |                  |
      ------------------ISP------------------
                         |
                      15 Mbps
                         |
                     Main Site

Here is the configuration I have been using on the x450a. Port 2:20 is the port that connects from our x450a to a Cisco switch on location provided by our ISP.


Main site:
create qosprofile qp2
create qosprofile qp3
create qosprofile qp4

config qosprofile qp2 peak_rate 5 M port 2:20
config qosprofile qp3 peak_rate 5 M port 2:20
config qosprofile qp4 peak_rate 5 M port 2:20

create vlan EM1
config vlan EM1 ipaddress 10.10.20.1
config vlan EM1 tag 20
config vlan EM1 qosprofile qp2
config vlan EM1 add port 2:20 tagged

create vlan DR1
config vlan DR1 ipaddress 10.10.30.1
config vlan DR1 tag 30
config vlan DR1 qosprofile qp3
config vlan DR1 add port 2:20 tagged

create vlan MP1
config vlan MP1 ipaddress 10.10.40.1
config vlan MP1 tag 40
config vlan MP1 qosprofile qp4
config vlan MP1 add port 2:20 tagged

---------------------------------------------------

Here's the configuration at the remote sites. Port 1:48 is the port that connects from our x450e to a Cisco switch on location provided by our ISP. I have been using the same QoS queue on both sides for each remote site and main facility. I wasn't sure if that made a difference.

Remote Site 1:
create qosprofile qp2
config qosprofile qp2 peak_rate 5 M port 1:48

create vlan EM1
config vlan EM1 ipaddress 10.10.20.2
config vlan EM1 tag 20
config vlan EM1 qosprofile qp2
config vlan EM1 add port 1:48 tagged

---------------------------------------------------

Remote Site 2:
create qosprofile qp3
config qosprofile qp3 peak_rate 5 M port 1:48

create vlan DR1
config vlan DR1 ipaddress 10.10.30.2
config vlan DR1 tag 30
config vlan DR1 qosprofile qp3
config vlan DR1 add port 1:48 tagged

---------------------------------------------------

Remote Site 3:
create qosprofile qp4
config qosprofile qp4 peak_rate 5 M port 1:48

create vlan MP1
config vlan MP1 ipaddress 10.10.40.2
config vlan MP1 tag 40
config vlan MP1 qosprofile qp4
config vlan MP1 add port 1:48 tagged

I was hoping someone might tell me if I am going in the right direction with this or if I am missing something. When I copy a file I see we exceed our ISP limits and then we start saw-toothing and it runs really slow, so I don't think it's working correctly from what I am doing. If I use the command show port qosmonitor, everything is still in QP1 at the main site on the 450a, but it does look correct at the remote sites in QP2.

Thank you for any help. I have been stuck on this for the past several days and can't quite figure it out.

(from Chad_Wilson)
Create Date: Aug 9 2012 1:55PM

Hello Wilson,

Let me start to answer this question and hopefully it will make enough sense that it will help you. In XOS we assign traffic to a queue as the traffic ingresses the switch. This allows us to maintain the QoS from the ingress of the switch through the fabric to the egress. The QoS queues, qp1-qp8, are egress queues so that the traffic is shaped or limited. So in the example below you are providing the shaping on egress on each side, which is one way to do this. We also can do metering where we drop traffic as it ingresses the port of the switch. So for example you can do a meter on the ingress port at the main site which will drop the traffic at that point. This may not be the best idea as it will allow all traffic across the MAN before it drops. But I mention it for future reference.

The information that is in the show port qosm is always egress traffic. So to see the level of traffic from the remote site to the main site you would look at the remote site uplink port, and vice versa. If the traffic is staying in QP1 then most likely that is a problem with the precedence of the QoS. XOS allows you to set up many different traffic groups for any type of traffic. When there is more than one traffic group then there is a precedence where one traffic group takes priority over another one. Page 735 of the 15.1 concept guide shows the precedence, but here it is:

"Switches, SummitStack, and Summit Family Switches"
1 ACL-based traffic groups for IP packets (specifies IP address information)
2 ACL-based traffic groups for Ethernet frames (specifies MAC address information)
3 CoS 802.1p-based traffic groups
4 Port-based traffic groups
5 VLAN-based traffic groups
6 DiffServ-based traffic groups

As you can see, VLAN traffic is low on the list. If traffic comes into the switch with an 802.1Q tag then the internal .1p bit will take priority over your VLAN setting. This means that most likely the .1p bit will be 0 unless you change it, and 0 will fall into the qp1 queue. To verify if this is the problem you can disable dot1p examination and see if the traffic falls into the correct queue.

So if this is the problem, what are the solutions?
1) Keep dot1p examination disabled (this can be a problem later on if you use voice, as voice traffic will set the .1p bit).
2) When the traffic egresses either site you can have the switch change the .1p bit on the fly using config dot1p replacement. If the dot1p values are defined, i.e. 0-qp1, 2-qp2, 7-qp8 etc., then the switch will change the dot1p bit as the traffic egresses the port to the new value. The other side will see the new .1p bit and place it into the correct queue when dot1p examination is turned on.
3) You can use an ACL to look at the IP subnet and then assign it to a qp.

Ok, does that help? Does it raise more questions, and do you have any other information that we can use to find the issue?

P

(from Paul_Russo)
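To make options 2 and 3 from the reply above concrete, here is an added example configuration for the main-site x450a; it is not from the original thread and was not verified on the poster's switches. It uses an ACL-based traffic group (highest precedence in the list above) to pick the egress queue by destination subnet, and dot1p replacement on the uplink so the remote x450e can keep dot1p examination enabled. The policy name remote_qos, the /24 masks, and the spoke/ring port list 1:1-1:10 are assumptions.

```text
# --- main site x450a: policy file remote_qos.pol (edit policy remote_qos) ---
# Option 3: an ACL-based traffic group outranks the .1p bit and the
# VLAN qosprofile, so it works no matter what tag the LAN side sends.
# Masks are assumed; the original post sets no mask on the VLANs.
entry to_remote1 {
    if match all {
        destination-address 10.10.20.0/24;
    } then {
        qosprofile qp2;
        count to_remote1;
    }
}
entry to_remote2 {
    if match all {
        destination-address 10.10.30.0/24;
    } then {
        qosprofile qp3;
        count to_remote2;
    }
}
entry to_remote3 {
    if match all {
        destination-address 10.10.40.0/24;
    } then {
        qosprofile qp4;
        count to_remote3;
    }
}

# --- main site x450a: CLI ---
# Classification happens on ingress, so apply the policy where LAN
# traffic enters the core (EAPS ring and spoke ports), not on 2:20.
# Port list 1:1-1:10 is an assumption for those ports.
check policy remote_qos
configure access-list remote_qos ports 1:1-1:10 ingress

# Option 2: rewrite the 802.1p bits as frames leave the ISP uplink so
# the remote side sees a .1p value that maps to the intended queue
# (default map: 0->qp1, 1->qp2, 2->qp3, 3->qp4 ... 7->qp8).
enable dot1p replacement ports 2:20

# --- each remote x450e ---
enable dot1p examination ports 1:48

# Verify: qosmonitor counts egress only, so watch the uplink on the
# sending side; the ACL counters confirm the policy is matching.
show ports 2:20 qosmonitor
show access-list counter
```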
Create Date: Aug 10 2012 8:40AM

Hi Prusso, thank you. That really does help. I think it will take some time to sink in since there's so much information and flexibility, with more than one way to accomplish the goal, it looks like. The manual and concept guides are helpful, but they just don't really pull it all together as well with real-world use. Your explanation is much more helpful than all the manuals I read.

I do have some additional information and a few more questions that might sound pretty elementary but would be very helpful in getting it all straight in my mind! :)

When referring to QoS is it always egress and not ingress?

Also, I saw there is an option for ACLs to apply them to the egress (which I originally thought would be the solution), but when I tried to use it on an XOS switch it failed even though the option was there. Are ACLs mostly/always ingress?

Lastly, for QoS and ACLs, do they ever refer to the virtual interface or just physical ports only? I always get hung up that when you enable ipforwarding on a VLAN and it becomes a virtual interface, traffic flows in and out of it. I keep wondering if that may have a QoS or ACL applied to it or just physical interfaces.

Ok, yes I do have some additional information. I set up the QoS profiles from the first post, but it seems like I have only done half a solution? What we have is an EAPS ring that has the 450a as the core. We also have several smaller 450e's that are "spoked" off the 450a. So we have several ports that traffic could potentially come in on to the main site and then go to the remote sites. So basically traffic comes to the core, but I am guessing it needs to be tagged there, or can I tag it as it's leaving the egress port on 2:22? I just don't know how to accomplish this, but it sounds like there is more than one way.

Also, we actually do have dot1p already disabled. We are using ShoreTel phones and we had our reseller do the setup. Here's what is on the 450a (main site) from the diagram. We will not have IP phones at remote sites for a while. Here are the lines from the 450a:

config diffserv examination code-point 46 qosprofile QP5
disable dot1p examination ports all
enable diffserv examination ports all

So just to clarify, I have a potential solution with the QoS setup, but the QoS monitor shows everything in QP1, so I need to get it to the correct queue. What is the difference between dot1p and diffserv?

One last question: I noticed on the remote sites all the traffic originates in the VLAN and comes back to the main site, so it seems to leave from the correct queue with no additional configuration beyond the QoS setup on the VLAN. Whereas the traffic coming from the main site is in the wrong queue. Is that because it originates in the queue at the remote site vs. traversing a switch from one VLAN to another at the main site before heading to the remote sites?

I know I have a lot of questions, but I just can't seem to find the answers, and first level support on the phone just didn't have the answers either, so thank you very much for all the help!

(from Chad_Wilson)
