Sunday, July 11, 2010

QoS: Policing mini-lab

Hi all, as promised, here is the next mini-lab on QoS topics: today is the Policing lab :-)

Using the same topology as the last post, here is the .net file:

autostart = False
[localhost:7200]
workingdir = /tmp
udp = 10000
[[3640]]
image = /opt/IOS/c3640-jk9o3s-mz.124-16.bin
chassis = 3640
ghostios = True
sparsemem = True
[[ROUTER R1]]
model = 3640
console = 4002
slot0 = NM-4T
s0/0 = R2 s0/0
[[ROUTER R2]]
model = 3640
console = 4003
slot0 = NM-4T
s0/0 = R1 s0/0
s0/1 = R3 s0/0
[[ROUTER R3]]
model = 3640
console = 4004
slot0 = NM-4T
s0/0 = R2 s0/1


and the initial configs:

!------ R1 initial config -----------------
hostname R1
!
no ip domain-lookup
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
bandwidth 128
ip address 12.12.12.1 255.255.255.0
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
serial restart-delay 0
no fair-queue
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
exec-timeout 0 0
logging synchronous
!------ END R1 initial config -----------------

!------ R2 initial config -----------------
hostname R2
!
no ip domain-lookup
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
bandwidth 128
ip address 12.12.12.2 255.255.255.0
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
serial restart-delay 0
no fair-queue
!
interface Serial0/1
bandwidth 128
ip address 23.23.23.2 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
no keepalive
serial restart-delay 0
no fair-queue
frame-relay map ip 23.23.23.3 666 broadcast
no frame-relay inverse-arp
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
exec-timeout 0 0
logging synchronous
!------ END R2 initial config -----------------

!------ R3 initial config -----------------
hostname R3
!
no ip domain-lookup
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
bandwidth 128
ip address 23.23.23.3 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
load-interval 30
tx-ring-limit 1
tx-queue-limit 1
no keepalive
serial restart-delay 0
no fair-queue
frame-relay map ip 23.23.23.2 666 broadcast
no frame-relay inverse-arp
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
exec-timeout 0 0
logging synchronous
!------ END R3 initial config -----------------


Let's start trying the different policing options:

1) Police single rate with two colors

One important point about policing is that Bc and Be are expressed in BYTES, so expect different values than with shaping.
The logic is also a little different: there is no Tc interval at which the token bucket is refilled; instead, the arrival time (in seconds) of each packet is used. Every time a packet arrives, the token bucket is refilled with a variable amount of tokens, using this formula:

refill = ((time packet arrival sec - time arrival last packet sec) * Police rate ) /8

So the closer together packets arrive, the smaller the refill.
Obviously, if there aren't enough tokens, the packet exceeds the CIR, so the exceed action is executed.
With single-rate policing, the Bc value is used only as the initial fill value; after that, the refill formula above is applied.

Let's try on R2:

R2(config-pmap-c)#do sh run | sec policy-map
policy-map POLICE-SINGLE-RATE-TWO-COLORS
class class-default
police 64000 conform-action transmit exceed-action drop

R2(config-pmap-c-police)#do sh policy-map
Policy Map POLICE-SINGLE-RATE-TWO-COLORS
Class class-default
police cir 64000 bc 2000
conform-action transmit
exceed-action drop


Here I haven't specified any initial Bc value, so the default of 2000 bytes is used, as the show policy-map output confirms.

Let's apply it on Ser 0/0 of R2 and generate some traffic:

R2(config-pmap-c)#int s 0/0
R2(config-if)#service-policy output POLICE-SINGLE-RATE-TWO-COLORS

R2(config-if)#do ping 1.1.1.1 repeat 1000 timeout 0 size 500

Type escape sequence to abort.
Sending 1000, 500-byte ICMP Echos to 1.1.1.1, timeout is 0 seconds:
......dots dots.......

R2(config-pmap-c)#do sh policy-map int s 0/0
Serial0/0

Service-policy output: POLICE-SINGLE-RATE-TWO-COLORS

Class-map: class-default (match-any)
1006 packets, 504551 bytes
30 second offered rate 117000 bps, drop rate 117000 bps
Match: any
police:
cir 64000 bps, bc 2000 bytes
conformed 4 packets, 2016 bytes; actions:
transmit
exceeded 996 packets, 501984 bytes; actions:
drop
conformed 1000 bps, exceed 117000 bps


As you can see, the conformed rate is very low, since all our packets are sent in too short a time. We can more or less assume that the 4 conformed packets used up the initial 2000-byte Bc (500 bytes x 4 packets...).
Here we can see a big difference between policing and shaping: with shaping the link utilization will be higher.

2) Police single rate with three colors

It works the same way as single rate with two colors, but uses two token buckets. When the conform bucket is full, the spillage refills the exceed bucket. The refill of the conform bucket always uses the packet arrival time as reference.


R2(config-pmap-c-police)#do sh policy-map
Policy Map POLICE-SINGLE-RATE-THREE-COLORS
Class class-default
police cir 64000 bc 2000 be 2000
conform-action transmit
exceed-action set-dscp-transmit default
violate-action drop

R2(config-pmap-c-police)#do sh run | sec policy-map
policy-map POLICE-SINGLE-RATE-THREE-COLORS
class class-default
police 64000 conform-action transmit exceed-action set-dscp-transmit 0 violate-action drop


The main objective with three colors is to perform a different action than drop for the exceeding or violating traffic.


3) Police dual rate with three colors

With dual rate, policing is a little bit different. There are two buckets, one conforming and one exceeding, and they are filled independently, both using the arrival-time-based formula.
When a packet conforms, that means there are enough tokens in the conforming bucket, but also in the exceeding one. So tokens for conforming packets are taken twice, once from each bucket.
If a packet exceeds, that means there aren't enough tokens in the conforming bucket but there are in the exceeding bucket; otherwise the packet violates.

Here is an example:


R2(config-pmap-c-police)#do sh run | sec policy-map
policy-map POLICE-TWO-RATES-THREE-COLORS
class class-default
police cir 64000 pir 96000
conform-action transmit
exceed-action set-dscp-transmit default
violate-action drop

R2(config-pmap-c-police)#do sh policy-map
Policy Map POLICE-TWO-RATES-THREE-COLORS
Class class-default
police cir 64000 bc 2000 pir 96000 be 3000
conform-action transmit
exceed-action set-dscp-transmit default
violate-action drop

R2(config-if)#do sh policy-map int s 0/0
Serial0/0

Service-policy output: POLICE-TWO-RATES-THREE-COLORS

Class-map: class-default (match-any)
9011 packets, 576851 bytes
30 second offered rate 73000 bps, drop rate 68000 bps
Match: any
police:
cir 64000 bps, bc 2000 bytes
pir 96000 bps, be 3000 bytes
conformed 384 packets, 24576 bytes; actions:
transmit
exceeded 198 packets, 12672 bytes; actions:
set-dscp-transmit default
violated 8418 packets, 538752 bytes; actions:
drop
conformed 4000 bps, exceed 3000 bps, violate 68000 bps


Dual-rate policing is used when you want the flexibility of the three colors, but the exceeding traffic has to be set with a custom value, usually less than the CIR rate.
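
The three policers described in this post, modeled in Python (an added example, not part of the original post and not IOS code). The `Policer` class, the `run` helper, the 10-microsecond packet spacing and the 500-byte packet length are assumptions made for illustration, as is capping each bucket at its burst size.

```python
from collections import Counter

class Policer:
    """Token-bucket policer model; rates in bit/s, bursts and tokens in BYTES."""
    def __init__(self, cir, bc, be=0, pir=None):
        self.cir, self.pir, self.bc, self.be = cir, pir, bc, be
        self.tc, self.te = float(bc), float(be)  # both buckets start full
        self.last = None                          # arrival time of previous packet

    def _refill(self, now):
        dt = 0.0 if self.last is None else now - self.last
        self.last = now
        add = dt * self.cir / 8                   # the post's refill formula
        if self.pir is None:
            # Single rate: overflow of the conform bucket spills into the exceed bucket.
            spill = max(0.0, self.tc + add - self.bc)
            self.te = min(self.be, self.te + spill)
        else:
            # Dual rate: the exceed bucket refills independently at PIR.
            self.te = min(self.be, self.te + dt * self.pir / 8)
        self.tc = min(self.bc, self.tc + add)     # assumption: buckets capped at Bc/Be

    def police(self, now, size):                  # -> 'conform', 'exceed' or 'violate'
        self._refill(now)
        if self.pir is not None:
            if self.te < size:
                return "violate"
            self.te -= size                       # conforming packets debit both buckets
            if self.tc < size:
                return "exceed"
            self.tc -= size
            return "conform"
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate" if self.be else "exceed"  # only two colors when no Be is set

def run(policer, count, gap, size=500):
    """Offer `count` packets of `size` bytes, one every `gap` seconds (constructed traffic)."""
    return Counter(policer.police(i * gap, size) for i in range(count))

if __name__ == "__main__":
    burst = dict(count=1000, gap=0.00001)         # constructed back-to-back burst
    for p in (Policer(64000, 2000), Policer(64000, 2000, be=2000),
              Policer(64000, 2000, be=3000, pir=96000)):
        print(dict(run(p, **burst)))
    print(dict(run(Policer(64000, 2000), count=100, gap=0.0625)))  # paced at CIR
```

With the constructed burst, the two-color policer conforms 4 packets and exceeds 996, in line with the counters shown for the ping test above; the same 500-byte packets offered one every 62.5 ms (64 kbps) all conform.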

As usual, the policing methods can be used with the percent value:


R2(config-pmap-c-police)#do sh run | sec policy-map
policy-map POLICE-PERCENT
class class-default
police cir percent 50 pir percent 75
conform-action transmit
exceed-action set-dscp-transmit af13
violate-action drop

R2(config-pmap-c-police)#do sh policy-map
Policy Map POLICE-PERCENT
Class class-default
police cir percent 50 pir percent 75 be 0
conform-action transmit
exceed-action set-dscp-transmit af13
violate-action drop

R2(config-if)#do sh policy-map int ser 0/0
Serial0/0

Service-policy output: POLICE-PERCENT

Class-map: class-default (match-any)
33 packets, 2717 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 50 %
cir 64000 bps, bc 2000 bytes
pir 75 %
pir 96000 bps, be 3000 bytes
conformed 2 packets, 272 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
set-dscp-transmit af13
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps


Well, enough for today. This week I have reviewed the whole QoS exam certification guide; the only thing I still have to review is the SRR/WRR differences, since the book is a little bit outdated (it uses 2950s).
Well, the next week of vacation will be the turn of Routing TCP/IP vol. I; I hope to keep it safe from the beach sand :-)

have fun
Marco
