Configuring Class-Based Policing in FTOS
 
Introduction

This document provides a sample configuration for class-based traffic policing using QoS policies on Force10 switches (C-Series, E-Series, and S-Series) running FTOS. It also explains the impact of rate policing on network control traffic.
As shown in the following figure, the switch supports rate policing on an input interface, and rate limiting and traffic shaping on an output interface.

[Figure: Application of QoS policies along the packet path]

Configure and Monitor Policing

This configuration limits all incoming HTTP traffic (TCP port 80) between two IP networks to 10 Mbps. After this QoS service policy has been applied, the HTTP traffic streams are policed down to 10 Mbps, and traffic in excess of that rate is dropped.

1. Define the interesting traffic using an IP access list (also called an Access Control List, or ACL):

ip access-list extended HTTP-RATE-POLICE
seq 5 permit tcp 10.0.0.0/24 172.16.0.0/24 eq 80

2. Configure a class map to match the interesting traffic:

class-map match-all HTTP
match ip access-group HTTP-RATE-POLICE

3. Define a rate-limiting QoS policy using the rate-police command:

qos-policy-input QOS-HTTP-IN
! committed rate is given in Mbps, so 10 matches the 10 Mbps target above
rate-police 10

4. Create an input policy map that binds the class map and QoS policy defined in steps 2 and 3 to an input queue:

policy-map-input PM-HTTP-IN
service-queue 4 class-map HTTP qos-policy QOS-HTTP-IN

Note: The C-Series and S-Series reserve the top four queues (4-7) for control traffic.

5. Apply the policy map to interface GigabitEthernet 1/0 with the service-policy input command:

interface GigabitEthernet 1/0
no ip address
switchport
service-policy input PM-HTTP-IN
no shutdown

6. Use the show qos statistics command to verify that the QoS policy is working correctly.

Note: This command is available only for the E-Series.

Important Notes About Rate Policing/Limiting and Control Plane Traffic

Force10 Networks uses the term "rate control" to apply generically to either inbound traffic policing or outbound traffic limiting. As of FTOS Release 5.3.1, using rate controls can affect network control traffic as follows:

Note: This description pertains only to the E-Series. The C-Series and S-Series have separate data queues (0-3) and control traffic queues (4-7).

  • FTOS prepends a proprietary header on all inbound packets, including control traffic such as OSPF and VRRP packets. Such control packets are directed to queue 7 independent of their original Differentiated Services Code Point (DSCP) value, which includes DSCP 6 for OSPF and BGP and DSCP 0 for VRRP. Thus, under link-full conditions with no configured QoS, control traffic is guaranteed and should not be dropped.

  Note: Only control traffic should be directed to queue 7. Do not use queue 7 for significant data traffic.

  • When applied at the interface level, rate controls affect the default queue (queue 0) only, and control traffic is not affected.

  • When applied at the queue level with a QoS service policy, rate limiting will not impact control traffic (and such traffic is guaranteed) as long as a rate-limiting policy is not applied to queue 7.

  • Unicast control traffic generated by the switch is placed in the highest-priority queue on the egress port. If the entire interface is rate-controlled, control traffic may be dropped.

  • Multicast control traffic generated by the switch (and other control traffic) is marked with an IP Type of Service (TOS) bit value of 0x6 (Internet Control) and directed to the egress interface's queue 7. By default, only control traffic goes to this queue. Weighted Fair Queuing (WFQ) at egress ensures that multicast control traffic in queue 7 is not dropped when the interface is congested.

  • Each interface supports eight queues for unicast traffic and eight queues for multicast traffic. By default, multicast data traffic goes to multicast queue 0. The packets in these queues are transmitted in a round-robin fashion. During a congestion condition, multicast data traffic in queue 0 may be dropped. However, multicast control traffic in queue 7 should not experience any drops as the amount of control traffic going to queue 7 is significantly less than the total available bandwidth given to this queue.

  • Interface-level rate controls can therefore affect unicast control traffic, but they do not affect multicast control traffic.

  • To best protect unicast control-plane traffic, use class-based rate controls and do not police the highest-priority queue (queue 7).
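As an added illustration of the configuration procedure above and of the queue caveats in this section (example code written for this page, not a Force10 tool), the following Python script parses a constructed FTOS-style configuration and flags the two conditions the notes warn about: a data class bound to a queue the article lists as control-reserved for the platform, and a rate control applied to queue 7. The sample configuration, the function names and the platform-to-queue table are assumptions taken from this page's text.

```python
import re

# Constructed sample config, modelled on the article's steps. The second
# service-queue line deliberately maps data traffic to queue 7 so the audit
# has something to flag.
SAMPLE_CONFIG = """\
ip access-list extended HTTP-RATE-POLICE
 seq 5 permit tcp 10.0.0.0/24 172.16.0.0/24 eq 80
class-map match-all HTTP
 match ip access-group HTTP-RATE-POLICE
qos-policy-input QOS-HTTP-IN
 rate-police 10
policy-map-input PM-HTTP-IN
 service-queue 4 class-map HTTP qos-policy QOS-HTTP-IN
 service-queue 7 class-map HTTP qos-policy QOS-HTTP-IN
"""

# Queues the article reserves for control traffic: 4-7 on C/S-Series, 7 on E-Series.
CONTROL_QUEUES = {"C-Series": range(4, 8), "S-Series": range(4, 8), "E-Series": range(7, 8)}

def parse_policies(config):
    """Return the set of qos-policy-input names carrying a rate control, and a
    list of (policy-map, queue, class-map, qos-policy) service-queue bindings."""
    policed, bindings, section = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # unindented line: a new top-level section
            section = None
        m = re.match(r"(qos-policy-input|policy-map-input) (\S+)$", line)
        if m:
            section = (m.group(1), m.group(2))
            continue
        if section and section[0] == "qos-policy-input" and re.match(r"rate-(police|limit)\b", line):
            policed.add(section[1])
        m = re.match(r"service-queue (\d+) class-map (\S+) qos-policy (\S+)$", line)
        if m and section and section[0] == "policy-map-input":
            bindings.append((section[1], int(m.group(1)), m.group(2), m.group(3)))
    return policed, bindings

def audit(config, platform):
    """Flag data classes bound to a control-reserved queue, and rate controls on
    queue 7, which the article says can drop control-plane traffic."""
    policed, bindings = parse_policies(config)
    findings = []
    for pm, queue, _cls, qos in bindings:
        if queue in CONTROL_QUEUES[platform]:
            findings.append(("control-queue", pm, queue))
        if queue == 7 and qos in policed:
            findings.append(("policed-queue-7", pm, queue))
    return findings

if __name__ == "__main__":
    for platform in ("E-Series", "C-Series"):
        print(platform, audit(SAMPLE_CONFIG, platform))
```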

Request Additional Assistance

To request assistance from Force10 Networks, please use the Create Service Request form on the iSupport page and include as much of the above information as possible.

Email: support@force10networks.com
Toll-Free: 866-965-5800
Telephone: 408-965-5800
