Bandwidth Policing Overview

[Figure: Bandwidth policing for the system engineers group. Labels: Frames; Policing rate; Within burst size; Exceed policing rate; Exceed burst size.]

© 2003, Cisco Systems, Inc. All rights reserved.


For the bandwidth policing feature, the Concentrator provides a maximum data transfer rate. Bandwidth policing sets a maximum limit, a cap, on the rate of tunneled traffic. For example, all system engineers can transfer data up to a sustained rate of 56 Kbps while remotely accessing the Concentrator. The Concentrator transmits traffic it receives below this rate; it drops traffic above this rate. Because traffic is bursty, some flexibility is built into policing. Policing involves two thresholds: the policing rate and the burst size. The policing rate is the maximum limit on the rate of sustained tunneled traffic. The burst size indicates the maximum size of an instantaneous burst of bytes allowed before traffic is capped back to the policing rate. The Concentrator allows for instantaneous bursts of traffic greater than the policing rate up to the burst rate. But should traffic burst consistently and exceed the burst rate, the Concentrator enforces the policing rate threshold. The Concentrator starts to drop frames.

Bandwidth policing is configurable on both a system and group basis. If group policing is configured, every member of the specified group can transmit data according to the group bandwidth policing policy. If a remote user is not a member of a predefined group, the remote user can transmit data up to the system-wide policing rate. For example, there are two groups of remote users, system engineers and executives. The executives have a group policing rate defined at 128 Kbps. The system engineers do not have their own group policing rate defined. When executives connect to the Concentrator, they can transmit data up to 128 Kbps. When system engineers connect, they do not have a policing policy specifically defined for their group. They can transmit data up to the system-wide policing rate, which in this example is 56 Kbps.

Bandwidth Policing Policies

© 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0—9-45

Configuring the bandwidth policing feature is a two-step process. First, the policing policy, or policies, is defined. Next, the policies are assigned to an interface, and optionally to groups. To configure policing policies, choose the Configuration>Policy Management>Traffic Management>Bandwidth Policies window. The bandwidth policy consists of two parts, bandwidth reservation on the top half, and policing on the bottom half. (Bandwidth reservation will be discussed later in the lesson.) Policing involves two thresholds: the policing rate and the burst size. The policing rate is the maximum limit on the rate of sustained tunneled traffic. The burst size indicates the maximum size of an instantaneous burst of bytes allowed before traffic is capped back to the policing rate. The Concentrator allows for instantaneous bursts of traffic greater than the policing rate up to the burst rate. The policing policy parameters are as follows:

■ Policy Name—Enter a unique policy name that helps you remember the policy you are configuring. For example, if this policy focuses on the executive group, you could name it executive.

■ Policing—Select the Enable Policing check box to enable the policing feature.

■ Policing Rate—Enter a value for Policing Rate and select the unit of measurement. The Concentrator transmits traffic that is moving below the policing rate and drops all traffic that is moving above the policing rate. The range is between 56 Kbps and 100 Mbps. The default is 56K (bps). Policing rate is defined in units as follows:

— Kbps—Thousands of bits per second

— Mbps—Millions of bits per second

■ Normal Burst Size—Enter a value for the normal burst size. The normal burst size is the amount of instantaneous burst that the Concentrator can send at any given time. Use the following formula to set the burst size: (Policing Rate/8) * 1.5. For example, if you want to limit users to 250 Kbps of bandwidth, set the police rate to 250 Kbps and set the burst size to 46875, that is: (250000 bps/8) * 1.5. Enter the Normal Burst Size and select the unit of measurement. The default is a normal burst size of 10500 bytes. Normal burst size is defined in units as follows:

— Kbytes—Thousands of bytes

— Mbytes—Millions of bytes

For example, a policy named normal policy is configured for a policing rate of 56 Kbps and a normal burst size of 10500 bytes. Any remote user assigned this policy has a maximum limit on the rate of sustained tunneled traffic of 56 Kbps. The Concentrator can support an instantaneous burst of 10500 bytes before it starts to limit traffic by dropping packets.
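
The following Python sketch is an added example, not Cisco code: it models the policing rate and normal burst size as a single-rate token bucket, which is an assumed model of the behaviour described above rather than the Concentrator's documented internals. The names Policer, simulate and recommended_burst_bytes and the traffic patterns are constructed for illustration.

```python
def recommended_burst_bytes(rate_kbps):
    """Burst size formula from the text: (Policing Rate / 8) * 1.5, in bytes."""
    return rate_kbps * 1000 * 3 // 16


class Policer:
    """Single-rate token bucket (assumed model, not the Concentrator's internals)."""

    def __init__(self, rate_kbps, burst_bytes):
        self.bits_per_ms = rate_kbps          # 1 Kbps == 1 bit per millisecond
        self.depth = burst_bytes * 8          # bucket depth in bits
        self.tokens = self.depth              # an idle session starts with a full bucket
        self.last_ms = 0

    def offer(self, now_ms, frame_bytes):
        """Return True if the frame is forwarded, False if it is dropped."""
        refill = (now_ms - self.last_ms) * self.bits_per_ms
        self.tokens = min(self.depth, self.tokens + refill)
        self.last_ms = now_ms
        need = frame_bytes * 8
        if need > self.tokens:
            return False                      # beyond rate and burst allowance: drop
        self.tokens -= need
        return True


def simulate(rate_kbps, burst_bytes, frames):
    """frames: (timestamp_ms, length_bytes) pairs in time order.
    Returns (bytes_forwarded, bytes_dropped)."""
    policer = Policer(rate_kbps, burst_bytes)
    forwarded = dropped = 0
    for now_ms, length in frames:
        if policer.offer(now_ms, length):
            forwarded += length
        else:
            dropped += length
    return forwarded, dropped


# Constructed traffic, not a capture.
BACK_TO_BACK = [(0, 1500)] * 10                    # 15000 bytes at one instant
SUSTAINED = [(i * 100, 1400) for i in range(100)]  # 112 Kbps offered for 10 seconds

if __name__ == "__main__":
    print(recommended_burst_bytes(250))            # the text's 250 Kbps example
    print(simulate(56, 10500, BACK_TO_BACK))       # normal policy, one burst
    print(simulate(56, 10500, SUSTAINED))          # normal policy, sustained overload
```

With the normal policy, the back-to-back burst forwards exactly the 10500-byte burst allowance and drops the rest. Ten seconds of 112 Kbps offered load forwards 79800 bytes, roughly the burst allowance plus 56 Kbps for the duration.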

Bandwidth Policing Configuration

Bandwidth policing policies:

■ Normal - 56 Kbps

■ Executive - 128 Kbps

■ LAN-to-LAN - 384 Kbps


In a Concentrator, there may be multiple policies defined. In this example, the administrator defined the three policing rates, normal, executive, and LAN-to-LAN. A normal policy assigns a baseline bandwidth allocation while the executive policy allocates higher thresholds for the policing rate and burst size. The LAN-to-LAN policing policy applies to site-to-site tunnels. Normal policing policy users are allocated a maximum of 56 Kbps of bandwidth with a normal burst size of 10500 bytes. This could be the default bandwidth reservation policy for the Concentrator. The executive policing policy users are allotted a maximum of 128 Kbps of bandwidth with a normal burst size of 24 Kbps. This is a custom policy for remote users who need more bandwidth than the reserve bandwidth provided by the normal, default, policy. The LAN-to-LAN policing policy allocates a maximum of 384 Kbps of bandwidth with a normal burst size of 72 Kbps for a site-to-site tunnel. The administrator can assign a bandwidth threshold of 384 Kbps to site-to-site tunnels.


Once policies are defined, they are assigned to a Concentrator interface, public or private, or to a user group. The interface policy defines the default policing rate for the Concentrator. If a remote user belongs to a group for which no policing rate is specifically defined, the remote user is assigned the policing rate defined for the interface. Choose the Configuration>Interfaces>Ethernet2>Bandwidth Parameters window to assign a policing policy to the interface. In the Configuration>Interfaces>Ethernet2>Bandwidth Parameters Tab window, enable bandwidth management on the selected interface, define the link rate for the interface, and assign the policy to be used on the interface. The interface bandwidth management parameters are as follows:

■ Bandwidth Management—Select the Bandwidth Management check box to enable bandwidth management on this interface.

■ Link Rate—Enter a value for the link rate, and select a unit of measurement. The defined link rate must be based on the available Internet bandwidth and not the physical LAN connection rate. The default is 1.544 Mbps. If the link rate is less than the sum of the policed rates, it is possible that some remote users will never reach the police rate.

■ Bandwidth Policy—Select a policy from the drop-down list. If there are no policies in this list, you must choose Configuration>Policy Management>Traffic Management>Bandwidth Policies window and define one or more policies.

Note: If bandwidth policing is required in a network, a policing policy must be defined and applied to an interface before applying group policing policies. The Concentrator will not allow a group policy to be applied first. If an administrator attempts to apply a group policy first, the Concentrator will return an error message.

In this example, the Internet link is a T1, 1.544 Mbps. The default policy for the interface is normal reservation. The normal reservation provides a maximum bandwidth allocation of 56 Kbps and a burst size of 10500 bytes. System engineers are assigned a policing rate of 56 Kbps.

Group Policing Configuration

[Figure: Remote access groups connecting to the Concentrator: System engineers (20) and Executives (6).]

Choose the Configuration>User Management>Groups window, select a group, and select Assign Bandwidth Policy to assign a policing policy to a group of remote users. From the Configuration>User Management>Bandwidth Policy>Interfaces window, configure the following group bandwidth policy parameters:

■ Policy—Select a policy from the Policy drop-down menu for the group. If you do not want to select a policy here, select none.

■ Bandwidth Aggregation—Enter a value for the aggregate group bandwidth to reserve for this group and select a unit of measurement. This parameter is discussed later in this lesson.

If the administrator assigns a policing policy to a group, remote users who belong to this group participate in the policing policy applied to the group. If you do not configure a bandwidth-policing policy for a group and bandwidth management is enabled on the interface, remote users participate in the policy applied to the interface, which is the default policy for the Concentrator as a whole.

In the figure, there is a multigroup remote access scenario, system engineers and executives. The administrator assigns different policing policies to each group. The executives group is assigned the executive policing policy. The system engineers are not assigned a group policing policy. As remote access executives connect to the Concentrator, they are assigned the group policing rate of 128 Kbps and a burst size of 24 Kbps. No policing policy is assigned to the system engineers group. As remote system engineers connect, they participate in the default policy for the interface, 56 Kbps policing rate and a burst size of 10500 bps.


Bandwidth reservation reserves a minimum amount of bandwidth per session for tunneled traffic. As they connect to the Concentrator, each remote user receives a minimum amount of bandwidth. When there is little traffic on the box, users receive more than their allocated minimum of bandwidth. When the box becomes busy, they receive at least the minimum amount. When the combined total of the reserved bandwidth amounts of all active tunnels on an interface approaches the limit of the total bandwidth available on that interface, the Concentrator refuses further connections to users who demand more reserved bandwidth than is available.

Suppose the link rate on your public interface is 1.544 Mbps. And suppose you apply a reserved bandwidth policy to that interface that sets the reserved bandwidth to 64 Kbps per user. With this link rate and policy setting, only a total of 24 concurrent users can connect to the Concentrator at one time. (1.544 Mbps per interface divided by 64 Kbps per user equals 24 connections.)

■ The first user who logs on to the Concentrator reserves 64 Kbps of bandwidth plus the remainder of the bandwidth (1,480 Kbps).

■ The second user who logs on to the Concentrator reserves 64 Kbps of bandwidth and shares the remainder of the bandwidth (1,416 Kbps) with the first user.

■ When the twenty-fourth concurrent user connects, all users are limited to their minimum of 64 Kbps of bandwidth per connection.

When the twenty-fifth user attempts to connect, the Concentrator refuses the connection. It does not allow any additional connections since it cannot supply the minimum 64 Kbps reservation of bandwidth to more users.

One can think of bandwidth reservation as pieces of a pie. Each remote user is assigned a slice of pie, reserve bandwidth. As tunnels are established, each user is assigned a slice of the pie until the pie is completely divided. At that point, any new connections requesting a slice of the pie are refused the opportunity to establish a connection.
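
The link-rate warning in the interface parameters and the reservation arithmetic above can be checked together. The following Python is an added example, not Cisco code; the function and class names are hypothetical, and treating the figure's (20) and (6) as concurrent user counts is an assumption.

```python
def effective_rate_kbps(group, group_policies, interface_kbps):
    """Group policing rate if one is assigned, else the interface default."""
    return group_policies.get(group, interface_kbps)


def policed_excess_kbps(link_kbps, headcount, group_policies, interface_kbps):
    """Sum of every user's policing rate minus the link rate.
    A positive result means some users can never reach their policed rate."""
    total = sum(count * effective_rate_kbps(group, group_policies, interface_kbps)
                for group, count in headcount.items())
    return total - link_kbps


class ReservationPool:
    """Admission control for per-session reserved bandwidth on one interface."""

    def __init__(self, link_kbps):
        self.link_kbps = link_kbps
        self.sessions = {}                    # user -> reserved Kbps

    def unreserved_kbps(self):
        return self.link_kbps - sum(self.sessions.values())

    def connect(self, user, reserve_kbps):
        """Admit the session only if its reservation still fits on the link."""
        if reserve_kbps > self.unreserved_kbps():
            return False
        self.sessions[user] = reserve_kbps
        return True

    def disconnect(self, user):
        self.sessions.pop(user, None)


def admitted_count(link_kbps, reserve_kbps, attempts):
    """Log in `attempts` users one after another; return how many are admitted."""
    pool = ReservationPool(link_kbps)
    return sum(pool.connect(f"user{i}", reserve_kbps) for i in range(1, attempts + 1))


# Values from the text; reading the figure labels (20) and (6) as
# concurrent users is an assumption.
LINK_KBPS = 1544
HEADCOUNT = {"system engineers": 20, "executives": 6}
GROUP_POLICIES = {"executives": 128}          # system engineers use the interface policy

if __name__ == "__main__":
    print(policed_excess_kbps(LINK_KBPS, HEADCOUNT, GROUP_POLICIES, 56))
    print(admitted_count(LINK_KBPS, 64, 30))
```

Under these assumptions the policed rates add up to 344 Kbps more than the T1 link rate, and a 64 Kbps reservation admits 24 sessions before the next login is refused.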
