This lab lesson will examine another common use case for localized data policies: to create a traffic policer that controls the maximum rate of traffic sent or received on a specific vEdge interface.

Figure 1. Cisco SD-WAN Traffic Policer

The Initial State

First, let’s verify that our network can transfer 10 Mbps UDP traffic between vEdge-1 and vEdge-4 using the MPLS transport cloud. To do this, we will use the embedded iperf tool installed on every WAN edge router by default. 

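Before using the iperf tool, we need to allow all network services in the implicit ACL on the MPLS interfaces of both vEdge-1 and vEdge-4. Otherwise, the implicit ACL will drop the iperf-generated traffic. Because allow-service all opens the transport interface to every service, treat it as a lab setting and revert it once the test is done.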

vEdge-1# conf t -->> we need to configure this on both vEdge-1 and vEdge-4
Entering configuration mode terminal
vEdge-1(config)# vpn 0 int ge0/1
vEdge-1(config-interface-ge0/1)# tunnel-interface 
vEdge-1(config-tunnel-interface)# allow-service all
vEdge-1(config-tunnel-interface)# commit and-quit

Once we have allowed all network services, we can start an iperf server on vEdge-1 using the tools iperf command as shown in the output below:

vEdge-1# tools iperf vpn 0 options "-s -u -i 1"
iperf -s -u -i 1 in VPN 0
------------------------------------------------------------
Server listening on UDP port 5001

Now we can send a 10 Mbps UDP stream from vEdge-4 over the MPLS transport to vEdge-1’s ge0/1 interface.

vEdge-4# tools iperf vpn 0 options "-c 10.10.0.1 -u -b 10m -t 60"
iperf -c 10.10.0.1 -u -b 10m -t 60 in VPN 0
------------------------------------------------------------
Client connecting to 10.10.0.1, UDP port 5001
Sending 1470 byte datagrams, IPG target: 1176.00 us (kalman adjust)
UDP buffer size: 2.50 MByte (default)
------------------------------------------------------------
(  4) local 10.10.0.4 port 39353 connected with 10.10.0.1 port 5001
( ID) Interval       Transfer     Bandwidth
(  4)  0.0-60.0 sec  71.5 MBytes  10.0 Mbits/sec
(  4) Sent 51021 datagrams
(  4) Server Report:
(  4)  0.0-60.0 sec  71.3 MBytes  9.97 Mbits/sec   2.188 ms  178/51021 (0.35%)

The server report shows that we can successfully transfer 10 Mbps of UDP traffic from vEdge-4 to vEdge-1 over the MPLS cloud. Now let’s configure a local data policy that polices the traffic to 2 Mbps in the direction from vEdge-4 to vEdge-1.

Configuring local traffic policer attached on an interface

In Cisco SD-WAN, we configure a traffic policer with the policy policer command, either from the CLI directly on a vEdge or through a vManage device template. Under the policer, we specify the desired values for bandwidth, burst, and exceed action.

vEdge(config)# policy 
vEdge(config-policy)# policer {policer-name}    
vEdge(config-policer)# rate {bandwidth}    
vEdge(config-policer)# burst {bytes}    
vEdge(config-policer)# exceed {action}

In our lab example, we will configure a policer named POLICER-2MBPS on vEdge-4 that specifies a maximum data rate of 2 Mbps, a burst value of 40 kbytes, and an exceed action of drop.

policy
 policer POLICER-2MBPS
  rate   2000000
  burst  40000
  exceed drop
 !

We apply the policer directly on the MPLS interface of vEdge-4 in the outbound direction, as shown below:

vEdge-4#  conf t
Entering configuration mode terminal
vEdge-4(config)# vpn 0 interface ge0/1
vEdge-4(config-interface-ge0/1)# policer POLICER-2MBPS out
vEdge-4(config-interface-ge0/1)# commit and-quit 

If we rerun the iperf test, we can see that the available bandwidth between vEdge-4 and vEdge-1 is 1.96 Mbps.

vEdge-4# tools iperf vpn 0 options "-c 10.10.0.1 -u -b 10m -t 60"
iperf -c 10.10.0.1 -u -b 10m -t 60 in VPN 0
------------------------------------------------------------
Client connecting to 10.10.0.1, UDP port 5001
Sending 1470 byte datagrams, IPG target: 1176.00 us (kalman adjust)
UDP buffer size: 2.50 MByte (default)
------------------------------------------------------------
(  4) local 10.10.0.4 port 34345 connected with 10.10.0.1 port 5001
( ID) Interval       Transfer     Bandwidth
(  4)  0.0-60.0 sec  71.5 MBytes  10.0 Mbits/sec
(  4) Sent 51021 datagrams
(  4) Server Report:
(  4)  0.0-60.2 sec  14.1 MBytes  1.96 Mbits/sec  20.408 ms 40972/51022 (80%)
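
Why the server report lands near 2 Mbps with roughly 80% loss, as an added example (not part of the original lesson and not Cisco's implementation): a generic single-rate token bucket with exceed action drop, fed the same 1470-byte datagrams at 10 Mbps for 60 seconds. The function name, the 28 bytes of IPv4/UDP header counted per packet, and the bucket starting full are assumptions.

```python
# Added illustration: generic token-bucket policer, not vEdge source code.
# Integer arithmetic only: tokens are stored as bytes * SCALE so that the
# refill for dt microseconds at rate_bps is exactly rate_bps * dt.
SCALE = 8_000_000  # (8 bits per byte) * (1_000_000 microseconds per second)


def simulate_policer(rate_bps, burst_bytes, offered_bps,
                     payload_bytes=1470, overhead_bytes=28, duration_s=60):
    """Police a constant-rate UDP stream; packets over the rate are dropped.

    overhead_bytes=28 (IPv4 + UDP headers) is an assumption about what the
    policer counts on top of the iperf payload.
    """
    # Inter-packet gap; 1470 bytes at 10 Mbps gives the 1176 us iperf prints.
    interval_us = payload_bytes * 8 * 1_000_000 // offered_bps
    capacity = burst_bytes * SCALE            # bucket depth = burst
    cost = (payload_bytes + overhead_bytes) * SCALE
    tokens = capacity                         # assumption: bucket starts full
    last_us = 0
    sent = passed = 0

    for now_us in range(0, duration_s * 1_000_000, interval_us):
        # Refill for the elapsed time, never beyond the configured burst.
        tokens = min(capacity, tokens + rate_bps * (now_us - last_us))
        last_us = now_us
        sent += 1
        if tokens >= cost:                    # conforming packet: forward it
            tokens -= cost
            passed += 1
        # else: exceed action drop, no tokens are consumed

    dropped = sent - passed
    return {
        "sent": sent,
        "passed": passed,
        "dropped": dropped,
        "loss": dropped / sent,
        "goodput_bps": passed * payload_bytes * 8 / duration_s,
    }


if __name__ == "__main__":
    # Values from the lab: rate 2000000, burst 40000, iperf -b 10m -t 60
    print(simulate_policer(2_000_000, 40_000, 10_000_000))
    # The same policer with a 1 Mbps stream drops nothing.
    print(simulate_policer(2_000_000, 40_000, 1_000_000))
```

The first run forwards about one datagram in five, which is what the 80% loss in the server report reflects; the 40000-byte burst only lets the first couple of dozen packets through back to back before the bucket settles at the configured rate.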

Configuring local traffic policer attached to specific traffic

In a real-world deployment, we are more likely to police specific data traffic than an entire interface. In such cases, we match the interesting traffic in an ACL sequence and then invoke the configured local traffic policer as shown in the output below:
