Bandwidth sharing via police exceed-action drop on Cisco Catalyst 3550s: anything less draconian?

I’m the chairman of the wiring committee for a hundred-unit condominium, and not a Cisco expert. We have a trio of Cisco Catalyst 3550 switches, connected to an old Cisco 1417 router, connected to a DSL connection which we realize we need to upgrade. Our consultants configured, but did not enable, policing on each switch, so that each owner gets a guaranteed amount of bandwidth; once I enabled it (with mls qos), this seemed to work as documented:

policy-map USER_INGRESS
 class ANY
    police 32000 8000 exceed-action drop
policy-map USER_EGRESS
 class DSCP0
    police 96000 24000 exceed-action drop

But we were sold the switches on the basis that rationing would be more flexible when all the bandwidth wasn’t being used up, which this doesn’t seem to do.

Cisco IOS Quality of Service Solutions Command Reference 12.2 seems to suggest that set-dscp-transmit 0 might mark excess packets as best-effort, which I’d hoped would act sensibly at times of low usage. But it looks like this isn’t supported on our switches; trying to enable it gives % Invalid input detected at '^' marker at the beginning of set-dscp-transmit.

I might be able to offer more than just reputation points for hand-holding on followup issues; I’ve got a budget for some consulting hours, and might get approval for ongoing consulting. But for that, since we’ve had some bad experience with previous consultants, and I’m responsible to our directors, you’d need Cisco certification as well as reputation points here, and a public means of verifying your identity and reputation, since at some point I might need to trust you with our passwords.

Solution 1:

This strikes me as the wrong way to handle traffic shaping in your environment -- you are effectively limiting an unlimited resource (internal bandwidth - on your local switches) to try to prevent exhausting a limited resource (upstream bandwidth - on your DSL line).

Your router (or barring that, a decent router/firewall appliance like pfSense) should probably be doing the traffic shaping. You can assign each unit/owner an IP or subnet, limiting them to a proportionate share of the total bandwidth but letting them borrow from other queues (See http://www.openbsd.org/faq/pf/queueing.html and read about the "borrow" keyword - handy feature!).
As a bonus if you take this route your more tech-savvy residents can share files with each other at wire speed since the switch ports won't be restricted.
A Cisco expert may be better able to advise you on how to set that up for your environment/hardware, or how to accomplish what you're asking for with your existing hardware if possible.

Solution 2:

I have experience of these switches and their policing.

IMHO it's not that bad doing your policing (shaping) using the 3550s.

A couple of things to realise. The exceed-action drop isn't that draconian relative to the way other bandwidth throttlers work, but it probably won't affect UDP, just TCP. It relies on TCP's ability to 'back off', essentially telling the visiting client software that the connection is congested and to send less data. We found it works well; add a reasonable percentage to the peak capacity and you'll find most connections will back off seamlessly.

Be aware that although they let you do ingress and egress filtering, there's a limit of eight (yes, really) policies on each device to force you to spend a small fortune with Cisco for higher spec devices.
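Added example, not from the question or from either answer: a small Python model that contrasts the two approaches discussed above, the 3550's `police <rate> <burst> exceed-action drop` token bucket (Solution 2) and the work-conserving "borrow" style scheduling that Solution 1 recommends doing on the router. The policer values are the question's egress numbers (96000 bit/s, 24000 bytes); the link rate, the unit names and their demands are constructed, and both the policer and the scheduler are simplified models of the real Cisco and pf behaviour (single-rate bucket, max-min sharing of spare capacity).

```python
"""Model of two ways to ration a shared upstream link (added example).

The policer is a single-rate token bucket: rate in bits/s, burst in bytes,
non-conforming packets are discarded (exceed-action drop).  The "borrow"
scheduler is a simplified work-conserving allocation: each unit first gets
its guaranteed share, then spare link capacity is shared (max-min) among
units that still have traffic.  All demand figures below are constructed.
"""

LINK_BPS = 256_000      # constructed upstream DSL rate
POLICE_RATE = 96_000    # bits/s, from the question's USER_EGRESS policy
POLICE_BURST = 24_000   # bytes, from the question's USER_EGRESS policy
PKT = 1500              # bytes per packet (assumed MTU-sized frames)
SLOT = 0.01             # seconds per simulation step
DURATION = 10.0         # seconds simulated


class TokenBucketPolicer:
    """Single-rate token bucket with exceed-action drop semantics."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)   # the bucket starts full
        self.last_t = 0.0

    def conform(self, t: float, size: int) -> bool:
        """Return True if a packet of `size` bytes arriving at time t conforms."""
        refill = (t - self.last_t) * self.rate_bps / 8   # bytes earned since last packet
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False   # exceed-action drop: the packet is discarded


def run_policed(demands_bps: dict) -> dict:
    """Per-unit throughput (bit/s) when each unit is independently policed.

    The link itself is not modelled as a bottleneck; that holds as long as the
    sum of the policed rates stays below LINK_BPS, as in the scenarios below.
    """
    policers = {u: TokenBucketPolicer(POLICE_RATE, POLICE_BURST) for u in demands_bps}
    delivered = {u: 0 for u in demands_bps}
    carry = {u: 0.0 for u in demands_bps}        # fractional bytes not yet a full packet
    for i in range(int(DURATION / SLOT)):
        t = i * SLOT
        for u, bps in demands_bps.items():
            carry[u] += bps * SLOT / 8
            while carry[u] >= PKT:                # emit whole packets only
                carry[u] -= PKT
                if policers[u].conform(t, PKT):
                    delivered[u] += PKT
    return {u: delivered[u] * 8 / DURATION for u in demands_bps}


def run_borrowed(demands_bps: dict, guarantees_bps: dict, link_bps: int = LINK_BPS) -> dict:
    """Per-unit throughput (bit/s) with guaranteed shares plus borrowing of idle capacity."""
    assert sum(guarantees_bps.values()) <= link_bps, "guarantees must fit the link"
    delivered = {u: 0.0 for u in demands_bps}
    cap = link_bps * SLOT / 8                    # bytes the link carries per slot
    for _ in range(int(DURATION / SLOT)):
        want = {u: bps * SLOT / 8 for u, bps in demands_bps.items()}
        alloc = {u: min(want[u], guarantees_bps[u] * SLOT / 8) for u in want}
        spare = cap - sum(alloc.values())
        unsatisfied = {u for u in want if want[u] > alloc[u]}
        # water-filling: hand the spare capacity out equally, re-sharing what a
        # unit cannot use until the link is full or nobody wants more
        while spare > 1e-9 and unsatisfied:
            share = spare / len(unsatisfied)
            for u in list(unsatisfied):
                extra = min(share, want[u] - alloc[u])
                alloc[u] += extra
                spare -= extra
                if want[u] - alloc[u] <= 1e-9:
                    unsatisfied.discard(u)
        for u in alloc:
            delivered[u] += alloc[u]
    return {u: delivered[u] * 8 / DURATION for u in demands_bps}


if __name__ == "__main__":
    for demands in ({"A": 200_000, "B": 0}, {"A": 200_000, "B": 200_000}):
        print("demand :", demands)
        print("  policed:", run_policed(demands))
        print("  borrow :", run_borrowed(demands, {u: POLICE_RATE for u in demands}))
```

With only unit A active, the policer holds it to roughly 96 kbit/s (plus the one-off 24000-byte burst) while the rest of the 256 kbit/s link sits idle; the borrow scheduler lets A use its full 200 kbit/s. With both units busy, the policers together leave capacity unused, whereas the scheduler fills the link and splits it evenly. The model does not include TCP's back-off, which is what makes the drops tolerable in practice for TCP flows, as Solution 2 notes, and does nothing for UDP.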