Mailing List Archive

IP CEF Problem
Hi,

Instead of Serial via HDSL modem, we requested a Fast Ethernet connection
from our uplink provider who happens to be on the same floor as our office.
However, they requested us to do the rate limiting for our subscribed
bandwidth of 2048Kbps.

As I read it, I need to enable "IP CEF" on the router (Cisco3660), which also
doubles as a Remote Access Server, to make rate-limiting work. However,
the problem is that our dial-up connections become slower when I enable ip cef.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Here is the IOS version and conf of our router:

CISCO-3660-NAS2#sh version
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3660-IS-M), Version 12.2(2)T4, RELEASE SOFTWARE
(fc3)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sat 09-Feb-02 21:48 by yiyan
Image text-base: 0x600089C0, data-base: 0x61360000

ROM: System Bootstrap, Version 12.0(6r)T, RELEASE SOFTWARE (fc1)

CISCO-3660-NAS2 uptime is 6 weeks, 4 days, 6 hours, 51 minutes
System returned to ROM by power-on
System image file is "flash:c3660-is-mz.122-2.T4.bin"

cisco 3660 (R527x) processor (revision B0) with 253952K/8192K bytes of memory.
Processor board ID JAB041886C2
R527x CPU at 225Mhz, Implementation 40, Rev 10.0, 2048KB L2 Cache
Channelized E1, Version 1.0.
MICA-6DM Firmware: CP ver 2720 - 5/30/2000, SP ver 2720 - 5/30/2000.
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
Primary Rate ISDN software, Version 1.1.


3660 Chassis type: ENTERPRISE
2 FastEthernet/IEEE 802.3 interface(s)
4 Serial network interface(s)
46 terminal line(s)
2 Channelized E1/PRI port(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Read/Write)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


CISCO-3660-NAS2#sh run >>>>>>>>>(IP CEF DISABLED)
Building configuration...

Current configuration : 7205 bytes
!
version 12.2
no parser cache
service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CISCO-3660-NAS2
!
boot system flash c3660-is-mz.122-12a.bin
logging rate-limit console 10 except errors
logging monitor informational
aaa new-model
aaa authentication login console none
aaa authentication login vty group radius enable
aaa authentication login li enable
aaa authentication login radius local
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
enable secret 5 $1$33u0$Q.sl.nbqdiAmkmZh45cJv.
!
username xxxxxxx password 7 08245B4F07120A
username xxxxxxx password 7 060A0E2F48541D1816031B08
username xxxxxxx password 7 02030558080303245E4F
username xxxxxxx password 7 09565B05160A1F081E
username xxxxxxx password 7 00171208025A090F0E2F
!
!
clock timezone GMT+8 8
ip subnet-zero
!
!
ip domain-name eaccelera.ph
ip name-server xxx.xxx.xx.1
ip name-server xxx.xxx.xx.2
ip name-server xxx.xxx.xx.184
!
no ip dhcp-client network-discovery
isdn voice-call-failure 0
call rsvp-sync
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
!
controller E1 2/0
framing NO-CRC4
ds0-group 1 timeslots 1-15,17-31 type r2-digital r2-compelled
cas-custom 1
country philippines use-defaults
!
controller E1 2/1
!
!
interface FastEthernet0/0
description **UPLINK CONNECTION**
ip address 203.190.xx.xx 255.255.255.252
ip nat outside
rate-limit input 2048000 4000 4000 conform-action transmit exceed-action drop
no ip mroute-cache
duplex auto
speed auto
fair-queue
no cdp enable
!
interface FastEthernet0/1
ip address 203.190.xx.x 255.255.255.224
ip nat inside
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
interface Group-Async0
ip unnumbered FastEthernet0/1
encapsulation ppp
ip tcp header-compression passive
no ip mroute-cache
ip policy route-map cacheraq
async default routing
async dynamic routing
async mode dedicated
peer default ip address pool DialUpPool1
ppp authentication pap
ppp ipcp dns 203.190.xx.x 203.190.xx.x
group-range 129 158
!
interface Group-Async1
ip unnumbered FastEthernet0/1
encapsulation ppp
ip tcp header-compression passive
no ip mroute-cache
ip policy route-map cacheraq
async default routing
async dynamic routing
async mode dedicated
peer default ip address pool DialUpPool
ppp authentication pap
ppp ipcp dns 203.190.xx.x 203.190.xx.x
group-range 97 112
!
ip local pool DialUpPool 203.190.xx.xx 203.190.xx.xx
ip local pool DialUpPool1 203.190.xx.xx 203.190.xx.xx
ip classless
ip route 0.0.0.0 0.0.0.0 203.190.xx.xx
ip route 203.190.xx.xx 255.255.255.224 Null0 250 (ip route for the dial-up, Group Async1)
ip route 203.190.xx.xx 255.255.255.224 Null0 250 (ip route for the dial up, Group Async2)
no ip http server
!
ip radius source-interface FastEthernet0/1

!
route-map cacheraq permit 10
match ip address 110
set ip next-hop 203.190.XX.XX
!

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Please help me. Thank you in advance.

Rommel Y. Catabian
Eaccelera, Incorporated
Re: IP CEF Problem
Hi,

On Sat, Jan 24, 2004 at 07:28:05PM +0800, Rommel Y. Catabian wrote:
> As i read it, i need to enable "IP CEF" on the router (Cisco3660) which also
> double as a Remote Access Server, to make rate-limiting work. However,
> the problem is our dial-up connections become slower when I enable ip cef.

CEF is not required for rate-limiting.

> CISCO-3660-NAS2#sh version
> Cisco Internetwork Operating System Software
> IOS (tm) 3600 Software (C3660-IS-M), Version 12.2(2)T4, RELEASE SOFTWARE
> (fc3)

... but this is something you might want to upgrade anyway. It's "T", and
the number in brackets is way too low... there is at least one serious
security vulnerability in this IOS version, which entitles you to a free
upgrade.

> interface FastEthernet0/0
> description **UPLINK CONNECTION**
> ip address 203.190.xx.xx 255.255.255.252
> ip nat outside
> rate-limit input 2048000 4000 4000 conform-action transmit exceed-action drop

Why *input*?

You want to do traffic-shaping for *output*.

(Also, traffic-shaping is more gentle to the packets than rate-limiting).

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de
Re: IP CEF Problem
Thank you for the advice, we will coordinate with the supplier for the IOS
upgrade.
Actually, we need to rate-limit (or traffic shape) both input and output on
the interface connected to our Uplink provider. We do not want to go beyond
our subscribed BW as we will be charged for the excess BW used.

How do I shape the input traffic? What's the command?

Thanks again for the immediate reply.

Rommel Y. Catabian

Website: www.eaccelera.com

----- Original Message -----
From: "Gert Doering" <gert@greenie.muc.de>
To: "Rommel Y. Catabian" <rommel.catabian@eaccelera.com>
Cc: <cisco-nas@puck.nether.net>
Sent: Saturday, January 24, 2004 7:31 PM
Subject: Re: [cisco-nas] IP CEF Problem


Re: IP CEF Problem
Hi,

On Sat, Jan 24, 2004 at 08:25:13PM +0800, Rommel Y. Catabian wrote:
> Actually, we need to rate-limit (or traffic shape) both input and output on
> the interface connected to our Uplink provider. We do not want to go beyond
> our subscribed BW as we will be charged for the excess BW used.
>
> How do I shape the input traffic? What's the command.

Input shaping (or rate limiting) is "difficult". Imagine someone
sending a 10Mbit/s.-Burst towards you, to cause monetary damage.

Whatever you do on your router to stop that: it has already been sent
out your provider's interface, and thus the damage has been done.

For "normal" traffic, input rate limiting will have some effect (due
to TCP connections noticing packet drops and slowing down) but it's
a tricky thing. You would achieve that with the "rate-limit input"
command. Input traffic shaping is not available on Cisco hardware.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de
Re: IP CEF Problem
Rommel,

> rate-limit input 2048000 4000 4000 conform-action transmit exceed-action drop

your values for burst and extended-burst are way too low and will result in
decreased actual throughput when the rate limiting kicks in. I have tested
different values and the Cisco recommended values really do work best.
| Cisco recommends the following values for the normal and extended burst
| parameters:
|
| normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds
| extended burst = 2 * normal burst

The above comes from the following document :
"Policing and Shaping Overview-Cisco IOS Software Releases 12.2 Mainline"
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800bd8ed.html

Using the Cisco recommended values, your config should be:

rate-limit input 2048000 384000 768000 conform-action transmit exceed-action drop
rate-limit output 2048000 384000 768000 conform-action transmit exceed-action drop

HTH,

-------------------------------------------------------------------
Pierre Nepveu, CCNP tel: +1 514.380-4289
Network Administrator +1 888.INFOVTL x 4289
Engineering / Internet Access fax: +1 514 899-8452
Videotron Telecom Ltee (VTL) - Montreal (Quebec), Canada
-------------------------------------------------------------------


On 2004-01-24 at 12:31, Gert Doering wrote:

Re: IP CEF Problem
To Pierre Nepveu and Gert Doering,
Just want to thank you for the information you provided. Have already
configured our router and so far we have not exceeded our rate limit.
Regards,

Rommel Y. Catabian
Eaccelera, Incorporated
Unit D, 34F Tower 2, RCBC Plaza
6819 Ayala Ave. cor. G. Puyat Ave.
Makati City, 1226 Philippines

Email : rommel.catabian@eaccelera.com
Tel. No.: +632-7574715 or +632-7535000 local 406
Fax No.: +632-753-5013

Website: www.eaccelera.com

----- Original Message -----
From: "Pierre Nepveu" <pnepveu@videotron.net>
To: "Rommel Y. Catabian" <rommel.catabian@eaccelera.com>
Cc: <cisco-nas@puck.nether.net>
Sent: Sunday, January 25, 2004 3:46 AM
Subject: Re: [cisco-nas] IP CEF Problem


Re: IP CEF Problem
Hi,
I configured the rate-limit as advised but I exceeded (just now) the 2048000
limit.
Is there anything I missed in the configuration?

Regards,

Rommel

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
interface FastEthernet0/0
description **Ethernet Connection to REACH**
ip address 203.190.70.86 255.255.255.252
ip nat outside
rate-limit input 2048000 384000 768000 conform-action transmit
exceed-action drop
rate-limit output 2048000 384000 768000 conform-action transmit
exceed-action drop
no ip mroute-cache
duplex auto
speed auto
fair-queue
no cdp enable

FastEthernet0/0 is up, line protocol is up

5 minute input rate 2076000 bits/sec, 564 packets/sec
5 minute output rate 615000 bits/sec, 701 packets/sec
80981176 packets input, 1042153441 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
9 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog



----- Original Message -----
From: "Pierre Nepveu" <pnepveu@videotron.net>
To: "Rommel Y. Catabian" <rommel.catabian@eaccelera.com>
Cc: <cisco-nas@puck.nether.net>
Sent: Sunday, January 25, 2004 3:46 AM
Subject: Re: [cisco-nas] IP CEF Problem


Re: IP CEF Problem
On Mon, 26 Jan 2004 18:51:33 +0800
"Rommel Y. Catabian" <rommel.catabian@eaccelera.com> wrote:

> Hi,
> I configured the rate-limit as advised but I exceeded (just now) the 2048000
> limit.
> Is there anything I missed in the configuration?

show interface ...

shows you statistics before the traffic is shaped or rate-limited.



--
WBR, Alexey G Misurenko ( MAG-RIPE | MMAGG-RIPN )
CTO of Caravan ISP http://www.caravan.ru
Phone: +7 095 3632252 Cell: +7 903 7450163
Re: IP CEF Problem
sh int

FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is 0002.1633.cae0 (bia 0002.1633.cae0)
Description: **Ethernet Connection to REACH**
Internet address is XXX.XXX.XX.XX/30
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 13/255, rxload 43/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 2d07h
Input queue: 0/75/1804/0 (size/max/drops/flushes); Total output drops: 15174
Queueing strategy: weighted fair
Output queue: 0/1000/64/12053 (size/max total/threshold/drops)
Conversations 0/137/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 7500 kilobits/sec
5 minute input rate 1723000 bits/sec, 539 packets/sec
5 minute output rate 549000 bits/sec, 682 packets/sec
82781107 packets input, 1827036560 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
9 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
94610245 packets output, 2867376056 bytes, 0 underruns(4896050/5562882/1)
1 output errors, 10458933 collisions, 1 interface resets
0 babbles, 0 late collision, 4766557 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

Thank you.

Rommel Y. Catabian
Eaccelera, Incorporated
Unit D, 34F Tower 2, RCBC Plaza
6819 Ayala Ave. cor. G. Puyat Ave.
Makati City, 1226 Philippines

Email : rommel.catabian@eaccelera.com
Tel. No.: +632-7574715 or +632-7535000 local 406
Fax No.: +632-753-5013

Website: www.eaccelera.com

----- Original Message -----
From: "Alexey G Misurenko" <mag@caravan.ru>
To: <cisco-nas@puck.nether.net>
Sent: Monday, January 26, 2004 7:01 PM
Subject: Re: [cisco-nas] IP CEF Problem


> On Mon, 26 Jan 2004 18:51:33 +0800
> "Rommel Y. Catabian" <rommel.catabian@eaccelera.com> wrote:
>
> > Hi,
> > I configured the rate-limit as advised but I exceeded (just now) the
2048000
> > limit.
> > Is there anything I missed in the configuration?
>
> show interface ...
>
> show you statistics before the traffic is shaped or rate-limited.
>
> >
> > Regards,
> >
> > Rommel
> >
> > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> > interface FastEthernet0/0
> > description **Ethernet Connection to REACH**
> > ip address 203.190.70.86 255.255.255.252
> > ip nat outside
> > rate-limit input 2048000 384000 768000 conform-action transmit
> > exceed-action drop
> > rate-limit output 2048000 384000 768000 conform-action transmit
> > exceed-action drop
> > no ip mroute-cache
> > duplex auto
> > speed auto
> > fair-queue
> > no cdp enable
> >
> > FastEthernet0/0 is up, line protocol is up
> >
> > 5 minute input rate 2076000 bits/sec, 564 packets/sec
> > 5 minute output rate 615000 bits/sec, 701 packets/sec
> > 80981176 packets input, 1042153441 bytes
> > Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
> > 9 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> > 0 watchdog
> >
> >
> >
> > ----- Original Message -----
> > From: "Pierre Nepveu" <pnepveu@videotron.net>
> > To: "Rommel Y. Catabian" <rommel.catabian@eaccelera.com>
> > Cc: <cisco-nas@puck.nether.net>
> > Sent: Sunday, January 25, 2004 3:46 AM
> > Subject: Re: [cisco-nas] IP CEF Problem
> >
> >
> > Rommel,
> >
> > > rate-limit input 2048000 4000 4000 conform-action transmit
exceed-action
> > drop
> >
> > your values for burst and extended-burst are way too low and will result
in
> > decreased actual thruput when the rate limiting kicks in. I have tested
> > different values and the Cisco recommended values really do work best.
> > | Cisco recommends the following values for the normal and extended
burst
> > | parameters:
> > |
> > | normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds
> > | extended burst = 2 * normal burst
> >
> > The above comes from the following document :
> > "Policing and Shaping Overview-Cisco IOS Software Releases 12.2
Mainline"
> >
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800bd8ed.html
> >
> > Using the Cisco recommended values, your config should be :
> >
> > rate-limit input 2048000 384000 768000 conform-action transmit
> > exceed-action drop
> > rate-limit output 2048000 384000 768000 conform-action transmit
> > exceed-action drop
> >
> > HTH,
> >
> > -------------------------------------------------------------------
> > Pierre Nepveu, CCNP tel: +1 514.380-4289
> > Administrateur de reseau +1 888.INFOVTL x 4289
> > Ingenierie / Acces Internet fax: +1 514 899-8452
> > Videotron Telecom Ltee (VTL) - Montreal (Quebec), Canada
> > -------------------------------------------------------------------
> >
> >
> > Le 2004-01-24 à 12:31, Gert Doering a écrit:
> >
> > GD> Hi,
> > GD>
> > GD> On Sat, Jan 24, 2004 at 07:28:05PM +0800, Rommel Y. Catabian wrote:
> > GD> > As i read it, i need to enable "IP CEF" on the router (Cisco3660)
> > which also
> > GD> > double as a Remote Access Server, to make rate-limiting work.
However,
> > GD> > the problem is our dial-up connections become slower when I enable
ip
> > cef.
> > GD>
> > GD> CEF is not required for rate-limiting.
> > GD>
> > GD> > CISCO-3660-NAS2#sh version
> > GD> > Cisco Internetwork Operating System Software
> > GD> > IOS (tm) 3600 Software (C3660-IS-M), Version 12.2(2)T4, RELEASE
> > SOFTWARE
> > GD> > (fc3)
> > GD>
> > GD> ... but this is something you might want to upgrade anyway. It's
"T",
> > and
> > GD> the number in brackets is way too low... there is at least one
serious
> > GD> security vulnerability in this IOS version, which entitles you to a
free
> > GD> upgrade.
> > GD>
> > GD> > interface FastEthernet0/0
> > GD> > description **UPLINK CONNECTION**
> > GD> > ip address 203.190.xx.xx 255.255.255.252
> > GD> > ip nat outside
> > GD> > rate-limit input 2048000 4000 4000 conform-action transmit
> > exceed-action drop
> > GD>
> > GD> Why *input*?
> > GD>
> > GD> You want to do traffic-shaping for *output*.
> > GD>
> > GD> (Also, traffic-shaping is more gentle to the packets than
> > rate-limiting).
> > GD>
> > GD> gert
> > GD>
> > GD> --
> > GD> USENET is *not* the non-clickable part of WWW!
> > GD>
> > //www.muc.de/~gert/
> > GD> Gert Doering - Munich, Germany
> > gert@greenie.muc.de
> > GD> fax: +49-89-35655025
> > gert@net.informatik.tu-muenchen.de
> > GD> _______________________________________________
> > GD> cisco-nas mailing list
> > GD> cisco-nas@puck.nether.net
> > GD> https://puck.nether.net/mailman/listinfo/cisco-nas
> > GD>
> >
>
>
> --
> WBR, Alexey G Misurenko ( MAG-RIPE | MMAGG-RIPN )
> CTO of Caravan ISP http://www.caravan.ru
> Phone: +7 095 3632252 Cell: +7 903 7450163
Re: IP CEF Problem [ In reply to ]
hi Rommel,

from what I understand of what you said in earlier mails, "input" is what your
provider sends your way. Nothing you can do about it (short of having them
rate-limit at their end and buying more bandwidth :-).

Adjusting burst and extended-burst to Cisco's proposed values did as expected:
it increased your link performance (to saturation point). Your router already
started dropping packets 'randomly'. Individual TCP sessions will adjust. UDP
and ICMP will just suffer. If most of the incoming traffic is UDP and ICMP, it
will just hit a brick wall at your interface (and TCP sessions will suffer
more). You will see usage rate slightly over 2048 k. This is normal. However,
usage at your provider's interface may be much higher. "They" should also
implement CAR, otherwise they will send all UDP and ICMP that is destined to
you. You will drop it, but they will send it.

Do you have access to some kind of statistics from your provider at their
interface? It would surely be helpful to determine how much bandwidth you
really require (if you can afford it).

On your side, you can check CAR statistics (this is an actual client circuit
where the rate-limit is 3 Mbps, i.e. 3000 kbps):

example#sh interface fas0/0 rate-limit
FastEthernet0/0 Port WAN
  Input
    matches: all traffic
      params:  3000000 bps, 562500 limit, 1125000 extended limit
      conformed 672983812 packets, 508583M bytes; action: transmit
      exceeded 229790 packets, 290799025 bytes; action: drop
      last packet: 68ms ago, current burst: 60 bytes
      last cleared 37w6d ago, conformed 177000 bps, exceeded 0 bps
  Output
    matches: all traffic
      params:  3000000 bps, 562500 limit, 1125000 extended limit
      conformed 581185898 packets, 164154M bytes; action: transmit
      exceeded 2183611 packets, 2848M bytes; action: drop
      last packet: 4ms ago, current burst: 0 bytes
      last cleared 37w6d ago, conformed 57000 bps, exceeded 0 bps

Have fun !

pn
cd /pub; more beer


On 2004-01-26 at 18:51, Rommel Y. Catabian wrote:

RYC> Hi,
RYC> I configured the rate-limit as advised but I exceeded (just now) the 2048000
RYC> limit.
RYC> Is there anything I missed in the configuration?
RYC>
RYC> Regards,
RYC>
RYC> Rommel
RYC>
RYC> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RYC> interface FastEthernet0/0
RYC> description **Ethernet Connection to REACH**
RYC> ip address 203.190.70.86 255.255.255.252
RYC> ip nat outside
RYC> rate-limit input 2048000 384000 768000 conform-action transmit exceed-action drop
RYC> rate-limit output 2048000 384000 768000 conform-action transmit exceed-action drop
RYC> no ip mroute-cache
RYC> duplex auto
RYC> speed auto
RYC> fair-queue
RYC> no cdp enable
RYC>
RYC> FastEthernet0/0 is up, line protocol is up
RYC>
RYC> 5 minute input rate 2076000 bits/sec, 564 packets/sec
RYC> 5 minute output rate 615000 bits/sec, 701 packets/sec
RYC> 80981176 packets input, 1042153441 bytes
RYC> Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
RYC> 9 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
RYC> 0 watchdog
RYC>
RYC>
RYC>
RYC> ----- Original Message -----
RYC> From: "Pierre Nepveu" <pnepveu@videotron.net>
RYC> To: "Rommel Y. Catabian" <rommel.catabian@eaccelera.com>
RYC> Cc: <cisco-nas@puck.nether.net>
RYC> Sent: Sunday, January 25, 2004 3:46 AM
RYC> Subject: Re: [cisco-nas] IP CEF Problem
RYC>
RYC>
RYC> Rommel,
RYC>
RYC> > rate-limit input 2048000 4000 4000 conform-action transmit exceed-action drop
RYC>
RYC> your values for burst and extended-burst are way too low and will result in
RYC> decreased actual throughput when the rate limiting kicks in. I have tested
RYC> different values and the Cisco recommended values really do work best.
RYC> | Cisco recommends the following values for the normal and extended burst
RYC> | parameters:
RYC> |
RYC> | normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds
RYC> | extended burst = 2 * normal burst
RYC>
RYC> The above comes from the following document :
RYC> "Policing and Shaping Overview-Cisco IOS Software Releases 12.2 Mainline"
RYC> http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800bd8ed.html
RYC>
RYC> Using the Cisco recommended values, your config should be :
RYC>
RYC> rate-limit input 2048000 384000 768000 conform-action transmit exceed-action drop
RYC> rate-limit output 2048000 384000 768000 conform-action transmit exceed-action drop
RYC>
RYC> HTH,
RYC>
RYC> -------------------------------------------------------------------
RYC> Pierre Nepveu, CCNP                    tel: +1 514.380-4289
RYC> Network Administrator                       +1 888.INFOVTL x 4289
RYC> Engineering / Internet Access          fax: +1 514 899-8452
RYC> Videotron Telecom Ltee (VTL) - Montreal (Quebec), Canada
RYC> -------------------------------------------------------------------
RYC>
RYC>
RYC> On 2004-01-24 at 12:31, Gert Doering wrote:
RYC>
RYC> GD> Hi,
RYC> GD>
RYC> GD> On Sat, Jan 24, 2004 at 07:28:05PM +0800, Rommel Y. Catabian wrote:
RYC> GD> > As I read it, I need to enable "IP CEF" on the router (Cisco3660) which also
RYC> GD> > doubles as a Remote Access Server, to make rate-limiting work. However,
RYC> GD> > the problem is our dial-up connections become slower when I enable ip cef.
RYC> GD>
RYC> GD> CEF is not required for rate-limiting.
RYC> GD>
RYC> GD> > CISCO-3660-NAS2#sh version
RYC> GD> > Cisco Internetwork Operating System Software
RYC> GD> > IOS (tm) 3600 Software (C3660-IS-M), Version 12.2(2)T4, RELEASE SOFTWARE (fc3)
RYC> GD>
RYC> GD> ... but this is something you might want to upgrade anyway. It's "T", and
RYC> GD> the number in brackets is way too low... there is at least one serious
RYC> GD> security vulnerability in this IOS version, which entitles you to a free
RYC> GD> upgrade.
RYC> GD>
RYC> GD> > interface FastEthernet0/0
RYC> GD> > description **UPLINK CONNECTION**
RYC> GD> > ip address 203.190.xx.xx 255.255.255.252
RYC> GD> > ip nat outside
RYC> GD> > rate-limit input 2048000 4000 4000 conform-action transmit exceed-action drop
RYC> GD>
RYC> GD> Why *input*?
RYC> GD>
RYC> GD> You want to do traffic-shaping for *output*.
RYC> GD>
RYC> GD> (Also, traffic-shaping is more gentle to the packets than rate-limiting).
RYC> GD>
RYC> GD> gert
RYC> GD>
RYC> GD> --
RYC> GD> USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
RYC> GD> Gert Doering - Munich, Germany                             gert@greenie.muc.de
RYC> GD> fax: +49-89-35655025                        gert@net.informatik.tu-muenchen.de
RYC> GD>
RYC>
RYC>
RYC>
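The burst arithmetic Pierre quotes (normal burst = rate * 1/8 * 1.5 s, extended = 2 * normal) and the CAR behaviour he describes (a bucket of normal-burst bytes refilled at the configured rate, extended-burst borrowing, drops once the debt is used up, the 5-minute rate settling slightly above 2048 k) can be reproduced offline. The following is an added example for this archive page, not code from the thread, from Cisco or from IOS: a simplified model of CAR that follows the token-bucket / compounded-debt scheme in the Cisco policing overview Pierre links. Everything in it is an assumption for illustration: the class and function names, the rule that actual debt is kept as a negative token balance and compounded debt resets only on a drop, a bucket that starts full, and the two constructed workloads (a single 43 x 1500-byte TCP window arriving at Fast Ethernet line rate, and 3 Mbps of evenly spaced traffic offered for 300 s). It compares Rommel's original `4000 4000` bursts with the recommended `384000 768000`.

```python
"""Simplified model of Cisco CAR: 'rate-limit <bps> <normal-burst> <extended-burst>'.

Added example, not IOS source. A bucket of normal_burst bytes refills at rate_bps;
a packet conforms if the bucket covers it. When extended_burst > normal_burst a
packet may borrow, and the compounded debt (borrowed amounts summed since the
last drop) is compared against extended_burst. Assumptions: actual debt is kept
as a negative token balance, the bucket starts full, no TCP feedback is modelled.
"""
from __future__ import annotations
from dataclasses import dataclass, field


def cisco_recommended_bursts(rate_bps: int) -> tuple[int, int]:
    """normal burst = rate * (1 byte / 8 bits) * 1.5 s; extended = 2 * normal."""
    normal = int(rate_bps / 8 * 1.5)
    return normal, 2 * normal


@dataclass
class CarPolicer:
    rate_bps: int
    normal_burst: int      # bytes
    extended_burst: int    # bytes, >= normal_burst
    tokens: float = field(init=False)
    last_t: float = 0.0
    compounded_debt: float = 0.0
    conformed_bytes: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self) -> None:
        if self.extended_burst < self.normal_burst:
            raise ValueError("extended burst must be >= normal burst")
        self.tokens = float(self.normal_burst)   # bucket starts full

    def offer(self, t: float, size: int) -> bool:
        """Offer a packet of `size` bytes at time t (s); True = conform, False = drop."""
        self.tokens = min(self.normal_burst,
                          self.tokens + self.rate_bps / 8 * (t - self.last_t))
        self.last_t = t
        if self.tokens >= size:                          # plain conform
            self.tokens -= size
        elif self.extended_burst == self.normal_burst:   # borrowing disabled: exceed
            return self._exceed(size)
        else:
            self.compounded_debt += size - self.tokens   # tokens this packet borrows
            if self.compounded_debt > self.extended_burst:
                self.compounded_debt = 0.0               # exceed; new debt window
                return self._exceed(size)
            self.tokens -= size                          # negative: repaid as it refills
        self.conformed_bytes += size
        return True

    def _exceed(self, size: int) -> bool:
        self.exceeded_bytes += size
        return False


def line_rate_burst(policer: CarPolicer, npkts: int, pkt: int = 1500,
                    line_bps: int = 100_000_000) -> int:
    """Bytes delivered from npkts back-to-back packets at Fast Ethernet line rate."""
    t, delivered = policer.last_t, 0
    for _ in range(npkts):
        if policer.offer(t, pkt):
            delivered += pkt
        t += pkt * 8 / line_bps
    return delivered


def steady_load_rate(policer: CarPolicer, offered_bps: int, seconds: int,
                     pkt: int = 1500) -> float:
    """Average delivered bit/s for evenly spaced packets offered at offered_bps."""
    gap, t = pkt * 8 / offered_bps, policer.last_t
    while t < seconds:
        policer.offer(t, pkt)
        t += gap
    return policer.conformed_bytes * 8 / seconds


RATE = 2_048_000
ORIGINAL = (4000, 4000)                       # Rommel's first config
RECOMMENDED = cisco_recommended_bursts(RATE)  # (384000, 768000)
CONFIGS = (("original", ORIGINAL), ("recommended", RECOMMENDED))


def compare_burst(npkts: int = 43) -> dict[str, int]:
    """One 43 x 1500-byte TCP window (64500 bytes) at line rate, bucket full."""
    return {name: line_rate_burst(CarPolicer(RATE, *b), npkts) for name, b in CONFIGS}


def compare_steady(offered_bps: int = 3_000_000, seconds: int = 300) -> dict[str, float]:
    """3 Mbps offered for 5 minutes: both settle just above 2048 kbps."""
    return {name: steady_load_rate(CarPolicer(RATE, *b), offered_bps, seconds)
            for name, b in CONFIGS}


if __name__ == "__main__":
    print("recommended bursts for 2048 kbps:", RECOMMENDED)
    print("line-rate window, bytes delivered:", compare_burst())
    print("steady 3 Mbps, delivered bit/s:", compare_steady())
```

With the 4000-byte bucket only the first two packets of the window conform outright and the rest are dropped until the bucket refills, so a single 64500-byte window gets 4500 bytes through; with 384000 bytes the whole window passes. Under steady over-rate load both configurations deliver almost exactly 2048 kbps averaged over 5 minutes (the larger bucket a little more, which is the "slightly over 2048 k" Pierre mentions), which is why the small bursts hurt burst-oriented TCP far more than the interface counters suggest.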
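Reading the counters in `show interface rate-limit` is the practical check on whether CAR is doing what you intend: how much is actually being dropped per direction, and whether the configured bursts follow the formula Pierre quotes. The parser below is an added example, not code from the thread or from IOS; its sample input is the circuit Pierre pasted, embedded here as a constructed string with IOS indentation restored, and it parses any `show interface rate-limit` output with the same line shapes. Function names and the `report()` tuple layout are assumptions of this example.

```python
"""Parse 'show interface <if> rate-limit' output and sanity-check CAR counters.

Added example (not IOS or thread code). SAMPLE is the circuit pasted in the
thread, re-indented as IOS prints it.
"""
from __future__ import annotations
import re

SAMPLE = """\
FastEthernet0/0 Port WAN
  Input
    matches: all traffic
      params:  3000000 bps, 562500 limit, 1125000 extended limit
      conformed 672983812 packets, 508583M bytes; action: transmit
      exceeded 229790 packets, 290799025 bytes; action: drop
      last packet: 68ms ago, current burst: 60 bytes
      last cleared 37w6d ago, conformed 177000 bps, exceeded 0 bps
  Output
    matches: all traffic
      params:  3000000 bps, 562500 limit, 1125000 extended limit
      conformed 581185898 packets, 164154M bytes; action: transmit
      exceeded 2183611 packets, 2848M bytes; action: drop
      last packet: 4ms ago, current burst: 0 bytes
      last cleared 37w6d ago, conformed 57000 bps, exceeded 0 bps
"""

PARAMS = re.compile(r"params:\s+(\d+) bps, (\d+) limit, (\d+) extended limit")
# Only the packet counters; the 'last cleared ... conformed N bps' line has no 'packets'.
COUNTER = re.compile(r"(conformed|exceeded) (\d+) packets")


def parse_rate_limit(text: str) -> dict[str, dict[str, int]]:
    """Return {'Input': {...}, 'Output': {...}} with rate, bursts and packet counters."""
    stats: dict[str, dict[str, int]] = {}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Input", "Output"):
            direction = line
            stats[direction] = {}
            continue
        if direction is None:
            continue
        m = PARAMS.search(line)
        if m:
            stats[direction].update(rate_bps=int(m[1]), normal_burst=int(m[2]),
                                    extended_burst=int(m[3]))
            continue
        m = COUNTER.search(line)
        if m:
            stats[direction][m[1] + "_pkts"] = int(m[2])
    return stats


def drop_percent(s: dict[str, int]) -> float:
    """Share of packets that hit exceed-action, in percent."""
    total = s["conformed_pkts"] + s["exceeded_pkts"]
    return 100.0 * s["exceeded_pkts"] / total if total else 0.0


def bursts_match_recommendation(s: dict[str, int]) -> bool:
    """normal = rate/8 * 1.5 s and extended = 2 * normal, as in the Cisco guide."""
    normal = int(s["rate_bps"] / 8 * 1.5)
    return s["normal_burst"] == normal and s["extended_burst"] == 2 * normal


def report(text: str = SAMPLE) -> dict[str, tuple[float, bool]]:
    """Per direction: (drop percentage rounded to 3 decimals, bursts-as-recommended)."""
    return {d: (round(drop_percent(s), 3), bursts_match_recommendation(s))
            for d, s in parse_rate_limit(text).items()}


if __name__ == "__main__":
    for direction, (pct, ok) in report().items():
        print(f"{direction}: {pct}% of packets exceeded; bursts per Cisco formula: {ok}")
```

On Pierre's circuit the 3 Mbps limit with 562500/1125000 bursts is exactly the recommended setting, and the exceed counters amount to roughly 0.03% of input and 0.37% of output packets over 37 weeks, which is the picture of a CAR policy that only bites on genuine bursts. A drop percentage in whole digits on an interface whose `conformed ... bps` is well under the limit is the signature of undersized bursts like the `4000 4000` this thread started with.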