Re: QOS with nbar

From: Ivan Walker (ivan@itpro.co.nz)
Date: Tue Feb 24 2009 - 05:35:47 ARST


Great testing Dale. Thanks. You beat me to it but I finished my tests
before I saw your email so here are my results :-) Overall very
similar. I only tested matching url or mime type and policing or dropping.

I found
* that for input and output policies classification occurred when
matching on url or mime type.
* for output mime policies dropping didn't work properly - smaller images
loaded but larger images didn't.
* for output mime policies policing didn't stop small or large images -
they loaded quickly.

It would seem that either the mime classification outbound is not 100%,
policies can always use these classified packets or both.

I checked the documentation to try and find some more detail but only
found the following:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1051880
"When matching by MIME type, NBAR matches a packet containing the MIME
type and all subsequent packets until the next HTTP transaction."
"NBAR does not classify packets that are part of a pipelined request.
With pipelined requests, multiple requests are pipelined to the server
before previous requests are serviced"

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1024534
"When matching by host, NBAR performs a regular expression match on the
host field contents inside the HTTP packet and classifies all packets
from that host."

Now that I look I have pipelining on....

Initial setup
-------------

Internet
   |
   | Fa1/0
 Router
   | Fa2/0
   |
 Server

class-map match-all MIME
 match protocol http mime "image/*"
class-map match-all URL
 match protocol http url "*\.jpg*"
     
policy-map MIMEDROP
 class MIME
   drop
policy-map URLDROP
 class URL
   drop
policy-map MIMEPOLICE
 class MIME
   police cir 8000 bc 1000 be 1000
     conform-action transmit
     exceed-action drop
     violate-action drop
policy-map URLPOLICE
 class URL
   police cir 8000 bc 1000 be 1000
     conform-action transmit
     exceed-action drop
     violate-action drop

Tests
-----

Test 1 Config:

interface FastEthernet1/0
 description Internet
 service-policy input URLDROP

Test 1 Result:

Definitely matches to the policy even though the http requests are made
in an outbound direction. Images don't load.

router#show policy-map int fa1/0
 FastEthernet1/0

  Service-policy input: URLDROP

    Class-map: URL (match-all)
      30 packets, 35260 bytes
      30 second offered rate 7000 bps, drop rate 7000 bps
      Match: protocol http url "*\.jpg*"
      drop

Test 2 Config:

interface FastEthernet1/0
 description Internet
 service-policy output URLDROP

Test 2 Result:

Matches to the policy and images don't load.

router#show policy-map int fa1/0
 FastEthernet1/0

  Service-policy output: URLDROP

    Class-map: URL (match-all)
      19 packets, 8414 bytes
      30 second offered rate 1000 bps, drop rate 1000 bps
      Match: protocol http url "*\.jpg*"
      drop

Test 3 Config:

interface FastEthernet1/0
 description Internet
 service-policy input MIMEDROP

Test 3 Result:

Again matches to the policy and images don't load.

router#show policy-map int fa1/0
 FastEthernet1/0

  Service-policy input: MIMEDROP

    Class-map: MIME (match-all)
      7 packets, 9144 bytes
      30 second offered rate 2000 bps, drop rate 2000 bps
      Match: protocol http mime "image/*"
      drop

Test 4 Config:

interface FastEthernet1/0
 description Internet
 service-policy output MIMEDROP

Test 4 Result:

Matches to the policy but some images manage to load - generally the
small ones. Seems a bit flaky.

router#show policy-map int fa1/0
 FastEthernet1/0

  Service-policy output: MIMEDROP

    Class-map: MIME (match-all)
      524 packets, 28296 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/*"
      drop

Test 5 Config:

interface FastEthernet1/0
 description Internet
 service-policy input URLPOLICE

Test 5 Result:

Definitely matches to the policy even though the http requests are made
in an outbound direction. Images eventually load.

router#show policy-map int fa1/0
 FastEthernet1/0

  Service-policy input: URLPOLICE

    Class-map: URL (match-all)
      683 packets, 719454 bytes
      30 second offered rate 22000 bps, drop rate 21000 bps
      Match: protocol http url "*\.jpg*"
      police:
          cir 8000 bps, bc 1000 bytes, be 1000 bytes
        conformed 122 packets, 14214 bytes; actions:
          transmit
        exceeded 26 packets, 3961 bytes; actions:
          drop
        violated 535 packets, 701279 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 21000 bps

Test 6 Config:

interface FastEthernet1/0
 description Internet
 service-policy output URLPOLICE

Test 6 Result:

Matches to the policy and images load slowly.

router#show policy-map int fa1/0
 FastEthernet1/0

  Service-policy output: URLPOLICE

    Class-map: URL (match-all)
      91 packets, 58267 bytes
      30 second offered rate 9000 bps, drop rate 8000 bps
      Match: protocol http url "*\.jpg*"
      police:
          cir 8000 bps, bc 1000 bytes, be 1000 bytes
        conformed 31 packets, 8191 bytes; actions:
          transmit
        exceeded 6 packets, 4909 bytes; actions:
          drop
        violated 54 packets, 45167 bytes; actions:
          drop
        conformed 1000 bps, exceed 0 bps, violate 7000 bps

Test 7 Config:

interface FastEthernet1/0
 description Internet
 service-policy input MIMEPOLICE

Test 7 Result:

Policing definitely working - Police rate so low I don't bother waiting
for the images.

router#show policy-map int fa1/0
 FastEthernet1/0

  Service-policy input: MIMEPOLICE

    Class-map: MIME (match-all)
      205 packets, 264093 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/*"
      police:
          cir 8000 bps, bc 1000 bytes, be 1000 bytes
        conformed 30 packets, 4925 bytes; actions:
          transmit
        exceeded 2 packets, 1812 bytes; actions:
          drop
        violated 173 packets, 257356 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

Test 8 Config:

interface FastEthernet1/0
 description Internet
 service-policy output MIMEPOLICE

Test 8 Result:

Matches to the policy but images load quickly.

router#show policy-map int fa1/0
 FastEthernet1/0

  Service-policy output: MIMEPOLICE

    Class-map: MIME (match-all)
      1794 packets, 102096 bytes
      30 second offered rate 6000 bps, drop rate 0 bps
      Match: protocol http mime "image/*"
      police:
          cir 8000 bps, bc 1000 bytes, be 1000 bytes
        conformed 1764 packets, 100464 bytes; actions:
          transmit
        exceeded 30 packets, 1632 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 6000 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      448 packets, 156373 bytes
      30 second offered rate 18000 bps, drop rate 0 bps
      Match: any
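
Added example, not part of the original post: a small Python parser for the "show policy-map" counters quoted above, run over the Test 7 and Test 8 figures. It reports mean packet size and the share of bytes the policer dropped for each class; the function names are this example's own.

```python
import re

# Counters copied from the Test 7 and Test 8 output above (rate and Match lines omitted).
SAMPLE = """\
  Service-policy input: MIMEPOLICE
    Class-map: MIME (match-all)
      205 packets, 264093 bytes
        conformed 30 packets, 4925 bytes; actions:
        exceeded 2 packets, 1812 bytes; actions:
        violated 173 packets, 257356 bytes; actions:
  Service-policy output: MIMEPOLICE
    Class-map: MIME (match-all)
      1794 packets, 102096 bytes
        conformed 1764 packets, 100464 bytes; actions:
        exceeded 30 packets, 1632 bytes; actions:
        violated 0 packets, 0 bytes; actions:
    Class-map: class-default (match-any)
      448 packets, 156373 bytes
"""

POLICY = re.compile(r"Service-policy (input|output): (\S+)")
CLASS = re.compile(r"Class-map: (\S+) \(match-(?:all|any)\)")
TOTAL = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")
POLICER = re.compile(r"(conformed|exceeded|violated) (\d+) packets, (\d+) bytes")

def parse_policy_map(text):
    """Return one dict per class with totals, mean packet size and policer counters."""
    rows, direction, policy, row = [], None, None, None
    for line in text.splitlines():
        if m := POLICY.search(line):
            direction, policy = m.groups()
        elif m := CLASS.search(line):
            row = {"direction": direction, "policy": policy, "class": m.group(1)}
            rows.append(row)
        elif row is not None and (m := TOTAL.match(line)):
            pkts, nbytes = int(m[1]), int(m[2])
            row.update(packets=pkts, bytes=nbytes, avg_bytes=round(nbytes / max(pkts, 1), 1))
        elif row is not None and (m := POLICER.search(line)):
            row[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows

def dropped_share(row):
    """Fraction of the class's bytes the policer dropped (exceeded + violated)."""
    dropped = row.get("exceeded", (0, 0))[1] + row.get("violated", (0, 0))[1]
    return round(dropped / row["bytes"], 3) if row.get("bytes") else 0.0

if __name__ == "__main__":
    for r in parse_policy_map(SAMPLE):
        print(r["direction"], r["class"], r["avg_bytes"], dropped_share(r))
```

On these counters the input MIME class averages about 1288 bytes per packet with 98% of its bytes dropped, while the output MIME class averages about 57 bytes per packet with under 2% dropped.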
