Cisco IOS-fu #1 – Traffic Shaping Based on ACL

So, I've previously blogged here and here about our recent network changes.  We now have a 100meg AT&T EaMIS burstable (Hi-Cap Flex is what they call it) connection.  Two of them actually (redundancy, you know).  But, like most burstable products, we have a CIR (committed information rate) and are billed on 95th-percentile usage.  We have a 30meg CIR, which means that if our monthly 95th percentile is 40meg, we pay our base rate plus a per-meg overage charge.  We really wanted the 100meg circuit for some processes we use for Church Online and **NOT** so people could tweet or browse YouTube faster.

The Problem
How do we keep our "normal" internet surfing under the 30meg CIR yet still allow our weekend processes to have the full bandwidth (100meg)?

The Solution (One of Many Possible)
Well, there are MANY ways to do this.  I could use "service-policy" on our internet router (Cisco 3825), or I could use "service-policy" on our firewall cluster (Cisco ASA 5520) or perhaps even find some other fun ways to handle this.

I chose the easy way for now.  We have a list of IP addresses that need full bandwidth.  It just comes down to a dozen or so lines in Cisco IOS at my network edge router.

First of all, we're going to identify the traffic.  This is done with an extended access-list and looks a little something like this:

router(config)#access-list 101 remark "give these destination IPs full bandwidth"
router(config)#access-list 101 deny ip any host 1.1.1.1
router(config)#access-list 101 deny ip any host 2.2.2.2
router(config)#access-list 101 deny ip any host 3.3.3.3
router(config)#access-list 101 deny ip any host 4.4.4.4
router(config)#access-list 101 remark "and throttle everything else"
router(config)#access-list 101 permit ip any any

Next, we want to apply that ACL on our interfaces in a useful way.  It looks a little something like this:

router(config)#int gig0/0
router(config-if)#traffic-shape group 101 29000000
router(config-if)#exit
router(config)#int gig0/1
router(config-if)#traffic-shape group 101 29000000
router(config-if)#exit
router(config)#exit
router#copy run start

That's it.  I chose 29000000 because in reality, IOS will choose some "bursting" capabilities for me that push the 29000000 closer to 29750000, and I only want a 30meg (30000000) CIR – so – 29000000 made the most sense for my situation.  Your mileage may vary.  I could tune the bursting if I chose to, but I don't need to for this situation.

For those of you that don't work in IOS – and/or don't deal with ACLs – that may appear backwards.  The "permit" on the ACL, combined with the "traffic-shape group" command on the router interface, means "adhere to the shaping" – conversely – the "deny" on the ACL means "ignore the shaping and go as fast as you can."
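To make that inverted logic concrete, here is a small Python simulator, an added example that is not part of the original post. It parses the post's ACL 101 lines, evaluates them with IOS first-match semantics (including the implicit deny at the end of every ACL, which is why the final "permit ip any any" matters: without it, "traffic-shape group" would shape nothing), and reports whether a packet to a given destination is shaped. It also computes a nearest-rank 95th percentile over constructed per-interval bandwidth samples to show why capping shaped traffic at 29000000 keeps the billed figure under the 30meg CIR. The ACL text, the 198.51.100.7 destination and the sample lists are constructed for the example; the 1.1.1.1 through 4.4.4.4 addresses are the post's own placeholders.

```python
import ipaddress
import math

# Constructed copy of the post's ACL (the host addresses are the post's
# placeholders, not real destinations).
ACL_CONFIG = """
access-list 101 remark "give these destination IPs full bandwidth"
access-list 101 deny ip any host 1.1.1.1
access-list 101 deny ip any host 2.2.2.2
access-list 101 deny ip any host 3.3.3.3
access-list 101 deny ip any host 4.4.4.4
access-list 101 remark "and throttle everything else"
access-list 101 permit ip any any
"""


def parse_acl(text, number):
    """Return the ordered (action, destination network) entries of one ACL.

    Only the ACE forms the post uses are understood: 'ip any host A.B.C.D'
    and 'ip any any'. Remarks are skipped; anything else raises ValueError.
    """
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action = parts[2]
        if action == "remark":
            continue
        if action not in ("permit", "deny") or len(parts) < 6 \
                or parts[3] != "ip" or parts[4] != "any":
            raise ValueError(f"unsupported ACE: {raw.strip()}")
        if parts[5] == "any":
            dst = ipaddress.ip_network("0.0.0.0/0")
        elif parts[5] == "host" and len(parts) >= 7:
            dst = ipaddress.ip_network(parts[6] + "/32")
        else:
            raise ValueError(f"unsupported destination in: {raw.strip()}")
        entries.append((action, dst))
    return entries


def acl_action(entries, dst_ip):
    """First-match evaluation; an unmatched packet hits IOS's implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for action, dst in entries:
        if addr in dst:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def is_shaped(entries, dst_ip):
    """'traffic-shape group <acl> <rate>' shapes only packets the ACL permits.

    Denied (explicitly or implicitly) traffic bypasses the shaper entirely.
    """
    return acl_action(entries, dst_ip) == "permit"


def percentile_95(samples_bps):
    """Nearest-rank 95th percentile: sort the interval samples, discard the
    top 5%, and return the highest remaining sample (the billed figure)."""
    ordered = sorted(samples_bps)
    idx = math.ceil(0.95 * len(ordered)) - 1
    return ordered[idx]


if __name__ == "__main__":
    acl = parse_acl(ACL_CONFIG, 101)
    for dst in ("2.2.2.2", "198.51.100.7"):  # second address is constructed
        state = "shaped" if is_shaped(acl, dst) else "full speed"
        print(f"{dst}: ACL says {acl_action(acl, dst)} -> {state}")
    # Drop the final 'permit ip any any' and nothing is shaped any more.
    print("without final permit:", is_shaped(acl[:-1], "198.51.100.7"))
    # Constructed month: 19 shaped intervals at 29 Mbps plus one 95 Mbps burst.
    print("95th percentile:", percentile_95([29_000_000] * 19 + [95_000_000]))
```

The percentile helper uses the common nearest-rank definition; a carrier's exact billing formula and sampling interval can differ, so treat it as an illustration of the idea rather than a copy of any provider's calculation.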

Again, there are many ways to do this, this is just how I chose to do it since I'm only wanting to identify "full bandwidth" traffic by destination IP.

Who else is shaping their traffic at the edge?  How are YOU doing it?

2 thoughts on “Cisco IOS-fu #1 – Traffic Shaping Based on ACL”

  1. We just did the exact same thing on our network a few weeks ago. We did it for internal traffic though. Our file servers are located at a central site and when we do our HD Simulcast to our other sites we needed to restrict the bandwidth of file transfers. This is because the file transfers max out the circuit and would cause pixelation on the receive end. We also set this policy as a Time-of-day policy to only kick in during certain times on the weekend. So far it is working out well.

    Thanks for sharing your networking experience with the rest of us!

  2. Hey Jeremy, would love for you to share a few “scrubbed” details of your time-of-day policy. Where did you set it? Router or switch or firewall? What did the code look like? If you’ve blogged it, link up here! 🙂
