Thursday, March 31, 2016

Traffic Policing and bandwidth management

There are times when a single workstation or server (or several of them) is using a large amount of bandwidth on a particular interface, or when you simply need to control the overall flow of ingress or egress traffic on an interface to reduce the load on the router's CPU. If the router's CPU sits near 100% sustained utilization, it can interfere with other functions such as routing protocols and neighbour relationships, causing routes to flap, which leads to further headaches.

As an example, one of my network implementations at a branch office consists of two Cisco routers and a multi-layer switch. The routers and the switch use EIGRP to build neighbour relationships with each other on the LAN, which lets the switch select routes. The route via the primary router is preferred based on EIGRP metrics. I also use the secondary router as the primary (via HSRP) for internet browsing, just to keep web traffic segregated from the corporate VPN traffic on a separate device.

Occasionally I run into an issue where a single user or a server starts to generate large amounts of traffic during office hours, causing the CPU on the primary router to spike and slowing the WAN link of this router. This in turn causes the EIGRP relationship between the router and the switch to flap: the switch dumps its routing table and inserts the routes from the secondary router, only to re-insert the routes from the primary moments later.

I use traffic policing to rate-limit the overall traffic flow into my LAN interface on the primary router to approximately 50 Mbps. I worked this figure out simply by experimenting to find the highest amount of encrypted traffic the router can process while keeping CPU usage low enough for the routes NOT to flap.

Here is how this is done:

Step 1: Create an ACL to identify the traffic that should be controlled. In my case it is ALL traffic inbound on the router's inside interface (LAN); the ACL can match specific IPs instead.

access-list 10 permit any


Step 2: Configure the inside interface on the router with rate limiting based on the ACL.

interface gig0/1
rate-limit input access-group 10 50000000 25000 25000 conform-action transmit exceed-action drop


With this configuration in place, inbound traffic on the LAN interface is held to the rate described above.
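To see what the numbers in the rate-limit line actually do, here is a small Python model of the policer's token bucket. It is an added example, not part of the original post or any Cisco code. It assumes the values configured above (50000000 is the committed rate in bit/s, the first 25000 is the normal burst in bytes) and, because the extended burst equals the normal burst, CAR's extended-burst borrowing is off and a single bucket reproduces the conform/exceed decision; the input is a constructed train of 1500-byte frames arriving back-to-back at gigabit line rate.

```python
# Added example (not from the original post or Cisco): token-bucket model of
# `rate-limit input ... conform-action transmit exceed-action drop` with the
# post's values. Extended burst == normal burst, so CAR borrowing is off.
from dataclasses import dataclass, field

CIR_BPS = 50_000_000    # "50000000" in the rate-limit line: rate in bit/s
NORMAL_BURST = 25_000   # first "25000": normal burst, bucket depth in bytes

@dataclass
class CarPolicer:
    cir_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def packet(self, t: float, size: int) -> str:
        """Decide one packet of `size` bytes arriving at time t (seconds)."""
        # Refill at CIR/8 bytes per second, never above the bucket depth.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t - self.last_t) * self.cir_bps / 8)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"            # conform-action transmit
        return "drop"                    # exceed-action drop; nothing debited

def police(arrivals, cir_bps=CIR_BPS, burst_bytes=NORMAL_BURST):
    """Run a list of (time_s, size_bytes) arrivals through the policer."""
    p = CarPolicer(cir_bps, burst_bytes)
    return [p.packet(t, s) for t, s in arrivals]

def line_rate_train(n, size=1500, link_bps=1_000_000_000):
    """Constructed input: n back-to-back frames at gigabit line rate."""
    gap = size * 8 / link_bps
    return [(i * gap, size) for i in range(n)]

def recommended_normal_burst(cir_bps, seconds=1.5):
    """Cisco's documented CAR rule of thumb: normal burst = CIR/8 bytes * 1.5 s."""
    return int(cir_bps / 8 * seconds)

if __name__ == "__main__":
    verdicts = police(line_rate_train(30))
    print(verdicts.index("drop"), "frames pass before the first drop")
    print(verdicts.count("transmit"), "of 30 frames transmitted")
    print("rule-of-thumb normal burst:", recommended_normal_burst(CIR_BPS), "bytes")
```

Running it shows that a 25,000-byte bucket admits only 17 back-to-back 1500-byte frames at gigabit line rate before drops begin, after which roughly one frame in twenty gets through (50 Mbps of 1 Gbps), which is why TCP flows from a single fast host collapse so sharply under this policer.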

