LARTC - Feb 2004 - Updated tcng configuration

You helped me earlier, I was wondering if I couldn''t get your advice
again.
I had very simple ingress/egress policing working and I was very happy. 
Unfortunately I quickly reached the maximum throughput and my own 
connections to our FTP server were slow.

I decided it would be best to implement a second filter to give traffic 
from our network priority. I think I''ve done that below, but it
doesn''t
seem to be working. I want to dedicate 5Mbps to the "world" and, an 
additional 10Mbps to my network (12.111.170.0/24).

For whatever reason, it seems that ALL incoming traffic is going to the 
$cta class, despite the source IP address. If I tweak with the settings for 
$cta down to 5Mbps the traffic drops accordingly. 99% of the traffic going 
to the box is "other" I want to leave the possibility that our traffic
gets
priority if and when we need it. Am I missing something simple here?

-----------------------------------------------

dev "eth0" {
    egress {

       /*
       //This is what we were using before we had to optimize traffic for 
our networks
       tbf (mtu 1.5kB,limit 10kB,rate 10Mbps,burst 1000kB) {
          fifo;
       }
       */

       class (<$cta>) if ip_src:24 == 12.111.170.0;
       class (<$other>) if 1;

       htb () {
          class (rate 100Mbps, ceil 100Mbps) {
             $cta = class (rate 10Mbps, ceil 10Mbps) { sfq; };
             $other = class (rate 5Mbps, ceil 5Mbps) { sfq; };
          }
       }
    }

    ingress {
       $p = bucket(rate 10Mbps, burst 1000kB, mpu 200B);
       class (1) if (conform $p && count $p) || drop;
    }
}


Scott Baker - Network Engineer - RHCE
bakers @ web-ster . com - 503.266.8253 

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

[ I''m assuming based on your description and the attached configuration
  that this host is a router.  If this is not correct, then correct me,
  and tell us more about your network environment. ]

 : I decided it would be best to implement a second filter to give traffic
 : from our network priority. I think I''ve done that below, but it
doesn''t
 : seem to be working. I want to dedicate 5Mbps to the "world" and, an
 : additional 10Mbps to my network (12.111.170.0/24).

One important question (two parts):

  - If you are using 10Mbps and another host on the Internet is using
    5Mbps, do you have enough bandwidth to satisfy these needs?
  - Is the 12.111.170.0/24 network locally connected?

The reasons for the question:

  - Your traffic shaping and prioritizing router must be the bottleneck.
  - Your traffic shaping device appears to be shaping on only the
    interface from which it transmits packets to the server.

 : For whatever reason, it seems that ALL incoming traffic is going to the
 : $cta class, despite the source IP address.

Are you performing some sort of NAT?  (I don''t see this as likely in
this
situation, but I must ask.)  Note the KPTD, and the likely packet
addressing if there''s any NAT involved. [0]

 : If I tweak with the settings for $cta down to 5Mbps the traffic drops
 : accordingly. 99% of the traffic going to the box is "other" I want
to
 : leave the possibility that our traffic gets priority if and when we
 : need it. Am I missing something simple here?

I think you should add some traffic shaping to your outgoing interface.  A
shaping device can only shape traffic it sends, so delay the outbound
packets to your network (ip_dst:24 == 12.111.170.0), not the packets
inbound to the server.  Inbound to the server on an FTP "download" are
likely to be primarily ACK packets.  Outbound packets are likely to
contain MSS-sized data segments, which means the outbound packets are the
ones consuming your bandwidth.

You might also benefit from learning a bit more about the HTB borrowing
scenario, and how you can make borrowing work to your advantage. [1]

So, in sum:

  - Shape the traffic you are transmitting, which is from the FTP server,
    just before it leaves for ip_src:24 == 12.111.170.0.
  - Learn the borrowing model, and take control of the distribution and
    sharing of bandwidth for network applications with HTB.

Good luck,

-Martin

 [0] http://www.docum.org/stef.coene/qos/kptd/
 [1]
http://www.tldp.org/HOWTO/Traffic-Control-HOWTO/classful-qdiscs.html#qc-htb-borrowing
 [2]

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/