Showing posts with label NTA. Show all posts

Monday, June 20, 2016

Network Police

The following examples show how to limit excess traffic to a set of "servers" to 500 Kbps and limit bandwidth to a particular "site" to 2 Mbps.  This is useful for throttling traffic on WAN interfaces.

1) Define the servers and the site
object-group network servers
 host 1.1.1.1
 host 1.1.1.2
 host 1.1.1.3
 host 1.1.1.4
!
object-group network site
 2.2.2.0 255.255.255.0
!

2) Define the class maps (these correlate to the access-lists in step 3)
class-map match-any site_traffic
 match access-group 199
 match precedence 3
class-map match-any server_traffic
 match access-group 198
 match precedence 3
!

3) Define access-lists whose numbers match the "access-group" entries in step 2 and whose destinations are the "object-group" entries from step 1.
access-list 198 permit ip any object-group servers
access-list 199 permit ip any object-group site
!

4) Define the limits that you want to apply to each class map from step 2.
policy-map QoS
 class server_traffic
  police 500000
 class site_traffic
  police cir 2000000
!

5) Apply the policy to the interface that you wish to control.
interface FastEthernet0/1
 service-policy output QoS

Without these rules, network traffic could easily exceed the available bandwidth. For example, without the rules, attempted traffic across a 10 Mbps circuit for the site and servers might look like this.

Once the rules are applied, NetFlow allows us to see the containment of the traffic:


Monday, October 21, 2013

Visualize the Flow

Understanding what is flowing across the network is essential. Products like SolarWinds NetFlow Traffic Analyzer help provide a view into what is (and has been) happening on the network.

With NetFlow data: IT teams can quickly zero in on what is currently impacting performance.

Without NetFlow data: IT teams often scramble through ineffective actions like rebooting various devices. Sometimes, by guessing their way through the problem, IT teams can actually create additional issues.








Fortunately, gathering this information is fairly easy. First, you need to set up the SolarWinds NTA product on one of your servers. Afterward, the NTA site should show which port the service is listening on. This "collection port" is used later when configuring the devices that you want to collect NetFlow data from.




The next step is to start adding the points on the network that you want to monitor. For example, if a remote T1-connected site is having recurring difficulties with WAN performance, it would be great to know what specific types of traffic are moving across the T1 connection.

Adding the device to NTA is fairly easy.  If you wanted to collect T1 connection information from the Cisco router in the example above, you simply add a few configuration lines to the router where the T1 is connected.  There are two simple parts to the addition:

  • Add the following to the base configuration of the router you want to monitor:

ip flow-export version 9
ip flow-export destination 2.2.2.2 2055     

(2.2.2.2 should be replaced with the IP address of your SolarWinds server and 2055 is the collection port of your NetFlow collector service on that server)

  • Add the following to the specific interface that you want to monitor (ex: Serial 0/0/0):
ip flow ingress
ip flow egress

There is a lot of information available on the SolarWinds NTA product, but the key point here is that setting up your devices to report this type of NetFlow data is very easy.
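
To see what `ip flow-export version 9` actually delivers to the collection port, here is an added example (not from the original post and not SolarWinds code): a small Python decoder for NetFlow version 9 datagrams as laid out in RFC 3954. The function names, the field subset, and the sample datagram (built from the addresses used on this page) are constructed for illustration.

```python
import ipaddress
import struct

FIELDS = {1: "bytes", 4: "proto", 7: "sport", 8: "src", 11: "dport", 12: "dst"}  # RFC 3954 subset

def read_templates(body, source_id, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, n = struct.unpack_from("!HH", body, pos)
        if tid < 256 or pos + 4 + 4 * n > len(body):
            break  # padding or a truncated template
        raw = struct.unpack_from(f"!{2 * n}H", body, pos + 4)
        templates[(source_id, tid)] = list(zip(raw[::2], raw[1::2]))  # (type, length) pairs
        pos += 4 + 4 * n

def read_records(body, template):
    size = sum(flen for _, flen in template)
    records, pos = [], 0
    while size and pos + size <= len(body):  # leftover bytes are padding
        rec = {}
        for ftype, flen in template:
            val, pos = int.from_bytes(body[pos:pos + flen], "big"), pos + flen
            if ftype in FIELDS:
                rec[FIELDS[ftype]] = str(ipaddress.IPv4Address(val)) if ftype in (8, 12) else val
        records.append(rec)
    return records

def parse_v9(packet, templates):
    """Decode one datagram; templates caches {(source_id, template_id): fields}."""
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram")
    source_id = struct.unpack_from("!I", packet, 16)[0]
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("FlowSet length runs past the datagram")
        body = packet[offset + 4:offset + set_len]
        if set_id == 0:  # template FlowSet
            read_templates(body, source_id, templates)
        elif (source_id, set_id) in templates:  # data FlowSet with a known template
            flows += read_records(body, templates[(source_id, set_id)])
        offset += set_len
    return flows

def sample_packet():  # constructed datagram, not captured traffic
    tset = struct.pack("!16H", 0, 32, 256, 6, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4)
    dset = struct.pack("!HH4B4BHHBI3x", 256, 24, 2, 2, 2, 10, 1, 1, 1, 1, 51515, 443, 6, 1500)
    return struct.pack("!HHIIII", 9, 2, 1000, 1466400000, 1, 0) + tset + dset
```

Calling `parse_v9(sample_packet(), {})` returns the single decoded flow. A data FlowSet that arrives before its template is skipped, which is why a collector shows nothing for a new exporter until the router resends its templates.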