ISP Large flow/elephant policing
-
I have a 10Gbit service from Spectrum. Due to my area, their equipment only has 10Gb interfaces and they are required to enable large flow policing to avoid oversaturation on their gear and drop any traffic above 2.5Gb. I am told by their engineers I need to have multiflows configured on my device, either 5 2Gb parallel streams or 10 1Gb parallel streams. Does anyone have any knowledge on how I can configure this on pfSense through a single physical WAN interface?
-
I'll be honest, I have no idea what your ISP is asking.
I did a Google search and some interesting links came up. https://www.reddit.com/r/networking/comments/148k7yb/overcoming_isp_imposed_2gb_per_flow_policing_on_a/
It's still not clear to me what is being asked at all. You purchased a 10Gbps service? They offer a 10Gbps offer? What's the issue? What are you trying to achieve?
-
What interface(s) are actually available to you on their equipment?
It does sound like they want you to limit any single flow to 2.5Gbps. Potentially you could do that with Limiters.
What happens if you don't?
-
@stephenw10 I’ve never heard of an ISP asking a paying customer to rate limit in order to not utilize what you are paying for. This is a thing?!
-
I've seen it in commercial/enterprise style providers. The end user/customer is required to police their own bandwidth. Often under the threat of being massively limited or disconnected entirely if the provider's policing systems kick in. Very rare though. And I have always thought it was pretty ridiculous, so perhaps we're misunderstanding the requirement here.
-
@stephenw10 said in ISP Large flow/elephant policing:
I've seen it in commercial/enterprise style providers.
Years ago, in the X.25 days, it was common to have committed and available rates. The committed rate was guaranteed but available wasn't. There may have been an additional charge for using beyond the committed rate.
-
@stephenw10 On Spectrum's ADVA there are 4 10G ports. One of which is used for their connection to the outside and the other is the hand off to our pf. They are saying that any service they offer in our area that is above 2Gbps has to be policed to protect their network and to not oversaturate their LAGs. They also said once their set of core interconnects are upgraded to 40G 100G the large flow policing won't need to be enforced. From what I’ve read, it’s fairly common for ISPs to do this but in my experience, this is the largest pipe I’ve had so never ran into the issue.
-
But they definitely require you to do it? And have they said what will happen if you don't?
What are you actually connecting to it? Most networks won't pull that over a single flow anyway.
-
@stephenw10 If we don’t do it, all traffic above 2Gbps will be dropped at the ADVA. The handoff connects directly to a 10G NIC in our pfSense.
-
So if any one 'flow' exceeds 2Gbps then all other traffic will be dropped?
You can apply limiters with masks set to restrict any particular flow to 2Gbps, or just below that.
https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html#creating-limiters