12-01-2020 02:23 AM
Hi All,
I have been trying to add a basic bandwidth shaping policy to my Cisco 887-K9 and seem to be having a few issues. I am running firmware version 15.7(3)M7.
In my config I have four vlans with one assigned to each of the four fast ethernet adapters:
vlan 100 - WAN - DHCP
vlan 110 - SecureLAN - IP-192.168.1.1
vlan 120 - GuestLAN - IP-192.168.1.2
vlan 130 - IoTLAN - IP-192.168.1.3
Each LAN side vlan has a DHCP scope configured
All three LAN vlans NAT via the WAN (vlan100)
I am trying to apply traffic shaping to fe1 or vlan110 (I have tried both)
class-map match-any ClassSecure
match any
!
policy-map SecureTrafficShape
class ClassSecure
shape average percent 1 (have also tried "shape average 1000") - these are both test values
When trying to add the above config to an interface vlan or fe i receive the following error:
Router(config)#interface vlan 110
Router(config-if)#service-policy output SecureTrafficShape
Configuration failed!
When this happens I can see no event logged explaining why, despite having added the following logging options:
logging history debugging
logging buffer debugging
I have found that if I remove the shape command, I am then able to apply the policy map to an interface. I can then re-add the shape command after:
no shape average percent 1
Running "show policy-map interface" seems to confirm the class map is picking up the traffic, but no matter what I try to limit the traffic to, either 1% or 1000 bits/s, iPerf shows no reduction in throughput on the interface.
Vlan110
Service-policy output: SecureTrafficShape
Class-map: ClassSecure (match-any)
41052 packets, 4864553 bytes
5 minute offered rate 118000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 173/30161
shape (average) cir 1000000, bc 10000, be 10000
target shape rate 1000000
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
iPerf Results:
Accepted connection from 192.168.0.24, port 51022
[ 5] local 192.168.0.205 port 5201 connected to 192.168.0.24 port 51023
[ ID] Interval Transfer Bandwidth
[ 5] 0.00-1.00 sec 10.6 MBytes 88.7 Mbits/sec
[ 5] 1.00-2.00 sec 10.6 MBytes 89.2 Mbits/sec
[ 5] 2.00-3.00 sec 10.9 MBytes 91.4 Mbits/sec
[ 5] 3.00-4.00 sec 10.9 MBytes 91.5 Mbits/sec
[ 5] 4.00-5.00 sec 10.9 MBytes 91.6 Mbits/sec
[ 5] 5.00-6.00 sec 11.0 MBytes 92.5 Mbits/sec
[ 5] 6.00-7.00 sec 11.0 MBytes 92.0 Mbits/sec
[ 5] 7.00-8.00 sec 10.9 MBytes 91.8 Mbits/sec
[ 5] 8.00-9.00 sec 11.0 MBytes 92.6 Mbits/sec
[ 5] 9.00-10.00 sec 11.0 MBytes 92.6 Mbits/sec
[ 5] 10.00-10.04 sec 493 KBytes 93.5 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 5] 0.00-10.04 sec 0.00 Bytes 0.00 bits/sec sender
[ 5] 0.00-10.04 sec 109 MBytes 91.4 Mbits/sec receiver
Am I missing something here? Any advice gratefully received.
See below for full config details.
Router#show run
Building configuration...
Current configuration : 3028 bytes
!
! Last configuration change at 23:07:19 UTC Mon Nov 30 2020
!
version 15.7
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
!
ip dhcp pool name DHCP
network 192.168.1.0 255.255.255.0
domain-name ******.local
dns-server 192.168.1.1
netbios-name-server 192.168.1.1
default-router 192.168.1.1
!
ip dhcp pool DHCP
import all
!
ip dhcp pool name DHCP-Guest
import all
network 192.168.2.0 255.255.255.0
domain-name ******.local
dns-server 192.168.2.1
netbios-name-server 192.168.2.1
default-router 192.168.2.1
!
ip dhcp pool name DHCP-IoT
import all
network 192.168.3.0 255.255.255.0
domain-name ******.local
dns-server 192.168.3.1
netbios-name-server 192.168.3.1
default-router 192.168.3.1
!
!
!
ip domain name ******.local
ip host ap.******.local 192.168.1.10
ip host printer.******.local 192.168.1.5
ip hostname strict
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn F000000000
!
!
!
!
!
!
!
controller VDSL 0
shutdown
!
!
class-map match-any ClassSecure
match any
!
policy-map SecureTrafficShape
class ClassSecure
shape average percent 1
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 100
switchport mode access
no ip address
!
interface FastEthernet1
switchport access vlan 110
switchport mode access
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 120
switchport mode access
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 130
switchport mode access
no ip address
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan100
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
!
interface Vlan110
description Secure
ip address 192.168.1.1 255.255.255.0
service-policy output SecureTrafficShape
ip nat inside
ip virtual-reassembly in
!
interface Vlan120
description Guest
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan130
description IoT
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list NATACL interface Vlan100 overload
!
ip access-list standard NATACL
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
permit 192.168.3.0 0.0.0.255
!
logging history debugging
logging buffer debugging
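A check of whether the shaper in the post above is taking effect, written as an added example that is not part of the original post: it parses the quoted "show policy-map interface" counters and the iPerf receiver summary and compares the measured rate with the target shape rate. The function names, the 10% tolerance and the trimmed sample text are assumptions made for illustration.

```python
import re

# Constructed sample input: excerpts of the two outputs quoted in the post above.
POLICY_OUTPUT = """\
Class-map: ClassSecure (match-any)
41052 packets, 4864553 bytes
Queueing
(pkts output/bytes output) 173/30161
target shape rate 1000000
"""
IPERF_OUTPUT = """\
[ 5] 0.00-10.04 sec 0.00 Bytes 0.00 bits/sec sender
[ 5] 0.00-10.04 sec 109 MBytes 91.4 Mbits/sec receiver
"""
FIELDS = {  # counter name -> regex with one capture group
    "matched_pkts": r"(\d+) packets, \d+ bytes",
    "queued_pkts": r"\(pkts output/bytes output\) (\d+)/\d+",
    "shape_bps": r"target shape rate (\d+)",
}
SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}

def parse_policy(text):
    """Return {class name: {counter: int}} from 'show policy-map interface' text."""
    classes, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Class-map: (\S+)", line):
            cur = classes.setdefault(m.group(1), {})
        elif cur is not None:
            for key, rx in FIELDS.items():
                if m := re.match(rx, line):
                    cur[key] = int(m.group(1))
    return classes

def iperf_receiver_bps(text):
    """Return the receiver-side summary rate of an iPerf run in bits/s, or None."""
    m = re.search(r"([\d.]+) ([KMG]?)bits/sec\s+receiver", text)
    return float(m.group(1)) * SCALE[m.group(2)] if m else None

def check_shaper(policy_text, iperf_text, class_name, tolerance=1.10):
    """Compare the measured rate with the class's shape rate (assumed 10% slack)."""
    c = parse_policy(policy_text)[class_name]
    measured = iperf_receiver_bps(iperf_text)
    if measured is None:
        raise ValueError("no receiver summary line in iPerf output")
    return {
        "ratio": measured / c["shape_bps"],  # measured rate / shape rate
        "queued_fraction": c["queued_pkts"] / c["matched_pkts"],
        "enforced": measured <= c["shape_bps"] * tolerance,
    }
```

Calling `check_shaper(POLICY_OUTPUT, IPERF_OUTPUT, "ClassSecure")` on the quoted figures reports the policy as not enforced, with only a small fraction of the matched packets counted as output by the shaping queue.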
12-01-2020 05:50 AM
Hello,
What are you trying to accomplish? Do you want to limit the amount of traffic users in Vlan 10 can use outbound? Try the below (traffic for Vlan 110 is shaped to 10Mbit in this example):
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
class-map match-all VLAN110_CM
match ip address 101
!
policy-map VLAN110_PM
class VLAN110_CM
shape average 10000000
class-class default
fair-queue
!
interface Vlan100
service-policy output VLAN110_PM
12-01-2020 10:56 AM
Hi Georg,
Thanks for your reply.
What I am hoping to do is ensure that no one endpoint can consume all available bandwidth of my internet connection. I have tried to enter your example which gave the following result:
Router(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#class-map match-all VLAN110_CM
Router(config-cmap)#match ip address 101
^
% Invalid input detected at '^' marker.
Router(config-cmap)#policy-map VLAN110_PM
Router(config-pmap)#
Router(config-pmap)#class VLAN110_CM
Router(config-pmap-c)#
Router(config-pmap-c)#shape average 10000000
Router(config-pmap-c)#
Router(config-pmap)#class-class default
^
% Invalid input detected at '^' marker.
Router(config-pmap-c)#fair-queue
exit
Router(config)#interface Vlan100
Router(config-if)#service-policy output VLAN110_PM
Configuration failed!
From what I can gather, the most similar (I think) commands to those which were not accepted were as follows:
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
exit
class-map match-all VLAN110_CM
match access-group 101
exit
policy-map VLAN110_PM
class VLAN110_CM
shape average 10000000
exit
class class-default
fair-queue
exit
interface Vlan100
service-policy output VLAN110_PM
Configuration failed!
This resulted in the following config (not sure if this is quite the same):
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
class-map match-all VLAN110_CM
match access-group 101
!
policy-map VLAN110_PM
class VLAN110_CM
shape average 10000000
class class-default
fair-queue
interface Vlan100
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
So still getting "Configuration failed!" when trying to apply to the vlan interface, not sure why. Also seems odd/unhelpful that nothing is logged.
Many thanks
Mark
12-01-2020 11:18 AM
Hello,
Apply the service policy outbound to the physical interface that is the uplink to the ISP (which one is that, actually, as I cannot see that in your config)?
12-01-2020 11:37 AM
Hi,
The physical interface I am using to connect to my ISP is fast ethernet 0 (vlan 100). This currently has a class c subnet applied but will be connected directly to a modem and receive an IP via DHCP from my ISP once the config is finished.
Attempting this seems to yield the same result:
Router(config)#interface fastEthernet 0
Router(config-if)#service-policy output VLAN110_PM
Configuration failed!
Mark
12-01-2020 12:25 PM
Hello,
I think on this platform, you can only apply a service policy to a physical layer 3 interface. FastEthernet0 is layer 2 only, so that won't work anyway.
12-01-2020 12:55 PM
Well, that is a shame, but good to have a reason as to why it won't play ball. I imagined there would be one.
Do you have any other ideas of how I may achieve my aim via another method?
Thanks very much for your input on this.
Mark
12-03-2020 05:12 AM
I notice I am able to apply this policy-map to ethernet 0 (internal virtual interface).
I know this is a long shot, but I don't suppose there is any way to bridge/link fe0 to ethernet0 in a way which may allow this to work?
Thanks
Mark