11-08-2012 12:00 PM - edited 03-04-2019 06:05 PM
Hi team
We need to divide a dedicated 10 Mbps link between two LANs, each getting half of this bandwidth.
I have the possible configuration:
class-map match-all HOTEL_ADMON
match access-group 100
class-map match-all GUEST
match access-group 200
access-list 100 permit 192.168.10.0 0.0.0.255
access-list 200 permit 192.168.20.0 0.0.0.255
policy-map DIV
class-map HOTEL_ADMON
bandwidth percent 50
class-map GUEST
bandwidth percent 50
class class-default
shape average 10000000
int gi 0/0
service-policy output DIV
Do I need anything else, or is it complete?
Thank you.
Regards
11-08-2012 12:26 PM
With this config, you're guaranteeing 50 percent of the bandwidth, but you're not keeping either segment from maxing it out. You should try something like this instead:
policy-map DIV
class-map HOTEL_ADMON
bandwidth percent 50
shape average 5000000
class-map GUEST
bandwidth percent 50
shape average 5000000
class class-default
shape average 10000000
Also, you may want to have something inbound to police traffic coming into the clients. Generally, if you're natting on the router, you'll need to police into the public address that you've natted the connection out as so you can catch the traffic coming back.
HTH,
John
11-14-2012 03:04 PM
Hi j.blakey
I'm configuring the router, but it will not let me configure the following commands. Do I need some other command to enable these options, or is it a problem with the IOS?
class-map match-all HOTEL_ADMON
match access-group 10
class-map match-all GUEST
match access-group 20
!
!
policy-map DIV
Gw_GARDEN_2901(config)#policy-map DIV
Gw_GARDEN_2901(config-pmap)#class-map HOTEL_ADMON
Gw_GARDEN_2901(config-cmap)#?
Class-map configuration commands:
description Class-Map description
exit Exit from class-map configuration mode
match classification criteria
no Negate or set default values of a command
rename Rename this class-map
thanks for the help
11-14-2012 06:28 PM
Hi, Yesenia,
Try changing class-map to class:
policy-map DIV
class HOTEL_ADMON
bandwidth percent 50
11-15-2012 12:13 PM
Hi
How can I show the customer that this is effectively dividing the bandwidth? When we execute the command show policy-map int gi 0/0 out, we get:
Gw_GARDEN_2901#sh policy-map int gi 0/0 out
GigabitEthernet0/0
Service-policy output: DIV
Class-map: HOTEL_ADMON (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 10
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 40% (40000 kbps)
shape (average) cir 4000000, bc 16000, be 16000
target shape rate 4000000
Class-map: GUEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 20
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 6000000, bc 24000, be 24000
target shape rate 6000000
Class-map: class-default (match-any)
2053638 packets, 1700513757 bytes
5 minute offered rate 8000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 62574/11332279
shape (average) cir 10000000, bc 40000, be 40000
target shape rate 10000000
Thank you
Regards
11-15-2012 12:51 PM
Yesenia,
First, my apologies for the typo above, it is indeed the command "class" that goes under the policy map. Second, the only thing that I'm aware that you can do is show them the above output. Can you post the final configuration for your policy?
HTH,
John
11-15-2012 03:14 PM
Hi John
Don't worry. Of course, this is the configuration of the policy-map:
policy-map DIV
class HOTEL_ADMON
bandwidth percent 40
shape average 4000000
class GUEST
bandwidth percent 60
shape average 6000000
class class-default
shape average 10000000
Is the above output correct?
Thank you
Regards
11-15-2012 04:25 PM
It looks like it. You could show them the output for "show policy-map inter g0/0 out" and point out that the measurements are based off of the primary speed of 10Mb.
Class-map: HOTEL_ADMON (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 10
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 40% (40000 kbps)
shape (average) cir 4000000, bc 16000, be 16000
target shape rate 4000000
Class-map: GUEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 20
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 6000000, bc 24000, be 24000
target shape rate 6000000
I am curious as to why the Guest class doesn't show a percentage like the Hotel class does. What you could do is generate some traffic to see if it starts to shape. Here's another concern that you'll have. The shape command only works on outbound policy maps which means a user on this subnet sending traffic. If this is the last point that your user goes out before the internet, you'll also want to police traffic inbound going toward that subnet. If you're natting on this interface, then you'll need to map an ip to this subnet and then police inbound on the public address that you've natted to. Does this make sense?
HTH,
John
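An added example, not part of the thread or of any poster's configuration: a small Python parser for the `show policy-map interface` output quoted above. It reports each class's shape CIR as a share of the 10 Mbps link, the shaper interval Tc = Bc/CIR, the rate implied by the `bandwidth N% (K kbps)` line, and which classes have matched no packets yet. The function names and the `link_bps` parameter are assumptions of this example, and the sample text is a constructed excerpt of the posted output.

```python
import re

# Constructed sample: excerpt of the `show policy-map int gi 0/0 out` output from the thread.
SAMPLE = """\
Class-map: HOTEL_ADMON (match-all)
  0 packets, 0 bytes
  bandwidth 40% (40000 kbps)
  shape (average) cir 4000000, bc 16000, be 16000
Class-map: GUEST (match-all)
  0 packets, 0 bytes
  shape (average) cir 6000000, bc 24000, be 24000
Class-map: class-default (match-any)
  2053638 packets, 1700513757 bytes
  shape (average) cir 10000000, bc 40000, be 40000
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
SHAPE_RE = re.compile(r"shape \(average\) cir (\d+), bc (\d+)")
BW_RE = re.compile(r"bandwidth (\d+)% \((\d+) kbps\)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")

def parse_policy_output(text, link_bps=10_000_000):
    """Return {class_name: stats}; link_bps is the assumed contracted link rate."""
    classes, cur = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.search(line):
            cur = classes.setdefault(m.group(1), {"packets": 0})
        elif cur is None:
            continue  # ignore header lines before the first class
        elif m := PKTS_RE.match(line):
            cur["packets"] = int(m.group(1))
        elif m := SHAPE_RE.search(line):
            cir, bc = int(m.group(1)), int(m.group(2))
            cur["cir_bps"] = cir
            cur["share_of_link"] = cir / link_bps  # fraction of the link
            cur["tc_ms"] = 1000 * bc / cir  # shaper interval Tc = Bc / CIR
        elif m := BW_RE.search(line):
            pct, kbps = int(m.group(1)), int(m.group(2))
            cur["bandwidth_pct"] = pct
            cur["bw_reference_kbps"] = kbps * 100 // pct  # rate the % was taken of
    return classes

def unexercised(classes):
    """Classes with zero matched packets: the split has not been demonstrated yet."""
    return [name for name, c in classes.items() if c["packets"] == 0]

if __name__ == "__main__":
    parsed = parse_policy_output(SAMPLE)
    for name, stats in parsed.items():
        print(name, stats)
    print("no traffic matched yet:", unexercised(parsed))
```

On the posted output, both user classes still show zero matched packets, so the counters need to move under test traffic before the output demonstrates the split to a customer.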
11-15-2012 04:56 PM
I requested that the network had 60 guests some bandwidth, covering the nat is this?
interface GigabitEthernet0/1.10
description EQUIPMENT_HOTEL
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
description EQUIPMENT_GUEST
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
Thanks
Regards
11-15-2012 05:28 PM
You have nat enabled on the inside. Do you have public addresses that were assigned to you? If so, you'll want to nat your guests out a different public address than what the hotel does. If that's the case, then you'll apply your guest network to a pool of addresses that you can use (one address is enough) and then you can police back in on the public side interface to that address that you've assigned to the guest network. That way the guest network won't be able to download more than 60Mb and send out (shaped) at 60Mb.
John
11-16-2012 09:52 AM
I mean, do I have to create another NAT for the output of the guest network? Have two public IPs, one for the hotel's own teams and one for the guest network? It currently has a PAT configured: ip nat inside source list 1 interface GigabitEthernet0/0 overload
11-16-2012 10:12 AM
In order to control the guest side, you'll need to know what address it's going out as. In order to do that, you'll nat your guest internal subnet out as a certain address. Suppose you have 5 addresses 1.1.1.1 - 1.1.1.5. Your router gets 1.1.1.1. If you're natting everything out the g0/0 (where assumed 1.1.1.1 is assigned), then your hotel and guest both look like they're coming from 1.1.1.1. You wouldn't want to police the traffic to a certain speed, say 60% inbound, to this address because it would also affect the hotel side as well.
Instead, what you should do is create a nat pool for the hotel and guest side, or at least the guest side:
ip nat pool Guest 1.1.1.2 1.1.1.2 prefix 29
ip access-list ext Guest
permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list Guest pool Guest overload
Now the outbound traffic from the Guest side is seen as 1.1.1.2 and the Hotel side is seen as 1.1.1.1. Now it's easier to police the return traffic:
access-list 101 permit ip any host 1.1.1.2
class-map PoliceGuest
match access-group 101
policy-map PoliceInbound
class PoliceGuest
police cir percent 60
! assuming g0/0 is WAN facing
int g0/0
service-policy input PoliceInbound
I haven't seen the WAN interface yet, so I'm assuming your outbound policy is configured there as well. If that's the case, you'll have one output and one input on the WAN interface. The policing would only happen to the public address that the guest side goes out of.
HTH,
John
**** Please rate useful posts *****
11-16-2012 10:53 AM
Clear to me, thanks! I have to have a public IP for each traffic and so define both the inbound traffic and the output.
I'll do the tests next week and will report how everything went, thank you!
Regards
11-16-2012 12:00 PM
I look forward to hearing the outcome!
11-28-2012 09:29 AM
Hi J.Blakley,
I'm doing tests again. When entering the command service-policy output DIV
I get this error:
Gw_GARDEN_2901(config-if)#service-policy output DIV
Insufficient bandwidth 10000 kbps bandwidth for the percent (60%) guarantee
On the interface I configured bandwidth 10000, but it still will not let me.
I leave it as it was configured:
class-map match-all HOTEL_ADMON
match access-group 20
class-map match-all GUEST
match access-group 10
class-map match-all PoliceGuest
match access-group 101
!
!
policy-map DIV
class HOTEL_ADMON
bandwidth percent 40
shape average 4000000
class GUEST
bandwidth percent 60
shape average 6000000
class class-default
shape average 10000000
policy-map PoliceInbound
class PoliceGuest
police cir percent 60
interface GigabitEthernet0/0
description INTERNET
bandwidth 10000
ip address 201.X.X.X 255.255.255.248
ip flow ingress
ip nat outside
no ip virtual-reassembly in
duplex auto
speed auto
service-policy input PoliceInbound
ip nat pool Guest 201.X.X.X 201.X.X.X prefix-length 29
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list Guest pool Guest overload
Do you know what could be happening?
Are the commands I added to the inbound policy correct?
Thank you
Regards