09-21-2011 08:10 PM - edited 03-04-2019 01:41 PM
We manage an IP network with about 50 sites, all connected in a partial mesh of T3 and T1 circuits, all terminated onto various ISRs. Management has told a business partner that they can "ride our network" between a few of the sites. Our partner has said they'll only need 1 Mbit of bandwidth. We are going to provision two 1GE interfaces at each site for the partner to connect to their switch(es).
How would I best limit their traffic to really only use 1 Mbit over the WAN? Rate limiting the input was my first thought, but the partner could load balance and get 2 Mbits. QoS using DSCP is another option, but I'd rather reserve my QoS markings for types of traffic that don't care "who" the traffic is for. I don't really want to be in the service provider business either, so a full MPLS deployment with VRFs seems like overkill.
Any suggestions?
09-22-2011 02:03 AM
You must put the policy on the output interface of your WAN router.
We had to solve a similar problem and it works fine. Please check the sample config below:
class-map match-any CM_DC2HGT-PL
 match access-group name DC2HGT-PL
policy-map PM_FAULT_MS
 class CM_DC2HGT-PL
  police 1000000 10000
 class class-default
  shape average
ip access-list extended DC2HGT-PL
 permit ip host 10.2.0.100 10.0.0.0 0.0.255.255
 permit ip host 10.2.0.101 10.0.0.0 0.0.255.255
int gi ..
 descr WAN-side
 service-policy output PM_FAULT_MS
regards,
Leo
09-22-2011 03:43 AM
Thank you, I like that for a single-homed site since it polices based on subnet and not DSCP as I was thinking. For a dual-homed site this still gives the partner a chance to load balance and get 2 Mbits. Perhaps I need to use PBR to force all their traffic out one interface. (I know this is being stingy with bandwidth, but my requirement is to give them no more than 1 Meg, while still being redundant. Not sure if I can even do it.)
09-22-2011 09:59 AM
Yes you could PBR, or perhaps compromise and configure each router to allow 750 Kbps. This permits an aggregate of 1.5 Mbps, but unless you're doing some form of packet-by-packet load balancing, aggregate will often be less. Adjust to taste.
PS:
You might want to shape your partner's bandwidth rather than police.
If the physical interface is the maximum possible WAN bandwidth, there's no need to shape in the class-default.
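The dual-homing trade-off discussed in this thread, as an added example that is not part of any post: a simplified token-bucket model of the `police 1000000 10000` setting applied independently on two WAN routers, comparing 1 Mbps and 750 Kbps per router. The per-flow split (`flow_id % routers`), the 1000-byte packet size, and the offered rates are constructed assumptions.

```python
# Added example: simplified token-bucket model of per-router policing.
# All traffic here is constructed; this is not a capture from a real network.

class Policer:
    """Single-rate policer in the style of `police <bps> <burst-bytes>`:
    conforming packets are sent, exceeding packets are dropped."""
    def __init__(self, rate_bps, burst_bytes):
        self.fill = rate_bps / 8          # refill rate in bytes per second
        self.burst = burst_bytes          # bucket depth in bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0                   # time of the previous packet
        self.passed = 0                   # bytes that conformed

    def offer(self, t, size):
        elapsed = t - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.fill)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            self.passed += size

def aggregate_bps(flows, per_router_bps, burst_bytes=10000,
                  routers=2, duration=10.0, pkt=1000):
    """flows: list of (flow_id, offered_bps).
    Assumption: the partner load-balances per flow, modelled as
    flow_id % routers. Returns delivered bits per second across all routers."""
    policers = [Policer(per_router_bps, burst_bytes) for _ in range(routers)]
    events = []
    for flow_id, offered_bps in flows:
        gap = pkt * 8 / offered_bps       # seconds between packets of this flow
        events += [(i * gap, flow_id) for i in range(int(duration / gap))]
    for t, flow_id in sorted(events):
        policers[flow_id % routers].offer(t, pkt)
    return sum(p.passed for p in policers) * 8 / duration

TWO_FLOWS = [(0, 2_000_000), (1, 2_000_000)]  # one flow lands on each router
ONE_FLOW = [(0, 2_000_000)]                   # everything hashes to one router

if __name__ == "__main__":
    print("1 Mbps per router, balanced  :", aggregate_bps(TWO_FLOWS, 1_000_000))
    print("750 Kbps per router, balanced:", aggregate_bps(TWO_FLOWS, 750_000))
    print("750 Kbps per router, one flow:", aggregate_bps(ONE_FLOW, 750_000))
```

With balanced flows the 1 Mbps policers deliver roughly 2 Mbps in total, the 750 Kbps policers roughly 1.5 Mbps, and a single flow pinned to one router gets only about 750 Kbps.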