02-10-2015 12:52 AM - edited 03-05-2019 12:45 AM
I would like to control the bandwidth limit on the router interface with a policy map, but it does not work. Below is the configuration. Please help me take a look. I suspect it is the NAT setting that causes the bandwidth limit not to work. If I remove the NAT, users in that subnet will not be able to access the internet.
class-map match-all subnet-a
 match access-group 101
!
policy-map physical
 class subnet-a
  police 1200000 8000000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 ip address 10.1.3.254 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 service-policy input physical
 service-policy output physical
!
interface FastEthernet0/1
 ip address 192.168.2.29 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1 permanent
ip nat inside source list 101 interface FastEthernet0/1 overload
access-list 101 permit ip 10.1.3.0 0.0.0.255 any
02-10-2015 06:46 AM
Hi,
The inbound traffic - the traffic coming to the interface - will be policed, as the class-map is matching traffic sourced from the 10.1.3.X range. On the other hand, the outbound traffic - the outgoing traffic from the interface - will not be policed, as the class-map is matching traffic sourced from the 10.1.3.X range and this is the destination instead of the source.
So, for this to work you must create another class-map matching the traffic destined to 10.1.3.X, then create another policy-map and apply it to the interface with service-policy output. Another option would be to match all the traffic coming from interface Fa0/1 with match input-interface in the class-map and in this way you do not have to create another ACL.
Hope this helps,
Jose.
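The two options from the answer above, written out as IOS configuration. This is an added example, not part of the original thread: ACL number 102 and the names subnet-a-down, from-outside and physical-out are assumptions, and the police values are reused from the question.

```cisco
! Added example, not from the original posts.
! ACL 102 and the names subnet-a-down / from-outside / physical-out are assumed.
!
! Option 1: a second ACL that matches 10.1.3.0/24 as the DESTINATION.
! Return traffic leaving Fa0/0 has already been translated back by NAT,
! so its destination is the inside address again.
access-list 102 permit ip any 10.1.3.0 0.0.0.255
!
class-map match-all subnet-a-down
 match access-group 102
!
! Option 2 (alternative to option 1): classify by ingress interface,
! so no second ACL is needed.
class-map match-all from-outside
 match input-interface FastEthernet0/1
!
! Separate policy for the output direction; same rate as the question.
policy-map physical-out
 class subnet-a-down
  police 1200000 8000000 conform-action transmit exceed-action drop
! To use option 2 instead, replace the class line above with:
!  class from-outside
!
interface FastEthernet0/0
 ! Input stays on the original policy (matches source 10.1.3.0/24).
 service-policy input physical
 ! Swap the output direction to the new policy.
 no service-policy output physical
 service-policy output physical-out
!
! Verify that both directions now count matches and drops:
!  show policy-map interface FastEthernet0/0
```

In the `show policy-map interface` output, the packet counters for the output class should increase during a download; if they stay at zero, the class-map is still not matching the return traffic.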
02-10-2015 11:27 PM
Thanks. It is working fine now.