Solved: Limiting bandwidth on Cisco router (possible 1800 series)

Difan Zhao · ‎07-29-2010

Hi experts,

I'm just seeking some ideas in my setup scenario.

I will have this one router. Its f0/0 will be for the Internet connection with bandwidth of 30Mbps. Its f0/1 will be connected to a switch for internal networks. This link will be separated to 3 VLANs for 3 internal networks. I'm wondering if there is a way to gurantee 10Mbps for each VLAN but allow use up to 30Mbps when another two VLANs are not using any Internet bandwidth? I only worry about download bandwidth from internet.

The 3 internal networks will all have public IPs and they belong to their own subnets. There won't be NAT/PAT.

A sample config is greatly appreciated!

Thanks!

Difan

gatlin007 · ‎08-02-2010

The following example polices the inside interface to 30Mbps. It also utilizes a fair queue mechanism so that all subnets are queued equally yet can use the entire purchased rate in the absence of competing traffic.

access-list 101 permit ip any a.a.a.a w.w.w.w ## Subnet A

access-list 102 permit ip any b.b.b.b w.w.w.w ## Subnet B

access-list 103 permit ip any c.c.c.c w.w.w.w ## Subnet C

class-map subnet-a
match access-group 101

class-map subnet-b
match access-group 102

class-map subnet-c
match access-group 103

policy-map subnets
class-map subnet-a
bandwidth percent 33
class-map subnet-b
bandwidth percent 33
class-map subnet-c
bandwidth percent 33
exit

policy-map physical
class class-default
police 30000000 conform-action transmit exceed-action drop
service-policy subnets
exit

int fa0/1
service-policy output physical
exit

View solution in original post

rechard_hk · ‎08-02-2010

Dear christopher,

Thanks you for your post!!!!

So i would like to ask you some question that on your configuration you mean that Vlan A bandwidth 10MB,Vlan B bandwidth 10MB and Vlan C bandwidth 10MB right? if conrrect, so how can we know that the traffice can share 10 MB?

Best Regards,

Rechard

View solution in original post

gatlin007 · ‎08-02-2010

The following example polices the inside interface to 30Mbps. It also utilizes a fair queue mechanism so that all subnets are queued equally yet can use the entire purchased rate in the absence of competing traffic.

access-list 101 permit ip any a.a.a.a w.w.w.w ## Subnet A

access-list 102 permit ip any b.b.b.b w.w.w.w ## Subnet B

access-list 103 permit ip any c.c.c.c w.w.w.w ## Subnet C

class-map subnet-a
match access-group 101

class-map subnet-b
match access-group 102

class-map subnet-c
match access-group 103

policy-map subnets
class-map subnet-a
bandwidth percent 33
class-map subnet-b
bandwidth percent 33
class-map subnet-c
bandwidth percent 33
exit

policy-map physical
class class-default
police 30000000 conform-action transmit exceed-action drop
service-policy subnets
exit

int fa0/1
service-policy output physical
exit

rechard_hk · ‎08-02-2010

Dear christopher,

Thanks you for your post!!!!

So i would like to ask you some question that on your configuration you mean that Vlan A bandwidth 10MB,Vlan B bandwidth 10MB and Vlan C bandwidth 10MB right? if conrrect, so how can we know that the traffice can share 10 MB?

Best Regards,

Rechard

gatlin007 · ‎08-02-2010

Rechard,

You are correct.

The parent policy (physical) limits the traffic to 30Mbps. The child policy (subnets) allocates 33% of available bandwidth to each subnet. In this case it should be very close to 10Mbps for each subnet. This is a fair queue mechanism so it will only enforce the 10Mbps limit if all subnets are in contention with each other. If subnet A and B are idle subnet C can take all 30Mbps.

Chris

Difan Zhao · ‎08-02-2010

Hi Chris,

Thank you very much for the config and the diagram!

However does it mean that I have to use secondard IPs instead of using VLAN sub-interfaces? I was going to create three sub-interfaces f0/1.10, f0/1.20 and f0/1.30. In this case I think I probably can still use your policy-map and class-map. However where do I implement the policy? If I put it under f0/1, will it affect all three sub-interfaces?

Thanks!

Difan

gatlin007 · ‎08-03-2010

Difan,

Yes, applying it to the physical interface should affect all traffic traversing that interface; which includes all sub-interfaces. This link has one example of this approach, but you must dig to find it.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Ethernet_Access_for_NG_MAN_WAN_V3.1_external.html

I'm not sure if this technique is supported on the 1800, but it's worth a try.

If not you could police each sub-interface. This would ensure good service for everyone but leave bandwidth unused and unavailable during idle times.

Chris

Difan Zhao · ‎08-04-2010

Hi Chris,

It works great! I put it on f0/1 and it does affect all the sub-interfaces. Awesome solution! Thank you!

Difan

sunkarwall · ‎08-28-2010

.

Joseph W. Doherty · ‎09-22-2011

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

For the policy described, it might appear to be working correctly, but from what you've noted as your requirements, don't believe it does.

The issue I see is that parent is configured with a policer, not a shaper. This indeed will limit overall bandwidth to 30 Mbps, but will not cause packets to queue in the child policy where each is guaranteed 1/3 of the bandwidth.

Other issues include: if the ingress link from Internet actually only provides 30 Mbps, how would there be excess bandwidth to manage on the egress link to the LAN? If the ingress link actually provides more than 30 Mbps, an overall shaper or policer, applies to all traffic, i.e. it negates the excess bandwidth. Additionally, downstream policers or shapers, although they can control bandwidth downstream of them, are not fully effective managing upsteam bandwidth.

The right way to apply this policy is to apply in at egress on the Internet side that's sending to you. Unfortunately, often not possible because it's ISP equipment and they often will not cooperate.

Deathshar · ‎09-22-2011

Actulally i have in my control the 2 routers that the fiber link is connected and i want to slice the 50Mbit to 3 vlans

so if i apply this tou both routers then it will work for in and out for each router as as they would not be able to send mor than their limit resulting the other to receive at the same speed that it sends......

or am i wrong?

Joseph W. Doherty · ‎09-23-2011

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

No, you're not wrong.

If you control the two ends of the link, that's exactly want you want, a policy as described on both ends egress (to the fiber).

The parent policy's shaper restricts the overall bandwidth, since it's less than what the physical interface offers. (NB: wouldn't be needed if you were using all the physical interface bandwidth, e.g. 100 Mbps fiber).

The child policy controls bandwidth sharing when there's congestion.

Kishore Chennupati · ‎09-25-2011

Just my 2 cents on this. You have a policer of 30Mbps on the interface between the router and the switch. This means that any communcation between the subnets will also be restricted to 30mbps. not sute if u like that

Deathshar · ‎10-03-2011

What IOS does it need to work ?? because i have Entbase on my 2801 and it doesnt have the bandwidth command.

Deathshar · ‎09-22-2011

Hello, can i apply this to 3 different interfaces instead of subinterfaces?

I have 3 vlans on 3 different interfaces on a router and i want them to limit their bandwith throuth the out interface

the one vlan is for internet and the other 2 are private vlans.

Thanks for you time.

Alan Daniel Chavira Rodriguez · ‎07-06-2012

Hello everybody,

I have the same scenario, One internet (50mbps) and 3 vlans on the lan and I need shape each vlan (vlan1 25mbps, vlan2 15mbps and vlan3 10mbps) so I follow your instruccionts but if I connect to any vlan ever I have 50mbps then I make the test with 2 PC´s each in different vlan download and upload but the shape not work well.

If a show policy-map physical I can see that all traffic go to default class but I do not why?

Here is my config:

class-map match-any subnet-b

match access-group 102

class-map match-any subnet-c

match vlan 3

match input-interface FastEthernet4

match access-group 101

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

access-list 102 permit ip 10.1.2.0 0.0.0.255 any

access-list 103 permit ip 10.1.3.0 0.0.0.255 any

policy-map subnets

class subnet-a

bandwidth 25000

class subnet-b

bandwidth 15000

class subnet-c

bandwidth 9999

policy-map physical

class class-default

shape average 50000000

service-policy subnets

interface FastEthernet0

ip address 172.16.1.10 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

service-policy output physical

end

interface Vlan1

ip address 10.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

no autostate

end

interface Vlan2

ip address 10.1.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

no autostate

end

interface Vlan3

ip address 10.1.3.1 255.255.255.0

ip nat inside

ip virtual-reassembly

no autostate

end

Here the show policy-map....

Router1811#sh policy-map interface fa0

FastEthernet0

Service-policy output: physical

Class-map: class-default (match-any)

5259740 packets, 7474775689 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 5259739/7474776995

shape (average) cir 50000000, bc 1250000, be 1250000

target shape rate 50000000

Service-policy : subnets

Class-map: subnet-a (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group 101

0 packets, 0 bytes

5 minute rate 0 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 25000 kbps

Class-map: subnet-b (match-any)

1137 packets, 95142 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group 102

1 packets, 66 bytes

5 minute rate 0 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 1137/95142

bandwidth 15000 kbps

Class-map: subnet-c (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: vlan 3

0 packets, 0 bytes

5 minute rate 0 bps

Match: input-interface FastEthernet4

0 packets, 0 bytes

5 minute rate 0 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 9999 kbps

Class-map: class-default (match-any)

5258603 packets, 7474680547 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 5258602/7474681853