
Re: Please Help me to Verify Our Configuration with policy map (

Do all my clients access the internet with this configuration, or should I use NAT?

I mean the University X clients?

And by central site router, do you mean the core router (co-location router, see my topology) or one at University X?

Because, as I see it, this setting should be applied to my core router?

Note: not all universities use Cisco routers; we should take care with these universities.

Please amend the configuration so that everything is clear to me (the previous configuration has been added).

I am not good at English.

Q1) On central site router

int tunnel GRE x
 ip nat inside
int tunnel GRE y
 ip nat inside
int tunnel GRE z
 ip nat inside
! you also need an ip nat inside on the internal network of the central site and an ip nat outside on the interface facing the internet

You need an extended ACL to avoid NAT between universities

access-list 161 deny ip
access-list 161 permit ip 10.x.0.0 any
access-list 161 permit ip 10.y.0.0 any
access-list 161 permit ip 10.z.0.0 any
access-list 161 permit ip 10.k.0.0 any
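
The NAT exemption pattern of access-list 161 (deny university-to-university traffic first, then permit each university to any), as an added example that is not part of the original post: a first-match evaluator that shows which flows would be translated and what happens when the deny line is placed last. The 10.0.0.0/8 internal range, the per-site /16 networks and the sample flows are assumptions constructed for the illustration.

```python
import ipaddress

# Assumed addressing (not on the page): all universities live inside
# 10.0.0.0/8, one /16 per site. Sample flows below are constructed.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")
SITES = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]


def build_nat_acl(sites):
    """Ordered (action, source, destination) entries in the shape of ACL 161."""
    acl = [("deny", INTERNAL, INTERNAL)]  # university to university: never NAT
    acl += [("permit", ipaddress.ip_network(s), ANY) for s in sites]
    return acl


def evaluate(acl, src, dst):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def is_translated(acl, src, dst):
    """NAT applies only to flows the ACL permits."""
    return evaluate(acl, src, dst) == "permit"


def deny_moved_last(acl):
    """Failure mode: the same entries with the deny line after the permits."""
    return acl[1:] + acl[:1]


if __name__ == "__main__":
    good = build_nat_acl(SITES)
    bad = deny_moved_last(good)
    flows = [("10.1.5.20", "10.2.7.9"),       # site 1 to site 2 over GRE
             ("10.1.5.20", "198.51.100.10"),  # site 1 to the internet
             ("10.9.1.1", "198.51.100.10")]   # source not listed in the ACL
    for src, dst in flows:
        print(f"{src:>10} -> {dst:<14} correct={is_translated(good, src, dst)!s:<5} "
              f"deny-last={is_translated(bad, src, dst)}")
```
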

Hall of Fame Expert

Please Help me to Verify Our Configuration with policy map (Band

Hello Fadi,

central site router = Core router

NAT is needed in one place: either you do it on the core router or you do it at each client site/university.

A client site with independent internet access will have a static default route pointing to the interface with the public IP address instead of pointing to the GRE tunnel.

WARNING: my statements are suggestions; you need to understand NAT in order to be able to achieve this.

Hope to help



Re: Please Help me to Verify Our Configuration with policy map (

Hello Giuseppe,

I hope you are fine.

You know I have 25 MBPS (link speed via VPN) for each university.

All universities communicate with each other as an internal network,

and the policy is applied to the interface that connects all universities (GigabitEthernet0/1).

The internet comes in on interface GigabitEthernet0/2.

My problem:

I think this policy is not working as I expect (the internal and external traffic is limited to 34 MBPS).

I need the internal network working without any problems and without limitation on link speed.

Only the internet should be limited for each university.

I think the policy should be applied to the interface towards the internet (GigabitEthernet0/2).

Please, I need your advice.

class-map match-all Class_144
 match access-group 144
class-map match-all Class_132
 match access-group 132
class-map match-all Class_120
 match access-group 120
class-map match-all Class_112
 match access-group 112
class-map match-all Class_104
 match access-group 104
class-map match-all Class_140
 match access-group 140
class-map match-all Class_136
 match access-group 136
class-map match-all Class_124
 match access-group 124
class-map match-all Class_116
 match access-group 116
class-map match-all Class_108
 match access-group 108
class-map match-all Class_128
 match access-group 128
class-map match-all Class_148
 match access-group 148

policy-map All_Class
 class Class_104
  bandwidth 2901
 class Class_108
  bandwidth 2901
 class Class_112
  bandwidth 2901
 class Class_116
  bandwidth 2901
 class Class_120
  bandwidth 2901
 class Class_124
  bandwidth 2901
 class Class_128
  bandwidth 2901
 class Class_132
  bandwidth 2901
 class Class_136
  bandwidth 2901
 class Class_140
  bandwidth 2901
 class Class_144
  bandwidth 2901
 class Class_148
  bandwidth 2901
 class class-default

policy-map Egress
 class class-default
  shape average 34816000
  service-policy All_Class

interface GigabitEthernet0/1
 mtu 1524
 ip address
 service-policy output Egress

access-list 104 permit ip any
access-list 108 permit ip any
access-list 112 permit ip any
access-list 116 permit ip any
access-list 120 permit ip any
access-list 124 permit ip any
access-list 128 permit ip any
access-list 132 permit ip any
access-list 136 permit ip any
access-list 140 permit ip any
access-list 144 permit ip any
access-list 148 permit ip any

Hall of Fame Expert

Re: Please Help me to Verify Our Configuration with policy map (

Hello Fadi,

I agree that the internet facing interface would be the interface to apply the QoS policy, but you control only the upstream direction, not the downstream direction.

By applying the policy map to the internet facing interface you would control the upstream direction of traffic from universities to the internet, which is lower in traffic volume, and not the traffic from the internet to the universities.

Actually the downstream direction is not under your control.

On the other hand, if the policy were able to discriminate between traffic coming from the internet and traffic between universities, it could be applied outbound on the interface towards the universities and would control the downstream direction from the internet.

Traffic between universities travels on GRE tunnels, making it difficult to discriminate.

There is a special command for these cases, qos pre-classify, to be configured on all tunnel interfaces. It should allow the router to examine the traffic before GRE encapsulation.

The only doubt I have is if the service policy should be applied to each tunnel interface to take advantage of the qos pre-classify command.

A totally different configuration of the policy map would be needed.

At this point a different policy map for each GRE Tunnel would be needed using two traffic classes on each.


access-list 181 deny  ip 10.0.k.0
access-list 181 permit ip any  10.0.k.0

class-map INTERNET-K
 match access-group 181

policy-map TO-UNI-K
 class INTERNET-K
  shape average 2900000
 class class-default

interface tunnel K
 description to university K
 qos pre-classify
 service-policy output TO-UNI-K

Hope to help



Re: Please Help me to Verify Our Configuration with policy map (

Hello Giuseppe,

Tired of all this.

I need something simple to apply on my router.

I need to know how an ISP company limits traffic.

You know I have 34meg internet that I need to distribute to 12 universities without affecting internal traffic (traffic based on idle use).

All branches = 34/12 = 2.8 MEG

But when one branch is not using the internet:

All branches = 34/11 = 3 MEG

The 12 branches exchange data internally at the full line speed (25meg VPN), but when a branch needs to use the internet, the traffic policy must be applied to use the quota.

Best Regards
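
The quota arithmetic in the post above (34/12 when every branch is active, 34/11 when one is idle), as an added example that is not part of the original thread: a max-min fair split of the link next to a fixed per-site cap of the kind set by shape average 2900000. It is a calculation model only and does not reproduce how a router schedules packets; the 25000 kbit/s demands are constructed.

```python
LINK_KBPS = 34816        # from "shape average 34816000" in the thread
STATIC_CAP_KBPS = 2900   # from "shape average 2900000" per tunnel


def fair_share(demands, capacity=LINK_KBPS):
    """Max-min fair split of the internet link among sites (kbit/s)."""
    alloc = {site: 0.0 for site in demands}
    active = {s for s, d in demands.items() if d > 0}
    remaining = float(capacity)
    while active:
        share = remaining / len(active)
        satisfied = {s for s in active if demands[s] <= share}
        if not satisfied:              # everyone left wants more than an equal cut
            for s in active:
                alloc[s] = share
            break
        for s in satisfied:            # light users get their demand, free the rest
            alloc[s] = float(demands[s])
            remaining -= demands[s]
        active -= satisfied
    return alloc


def static_cap(demands, cap=STATIC_CAP_KBPS):
    """Fixed per-site shaper: nobody exceeds the cap, even on an idle link."""
    return {site: float(min(d, cap)) for site, d in demands.items()}


def unused(alloc, capacity=LINK_KBPS):
    """Capacity left on the link after the given allocation (kbit/s)."""
    return capacity - sum(alloc.values())


if __name__ == "__main__":
    # Constructed demand: 11 universities want 25 Mbit/s each, one is idle.
    demands = {f"uni{i}": 25000 for i in range(1, 12)}
    demands["uni12"] = 0
    fair, capped = fair_share(demands), static_cap(demands)
    print(f"fair share per active site: {fair['uni1']:.0f} kbit/s, "
          f"unused {unused(fair):.0f}")
    print(f"static cap per active site: {capped['uni1']:.0f} kbit/s, "
          f"unused {unused(capped):.0f}")
```
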
