Showing results for 
Search instead for 
Did you mean: 

Policy-map is wasting my BANDWIDTH

hello , i have asr1006 and i used it for PPPOE server for user

 For example 

500 users is connected to router via PPPOE 

and they have all of them downloading file

and i config when user connected he get Policy-map

Policy Map user

  Class class-default

   police cir 100000 bc 3125

     conform-action transmit

      exceed-action drop


so if all of them downloading in same time

they traffic must be 500Mbps ,

but i see they input interface is have 700Mbps traffic And PRTG of my ISP Is read 700Mbps


 why ? and all of users  has policy-map and they traffic speed is limited to 1Mbps?


maybe they have dropped and the Send request to internet and internet replay to them so the traffic is has more of 500Mbps



how to limit user and when he have drop he must can’t send more upload packet 


* i use radus to set policy name when user connect 

* ii need to limit user a thought not just out or in

so if he have downloading 1mbps he can’t send more request to internet and that will save my traffic 

12 Replies 12



how do you have this set up, is this a test lab ? How do you simulate 500 users downloading files at exactly the same time ?

hello we are ISP , now i have my Router with 1000 real user is online ..


But i give you small example to understand my issue ,


another example 

1000 real user is online , and all of them has policy-map 1Mbps

but i can see they traffic more of 800Mbps or 900Mbps , and is imposable all of them downloading  download same ,


what i mean ,i need to policy-map user for thought traffic not two policy - upload/Download 


My analysis is all user have 1Mbps Download limited , but when user downloading and use all his traffic (1m) he have another policy-map for upload so he can send more request for example (browsing) , his request will get replay from internet  to my router , and my router will drop this packer because user have use all of 1mbps , but the packet already delivery to my router and this wasting my BANDWIDTH 





Joseph W. Doherty
Hall of Fame
Hall of Fame

Where are you measuring the aggregate bandwidth usage?

If, for example, as an ingress policy on an interface, ingress could exceed the policing limits, as the traffic enters the interfaces, but shouldn't exceed the aggregate as forwarded to the egress interface(s).

If, the other hand, you have this as an egress policy, on an interface, then I would expect that interface not to exceed the aggregate unless there's other egress bandwidth not subject to the policy.

Hello, thanks for reply

let me give me your details,

my router has two interface

ten 0/0/0 is connect with my ISP

Ten 0/1/0 is has vlans with pppoe to my user's


so interface ten 0/0/0 is input my service


all user's in Ten 0/1/0 has limited with 1Mbps policy-map


but in peak-time traffic, for 500 user's has traffic more of 700Mbps

interface ten 0/0/0 input: 700Mbps
interface Ten0 / 1/0 Ouput : 700Mbps

how that ? and all user's is have limit traffic with 1Mbps

so if they are all of them downloading files in same time (and that's imposable) the Will not exceed 500Mbps , but the real traffic from my ISP is 700Mbps










Again, what interface(s) and what direction(s) (i.e. in or out or both) is policy assigned?

Policy Map user
  Class class-default
   police cir 100000 bc 3125
     conform-action transmit
      exceed-action drop

bba-group pppoe PPPOE-DEFAULT
 virtual-template 101
 sessions per-vc limit 1
 sessions per-mac limit 1
 sessions per-vlan limit 10000 inner 10000
 sessions auto cleanup

interface Virtual-Template100
 description POOL-QINQ
 mtu 1492
 ip unnumbered Loopback0
 ip nat inside
 ip tcp adjust-mss 1440
 keepalive 15
 ppp mtu adaptive
 ppp authentication chap ms-chap ms-chap-v2 eap pap
 ppp ipcp dns
 ppp timeout retry 9
 ppp timeout authentication 20
 ppp timeout idle 172800 either

interface TenGigabitEthernet0/1/0
 description ISP-IN
 ip address 94.X.X.X
 ip nat outside

interface TenGigabitEthernet0/1/0.20
 description USER
 encapsulation dot1Q 913 second-dot1q any
 pppoe enable group PPPOE-QINQ

Type: PPPoE, UID: 9317, State: authen, Identity: adminsaad@o2
IPv4 Address:
Session Up-time: 2d20h   , Last Changed: 2d20h
Interface: Virtual-Access1.7748
Switch-ID: 34067519

Policy information:
  Context 7FE3FF8300D8: Handle 90020080
  AAA_id 0003F65B: Flow_handle 0
  Authentication status: authen

Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    71395279   7947823856             0    Match Any
1           Out   126300009  154445884464           0    Match Any


QoS Policy Map:
Class-id    Dir   Policy Name   Source
0           Out          user            Peruser

IP Config:
M=Mandatory, T=Tag, Mp=Mandatory pool
Flags  Peer IP Address                  Pool Name             Interface                          subscriber2           [None]
       ::                               [None]                [None]

Absolute Timeout:
Class-id   Timeout Value    Time Remaining       Source
0          2741505          4w0d                 Peruser

Idle Timeout:
Class-id   Dir  Timeout value   Idle-Time            Source
0          In   172800          00:00:02             Virtual-Template100
1          Out  172800          00:00:02             Virtual-Template100

Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   2d20h        -               Peruser
INT   2d20h        -               Virtual-Template100


Type: PPPoE, UID: 9317, State: authen, Identity: adminsaad@o2
IPv4 Address:
Session Up-time: 2d20h   , Last Changed: 2d20h
Interface: Virtual-Access1.7748
Switch-ID: 34067519

Policy information:
  Context 7FE3FF8300D8: Handle 90020080
  AAA_id 0003F65B: Flow_handle 0
  Authentication status: authen

Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    71395279   7947823856             0    Match Any
1           Out   126300009  154445884464           0    Match Any


QoS Policy Map:
Class-id    Dir   Policy Name   Source
0           Out          user            Peruser

IP Config:
M=Mandatory, T=Tag, Mp=Mandatory pool
Flags  Peer IP Address                  Pool Name             Interface                          subscriber2           [None]
       ::                               [None]                [None]

Absolute Timeout:
Class-id   Timeout Value    Time Remaining       Source
0          2741505          4w0d                 Peruser

Idle Timeout:
Class-id   Dir  Timeout value   Idle-Time            Source
0          In   172800          00:00:02             Virtual-Template100
1          Out  172800          00:00:02             Virtual-Template100

Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   2d20h        -               Peruser
INT   2d20h        -               Virtual-Template100

  Service-policy output: ussr

    Class-map: class-default (match-any)
      14559817 packets, 2670943646 bytes
      30 second offered rate 18000 bps, drop rate 0000 bps
      Match: any
          cir 10000000 bps, bc 2500000 bytes
        conformed 14515097 packets, 2569676143 bytes; actions:
        exceeded 75791 packets, 105166670 bytes; actions:
        conformed 18000 bps, exceeded 0000 bps



looking at your output:


Class-map: class-default (match-any)
14559817 packets, 2670943646 bytes
30 second offered rate 18000 bps, drop rate 0000 bps
Match: any
cir 10000000 bps, bc 2500000 bytes
conformed 14515097 packets, 2569676143 bytes; actions:
exceeded 75791 packets, 105166670 bytes; actions:
conformed 18000 bps, exceeded 0000 bps


--> cir 10000000 bps equals 10Mbps, not 1Mbps

hello , thanks for replay,  yes in config i was open 10Mbps in night time



but i mean in peak-time traffic  i give user1' 1Mpbs 



Policy Map user

  Class class-default

   police cir 100000 bc 3125

     conform-action transmit

      exceed-action drop

but the are using  more than expected traffic



Policy Map user

Class class-default

police cir 100000 bc 3125

conform-action transmit

exceed-action drop


I think the value is in bits per second, so you need to add a '0' for one Mbit. 100000 means 0.1 Mbit.

hello ,thanks for reply 

don't care about some text error 



i mean when use limit


Policy Map user

Class class-default

police cir 1000000 bc 3125

conform-action transmit

exceed-action drop


for 500 user'

the in interface traffic is going to more of 500Mbps (600 or 700 )

so how that's and all user's has limit traffic for 1Mbps






any idea how to limit use for throughput not just upload or download  
so if he download file with speed 1Mbps
he can't upload file in  same time 

Review Cisco Networking for a $25 gift card