07-29-2012 05:55 AM - edited 03-04-2019 05:06 PM
I am new here and looking for a configuration example to help me prioritize specific IP addresses from a subnet to two or three specific internal IP addresses. If anyone has a link or an example they would be willing to share I would greatly appreciate your help.
+================+ +=============+
= Subnet 10.2.2.0/x = -----> rtr ---->rtr = General Network =
+================+ +=============+
I have never done this before. It is to help a site where we have limited bandwidth and need to prioritize the packets. Naturally processes and machines at the site have priority but we are unwilling to pay for a higher bandwidth.
Thanks!!
07-29-2012 06:14 AM
You can use acls to identify the traffic. Something like:
access-list 101 permit tcp 10.2.2.0 0.0.0.255 host 172.25.25.25 eq www
access-list 101 permit tcp 10.2.2.0 0.0.0.255 host 172.25.25.50 eq ftp
Then you apply to a class map:
class-map match-any Web
 match access-group 101
Then apply to a policy-map:
policy-map Web
 class Web
  bandwidth 512
  police 768000 conform transmit exceed drop
Then apply to the outside interface:
int s0/0
 service-policy output Web
The bandwidth command reserves that amount (512K) for this subnet when going to these hosts. The police command will start policing this traffic if it goes above 768k. This isn't a low latency queue, so if you're needing something for voice, you'll want to use the "priority" command instead of bandwidth and then remove the policer because the priority command polices for you.
HTH,
John
* Please rate useful posts *
07-29-2012 09:33 AM
Thank you for the speedy reply. I just want to ask one more question.
Is it possible to do this without the "eq" statements? Another way to ask the question would be to use specific IP addresses such as:
access-list 101 permit host 10.2.2.1 host 172.16.1.1
access-list 101 permit host 10.2.2.2 host 172.16.1.2
Also, I have never done this but understand that you can mark or color the packet going in and out with a dsfp (sp) bit?
If so how do you do this?
Thank you again for your help.
07-29-2012 09:56 AM
Yes, you can create your acls like that as well and it will match any traffic coming from host to host.
access-list 101 permit ip host 10.2.2.1 host 172.16.1.1
access-list 101 permit ip host 10.2.2.2 host 172.16.1.2
etc.
You can set a dscp value outbound on the wan side, or set it on the lan side to make a decision on the wan side. The latter would require a separate service policy inbound on the lan side. If you set the value outbound on the wan side, depending on the way your connection is, the ISP might strip your tag and you won't receive what you think you should be on the other side.
To set the tag, you can do something like:
class-map match-any SetTag
 match access-group 101
class-map match-all Web
 match dscp af21
policy-map SetTag
 class SetTag
  set dscp af21
policy-map Web
 class Web
  bandwidth 512
  police 768000 conform transmit exceed drop
int
 service-policy output Web
int
 service-policy input SetTag
This would set your host traffic to tag af21 inbound on the lan side and then match that tag outbound on the wan side. Generally, you would match on the other side though for managing the traffic inbound on the wan side. You can also set your tag outbound at the same time of setting the tag:
policy-map Web
 class Web
  set dscp af21
  bandwidth 512
  police 768000 conform transmit exceed drop
Then you'd match on af21 on the inbound direction on the wan side of the other end. Along with that, you can also set the tag on the police command:
police 768000 conform transmit exceed set-dscp-transmit af21
This is usually in response to when you don't want to necessarily drop the traffic here, but you may need to drop the traffic later on down the path.
Just remember that whatever you do outbound on your router can possibly be overwritten by the ISP. If you're on an mpls network, you usually have to go through the ISP to have them honor your tags so they won't overwrite them.
HTH,
John
* Please rate if it helps *
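Added example (not part of the original thread and not the poster's code): a small Python check for the caveat in the reply above, that a provider may rewrite the tag in transit. It parses IPv4 headers captured at the far end and reports flows from access-list 101 that did not arrive as AF21; the sample headers are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

AF21 = 18  # DSCP AF21 = binary 010010, the value "set dscp af21" writes

# Host pairs from access-list 101 in the post above.
MARKED_FLOWS = {("10.2.2.1", "172.16.1.1"), ("10.2.2.2", "172.16.1.2")}


def parse_ipv4(header: bytes):
    """Return (src, dst, dscp) from the first 20 bytes of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = header[1]
    src = str(ipaddress.IPv4Address(header[12:16]))
    dst = str(ipaddress.IPv4Address(header[16:20]))
    return src, dst, tos >> 2  # DSCP is the top six bits of the ToS byte


def audit(headers):
    """List (src, dst, dscp) for ACL-101 flows that did not arrive as AF21."""
    findings = []
    for raw in headers:
        src, dst, dscp = parse_ipv4(raw)
        if (src, dst) in MARKED_FLOWS and dscp != AF21:
            findings.append((src, dst, dscp))
    return findings


def build_header(src, dst, dscp):
    """Construct a minimal IPv4 header for the sample data (checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, dscp << 2, 20, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


# Constructed sample: what the far-end router might see after the WAN hop.
SAMPLE = [
    build_header("10.2.2.1", "172.16.1.1", AF21),  # tag survived
    build_header("10.2.2.2", "172.16.1.2", 0),     # tag reset to best effort
    build_header("10.2.2.9", "172.16.1.9", 0),     # not in access-list 101
]

if __name__ == "__main__":
    for src, dst, dscp in audit(SAMPLE):
        print(f"{src} -> {dst}: expected DSCP {AF21}, saw {dscp}")
```
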
07-29-2012 12:24 PM
Thank you for helping me. This helps me quite a bit. Again I am new to this and learning. I read all around CCO and couldn't find anything like this.
It was very nice of you to help me and to do so as quickly as you did.
Thank You!!
07-29-2012 01:09 PM
No problem at all. Here is some documentation to look at:
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_mqc/configuration/12-4/qos-mqc.html
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/fqos_c.html
The first one is on 12.4 IOS and will walk you through configuring qos with mqc. The 2nd link covers the different commands like police, shape, bandwidth, etc.