QOS Bandwidth limitation Not working

MohammadSalih · ‎06-16-2022

hi every one ,

i have more than vlan and i have 100 mbps internet access ,

i want to divide the 100mbps on my vlans .

i do QOS command and it doesn't work , i have 2951 router

the command is :

access-list 110 permit ip 192.168.110.0 0.0.0.255 any

access-list 120 permit ip 192.168.120.0 0.0.0.255 any

class-map match-all 110
match access-group 110

class-map match-all 120
match access-group 120

policy-map BAND
class 110

police 20000000 conform-action transmit exceed-action drop

class 120

police 20000000 conform-action transmit exceed-action drop

interface GigabitEthernet0/1

service-policy input BAND
service-policy output BAND

________________

this is the show version

Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 19:11 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

UCIDN-NOC-RT uptime is 11 weeks, 5 days, 21 minutes
System returned to ROM by power-on
System restarted at 08:44:07 UTC Sat Mar 26 2022
System image file is "flash0:c2951-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2951/K9 (revision 1.1) with 472064K/52224K bytes of memory.
Processor board ID FGL202510F3
7 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
255488K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2951/K9 FGL202510F3

Technology Package License Information for Module:'c2951'

-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc uck9 Permanent uck9
data None None None

Configuration register is 0x2102

balaji.bandi · ‎06-16-2022

I have done some test way back check below config may help you :

https://www.balajibandi.com/?p=1606

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MohammadSalih · ‎06-16-2022

thanks for replying still not working,

balaji.bandi · ‎06-16-2022

Can you post updated config ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MohammadSalih · ‎06-16-2022

when i write the command

#sh policy-map interface gigabitEthernet 0/1
GigabitEthernet0/1

Service-policy input: limit

Class-map: 120 (match-all)
16165 packets, 3345584 bytes
5 minute offered rate 56000 bps, drop rate 10000 bps
Match: access-group 120
police:
cir 2000000 bps, bc 62500 bytes
conformed 14983 packets, 2773433 bytes; actions:
transmit
exceeded 1182 packets, 572151 bytes; actions:
drop
conformed 387000 bps, exceed 68000 bps

Class-map: class-default (match-any)
9722 packets, 1715733 bytes
5 minute offered rate 28000 bps, drop rate 0 bps
Match: any

Service-policy output: limit

Class-map: 120 (match-all)
5 packets, 370 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 120
police:
cir 2000000 bps, bc 62500 bytes
conformed 5 packets, 370 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
2259731 packets, 2733676456 bytes
5 minute offered rate 44111000 bps, drop rate 0 bps

int shows that only input work (upload)

the output didn't work (Download)

MohammadSalih · ‎06-16-2022

when i write the command

#sh policy-map interface gigabitEthernet 0/1

it shows that only input work (upload)

the output didn't work (Download)

paul driver · ‎06-16-2022

Hello

@MohammadSalih wrote:

when i write the command

#sh policy-map interface gigabitEthernet 0/1

it shows that only input work (upload)

the output didn't work (Download)

The service policy is only apllicable for ingress traffic into the vlan

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MohammadSalih · ‎06-16-2022

Hello

wrote:

when i write the command

#sh policy-map interface gigabitEthernet 0/1

it shows that only input work (upload)

the output didn't work (Download)

The service is only apllicable for ingress traffic into the vlan

is there any other way to limit output bandwidth for subnets ?

balaji.bandi · ‎06-16-2022

as per my testing and understanding -

Policy maps can be configured on ingress or egress devices

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MohammadSalih · ‎06-16-2022

in my case only the ingress is work

the egress not work ,

my device is 2951 is there any problem with this series or there are problem with the ios ?

balaji.bandi · ‎06-16-2022

That is the Limitation, most case we intiate the traffic from Lan, if any traffic coming from outside you can apply on outside interface.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul driver · ‎06-16-2022

Hello
Append the vlan to the class map related to polucy map applied to the interface.

class-map match-all 110
match vlan 110

class-map match-all 120
match vlan 120

int x/x
service-policy input BAND

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MohammadSalih · ‎06-16-2022

when i write the command

#sh policy-map interface gigabitEthernet 0/1
GigabitEthernet0/1

Service-policy input: limit

Class-map: 120 (match-all)
16165 packets, 3345584 bytes
5 minute offered rate 56000 bps, drop rate 10000 bps
Match: access-group 120
police:
cir 2000000 bps, bc 62500 bytes
conformed 14983 packets, 2773433 bytes; actions:
transmit
exceeded 1182 packets, 572151 bytes; actions:
drop
conformed 387000 bps, exceed 68000 bps

Class-map: class-default (match-any)
9722 packets, 1715733 bytes
5 minute offered rate 28000 bps, drop rate 0 bps
Match: any

Service-policy output: limit

Class-map: 120 (match-all)
5 packets, 370 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 120
police:
cir 2000000 bps, bc 62500 bytes
conformed 5 packets, 370 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
2259731 packets, 2733676456 bytes
5 minute offered rate 44111000 bps, drop rate 0 bps

int shows that only input work (upload)

the output didn't work (Download)

Joseph W. Doherty · ‎06-16-2022

BTW, regarding why "in" policy appears to work but "out" policy doesn't, might be because you're using the same policy in both directions using underlying ACLs, that would only correctly work in one direction.

Try:

access-list 110 permit ip 192.168.110.0 0.0.0.255 any
access-list 110 permit ip any 192.168.110.0 0.0.0.255

access-list 120 permit ip 192.168.120.0 0.0.0.255 any
access-list 120 permit ip any 192.168.120.0 0.0.0.255

Also BTW, although an ingress policer will limit bandwidth to your inside hosts, it cannot truly limit ingress bandwidth usage because its downsteam of your Internet link.