
Restrict 512Kbps bandwidth to some workstations

hamidrezaaf
Level 1

Hello,

We have 3 workstations which have static NATs.

How can you restrict at most 512 kbps bandwidth to these workstations?

Regards

Hamid

7 Replies

sean_evershed
Level 7

Hi,

Do you manage the firewall? If so you could police bandwidth based on IP addresses. See below

https://supportforums.cisco.com/docs/DOC-1230

Don't forget to rate posts that are helpful.

>>

Do you manage the firewall? If so you could police bandwidth based on IP addresses. See below

https://supportforums.cisco.com/docs/DOC-1230

<<

Sorry for my inattention.

We want to configure a Cisco 2851 router (c2800nm-adventerprisek9-mz.124-24.T6.bin IOS).

You're probably going to have to shape outbound and police inbound to 512k to your natted addresses.

Let's say that you have addresses 192.168.1.50 - 52 and they map to 5.5.5.50 - 52, you could do something like this:

    ip access-list ext Shape
     permit ip host 5.5.5.50 any
     permit ip host 5.5.5.51 any
     permit ip host 5.5.5.52 any
    ip access-list ext Police
     permit ip any host 5.5.5.50
     permit ip any host 5.5.5.51
     permit ip any host 5.5.5.52
    class-map match-any Shape
     match access-group name Shape
    class-map match-any Police
     match access-group name Police
    policy-map Police
     class Police
      police 512000
       exceed-action drop
    policy-map Shape
     class Shape
      shape average 512000
    ! outside interface
    int s0/0
     service-policy input Police
     service-policy output Shape

HTH,

John

Please rate useful posts...


Many thanks for your comment.

Does the config below achieve our desired purpose?

----------------------------------------------------

    ip nat inside source static 192.168.10.50 X.X.X.10 extendable
    ip nat inside source static 192.168.10.51 X.X.X.11 extendable
    ip nat inside source static 192.168.10.52 X.X.X.12 extendable
    interface GigabitEthernet0/0
     description $ETH-LAN$
     ip address 192.168.10.1 255.255.255.0
     ip access-group 150 in
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description $ETH-WAN$
     ip address X.X.X.226 255.255.255.224
     ip access-group 150 in
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     service-policy input Police
     service-policy output Shape
    ip access-list ext Shape
     permit ip host X.X.X.50 any
     permit ip host X.X.X.51 any
     permit ip host X.X.X.52 any
    ip access-list ext Police
     permit ip any host X.X.X.50
     permit ip any host X.X.X.51
     permit ip any host X.X.X.52
    class-map match-any Shape
     match access-group name Shape
    class-map match-any Police
     match access-group name Police
    policy-map Police
     class Police
      police 512000
       exceed-action drop
    policy-map Shape
     class Shape
      shape average 512000
    access-list 150 deny   tcp any eq 1034 any log
    access-list 150 deny   tcp any eq 1080 any log
    access-list 150 deny   tcp any eq 1214 any log
    access-list 150 deny   tcp any eq 2535 any log
    access-list 150 deny   tcp any eq 1433 any log
    access-list 150 deny   tcp any eq 3127 any log
    access-list 150 deny   tcp any eq 2745 any log
    access-list 150 deny   tcp any eq 4444 any log
    access-list 150 deny   udp any eq 1434 any log
    access-list 150 deny   udp any range 135 netbios-ss any
    access-list 150 deny   tcp any range 1036 1037 any log
    access-list 150 deny   tcp any any eq 81 log
    access-list 150 deny   tcp any any eq 445 log
    access-list 150 deny   tcp any any eq 1080 log
    access-list 150 deny   tcp any any eq ident
    access-list 150 deny   tcp any any eq 1214
    access-list 150 deny   tcp any any eq 2745
    access-list 150 deny   tcp any any eq 5101
    access-list 150 deny   tcp any any eq 5554
    access-list 150 deny   tcp any any eq 6129
    access-list 150 deny   tcp any any eq 9996
    access-list 150 deny   udp any any eq 1434
    access-list 150 deny   tcp any any eq 11768
    access-list 150 deny   tcp any any eq 15118
    access-list 150 deny   tcp any any range 1022 1025
    access-list 150 deny   tcp any any range 135 139
    access-list 150 deny   udp any any range 135 netbios-ss
    access-list 150 permit tcp any any eq 443
    access-list 150 permit udp any any eq domain
    access-list 150 permit tcp any any eq domain
    access-list 150 permit tcp any any eq 8181
    access-list 150 permit tcp any any eq 8080
    access-list 150 permit tcp any any eq 1433
    access-list 150 permit ip any any

--------------------------------------------------

Regards

Hamid

Hamid,

You police on the traffic before it's natted and shape after it's natted. So your ACL will reflect the public addresses.

John

HTH, John *** Please rate all useful posts ***
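
Added example, not part of the thread and not Cisco tooling: a small offline check for the point in the reply above, that the Shape and Police ACLs on the outside interface must list the NAT public addresses. The function name `audit` and the 203.0.113.x sample addresses are constructed for illustration; it assumes plain one-to-one `ip nat inside source static` lines and `host` entries in named extended ACLs.

```python
import re

# Constructed sample config (documentation addresses), laid out like the thread's.
SAMPLE = """\
ip nat inside source static 192.168.10.50 203.0.113.10 extendable
ip nat inside source static 192.168.10.51 203.0.113.11 extendable
ip nat inside source static 192.168.10.52 203.0.113.12 extendable
ip access-list extended Shape
 permit ip host 203.0.113.10 any
 permit ip host 203.0.113.11 any
 permit ip host 192.168.10.52 any
ip access-list extended Police
 permit ip any host 203.0.113.10
 permit ip any host 203.0.113.11
 permit ip any host 203.0.113.11
"""

NAT_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^ip access-list ext\S* (\S+)\s*$")
HOST_RE = re.compile(r"host (\d+\.\d+\.\d+\.\d+)")

def audit(config):
    """Return (acl, address, problem) tuples for ACL/NAT mismatches."""
    nat = dict(NAT_RE.findall(config))      # inside address -> public address
    public = set(nat.values())
    acl_hosts, current = {}, None
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:                               # start of a named extended ACL
            current = m.group(1)
            acl_hosts[current] = []
        elif line.startswith(" ") and current:
            acl_hosts[current] += HOST_RE.findall(line)
        else:                               # any other top-level line ends the ACL
            current = None
    findings = []
    for name, hosts in acl_hosts.items():
        for h in sorted(set(hosts)):
            if h in nat:
                findings.append((name, h, "inside address; use " + nat[h]))
            elif h not in public:
                findings.append((name, h, "not a NAT public address"))
            if hosts.count(h) > 1:
                findings.append((name, h, "duplicate entry"))
        for missing in sorted(public - set(hosts)):
            findings.append((name, missing, "NAT public address not matched"))
    return findings
```

A host that is missing from the ACL falls into class-default and is neither policed nor shaped, so an empty result from `audit` is the state to aim for before applying the service policies.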

Dear j,blakley,

>>

You police on the traffic before it's natted and shape after it's natted. So your ACL will reflect the public addresses.

>>

Do you have a better solution?

Regards

Hamid

Hi Hamidrezaaf,

A different approach to your problem is to use GTS (generic traffic shaping).

The syntax of the command is as follows:

    traffic-shape rate bit-rate burst-size excess-burst-size

The following config can be applied to the Ethernet (LAN) interface in order to limit all output to 512k:

    interface LAN-per user
     traffic-shape rate 512000

Then you can apply the following config to the WAN interface to limit the output to 512k for each of the 3 users:

    interface
     traffic-shape group 101 512000
     traffic-shape group 102 512000
     traffic-shape group 103 512000

Where 101, 102 and 103 are the access lists that match the user traffic.

Hope that helps,

Vasilis

Please rate the useful posts