11-12-2013 08:57 AM - edited 03-04-2019 09:33 PM
I am restricting throughput speeds on a connection using policy-maps on a subnet with police rules. While this works to restrict download speeds to the desired amount, it does nothing to restrict upload speeds. I had thought the service-policy output would do it, but it seems not. What can I do to restrict upload speeds?
Example: (2851 Router)
interface GigabitEthernet0/1.3
 encapsulation dot1Q 7
 ip address 10.237.7.1 255.255.255.0
 ip access-group GUEST in
 ip helper-address 10.237.2.119
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 service-policy input RESTRICTGUEST
 service-policy output RESTRICTGUEST

policy-map RESTRICTGUEST
 class GUEST
  police 3000000 37500 conform-action transmit exceed-action drop
11-12-2013 09:34 AM
Hi,
police input on the nat outside interface
Regards
Alain
Don't forget to rate helpful posts.
11-12-2013 09:40 AM
Wouldn't that limit the traffic on all my subnets? I only want to limit the traffic on the /1.3 subnet, but leave the others (/1.1, /1.2, /1.4, etc.) to have full access.
11-12-2013 09:43 AM
Hi,
match corresponding traffic with ACL in a class-map and police this class.
Regards
Alain
Don't forget to rate helpful posts.
11-12-2013 09:37 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Service policy with policer should work for either ingress or egress.
You didn't show all the match criteria for class GUEST. Is your matching sensitive to flow direction, i.e. the need to "swap" source and destination if using an ACL for both ingress and egress?
11-12-2013 09:47 AM
My GUEST ACL only has permits and denies to limit what resources and time ranges are allowed, but is not sensitive to direction.
For example: (IPs changed to protect the innocent)
ip access-list extended GUEST
 permit udp any eq bootpc any eq bootps time-range OFFICEHOURS
 permit tcp any host 10.10.10.10 eq 443 www time-range OFFICEHOURS
 permit ip any 10.10.0.0 0.0.255.255 time-range OFFICEHOURS
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any time-range OFFICEHOURS
EDIT:
However, I do have my class-map match-all GUEST matching ACL 101:
access-list 101 permit ip 10.237.7.0 0.0.0.255 any
access-list 101 permit ip any 10.237.7.0 0.0.0.255
11-12-2013 05:56 PM
I may be mistaken, but your GUEST ACL looks direction sensitive to me. Most of your permit and deny statements match destination, which swaps in the opposite direction.
Your ACL 101, though, matches in either direction.
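The direction point made in this reply, as an added example that is not part of the original thread: a small first-match evaluator run over the ip entries of the two ACLs posted above, for one flow and its reverse. The guest host 10.237.7.50, the outside host 203.0.113.10 and all function names are constructed for illustration; the port-based entries are left out and the time-range is assumed active.

```python
import ipaddress

# ip entries copied from the two ACLs in the thread (port-based entries left out).
GUEST_IP = [
    "permit ip any 10.10.0.0 0.0.255.255 time-range OFFICEHOURS",
    "deny ip any 10.0.0.0 0.255.255.255",
    "deny ip any 172.16.0.0 0.15.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip any any time-range OFFICEHOURS",
]
ACL_101 = [
    "permit ip 10.237.7.0 0.0.0.255 any",
    "permit ip any 10.237.7.0 0.0.0.255",
]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tokens):
    """Consume one IOS address spec; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def addr_match(ip, spec):
    """Wildcard bits set to 1 are 'don't care', as in an IOS wildcard mask."""
    base, wild = spec
    return (to_int(ip) | wild) == (base | wild)

def first_match(acl, src, dst):
    """Return (entry number, action) of the first hit, or the implicit deny."""
    for number, line in enumerate(acl, start=1):
        action, _proto, *rest = line.split()
        src_spec, rest = parse_addr(rest)
        dst_spec, _ignored = parse_addr(rest)  # trailing time-range assumed active
        if addr_match(src, src_spec) and addr_match(dst, dst_spec):
            return number, action
    return None, "deny"

def both_directions(acl, inside, outside):
    """Evaluate the flow inside->outside and its reverse against the same ACL."""
    return first_match(acl, inside, outside), first_match(acl, outside, inside)

if __name__ == "__main__":
    GUEST_HOST, OUTSIDE_HOST = "10.237.7.50", "203.0.113.10"  # constructed sample hosts
    for name, acl in (("GUEST", GUEST_IP), ("101", ACL_101)):
        up, down = both_directions(acl, GUEST_HOST, OUTSIDE_HOST)
        print(f"ACL {name}: guest->outside {up}, outside->guest {down}")
```

With these sample hosts the GUEST entries give a different result once source and destination swap, because the guest subnet itself falls inside 10.0.0.0/8, while ACL 101 permits the flow in both directions.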
11-18-2013 09:35 AM
I can see where you say that. I'm only allowing traffic to certain locations, because I don't want initiating traffic coming from those locations to gain access. I am allowing all other traffic (with deny exceptions) with the ip any any. I thought I was being covered with the any any going either direction. (The other traffic is what I'm concerned about.)
Do I need to specify direction in an any any statement?
11-18-2013 10:19 AM
No, not if your denies are what you desire.
11-18-2013 01:49 PM
They are. That still leaves me with my issue. I thought the service-policy input/output pointing back to the policy-map on the interface was the proper method. Where did my thought process go wrong?