Restrict up and download speeds

I am restricting throughput speeds on a connection using policy-maps on a subnet with police rules. While this works to restrict download speeds to the desired amount, it does nothing to restrict upload speeds. I had thought the service-policy output would do it, but it seems not. What can I do to restrict upload speeds?

Example: (2851 Router)

interface GigabitEthernet0/1.3
 encapsulation dot1Q 7
 ip address 10.237.7.1 255.255.255.0
 ip access-group GUEST in
 ip helper-address 10.237.2.119
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 service-policy input RESTRICTGUEST
 service-policy output RESTRICTGUEST

policy-map RESTRICTGUEST
 class GUEST
  police 3000000 37500 conform-action transmit exceed-action drop

cadet alain
VIP Alumni

Hi,

police input on the nat outside interface

Regards

Alain

Don't forget to rate helpful posts.

Wouldn't that limit the traffic on all my subnets? I only want to limit the traffic on the /1.3 subnet, but leave the others (/1.1, /1.2, /1.4, etc.) to have full access.

Hi,

Match the corresponding traffic with an ACL in a class-map and police this class.

Regards

Alain

Don't forget to rate helpful posts.

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Service policy with policer, should work for both ingress or egress.

You didn't show all the match criteria for class GUEST.  Is your matching sensitive to flow direction, i.e. the need to "swap" source and destination if using an ACL for both ingress and egress?

My GUEST ACL only has permits and denies to limit what resources and time ranges are allowed, but is not sensitive to direction.

For example: (IPs changed to protect the innocent)

ip access-list extended GUEST
 permit udp any eq bootpc any eq bootps time-range OFFICEHOURS
 permit tcp any host 10.10.10.10 eq 443 www time-range OFFICEHOURS
 permit ip any 10.10.0.0 0.0.255.255 time-range OFFICEHOURS
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any time-range OFFICEHOURS

EDIT:

However, I do have my class-map match-all GUEST matching ACL 101:

access-list 101 permit ip 10.237.7.0 0.0.0.255 any
access-list 101 permit ip any 10.237.7.0 0.0.0.255

I may be mistaken, but your GUEST ACL looks direction sensitive to me.  Most of your permit and deny statements match destination, which swaps in the opposite direction.

Your ACL 101, though, matches in either direction.
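To make the direction point concrete, here is an added Python model (not from the thread or any poster) that evaluates the posted GUEST ACL and ACL 101 against the same guest flow in both directions. It ignores ports and treats every time-range as active (so the DHCP entry of GUEST is left out), and the guest host 10.237.7.50, internal server 10.10.20.5 and Internet host 203.0.113.9 are constructed sample addresses.

```python
import ipaddress

# Added illustration, not from the thread: a minimal model of IOS extended ACL
# matching. Simplifications: ports are ignored and every time-range is treated
# as active, so the DHCP (bootpc/bootps) entry of GUEST is left out.
ANY = ("0.0.0.0", "255.255.255.255")   # "any" = base 0.0.0.0, wildcard all ones

def _wc_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, proto, src, dst):
    """Action of the first matching entry, with the implicit deny IOS appends."""
    for action, entry_proto, (sb, sw), (db, dw) in acl:
        if entry_proto in ("ip", proto) and _wc_match(src, sb, sw) and _wc_match(dst, db, dw):
            return action
    return "deny"

# ip access-list extended GUEST as posted (ports and time-ranges dropped)
GUEST = [
    ("permit", "tcp", ANY, ("10.10.10.10", "0.0.0.0")),    # host 10.10.10.10
    ("permit", "ip",  ANY, ("10.10.0.0", "0.0.255.255")),
    ("deny",   "ip",  ANY, ("10.0.0.0", "0.255.255.255")),
    ("deny",   "ip",  ANY, ("172.16.0.0", "0.15.255.255")),
    ("deny",   "ip",  ANY, ("192.168.0.0", "0.0.255.255")),
    ("permit", "ip",  ANY, ANY),
]
# access-list 101 as posted: guest subnet as source OR as destination
ACL101 = [
    ("permit", "ip", ("10.237.7.0", "0.0.0.255"), ANY),
    ("permit", "ip", ANY, ("10.237.7.0", "0.0.0.255")),
]

def both_directions(acl, proto, guest, remote):
    """(verdict for guest->remote, verdict for remote->guest) for one flow."""
    return evaluate(acl, proto, guest, remote), evaluate(acl, proto, remote, guest)

if __name__ == "__main__":
    # Constructed sample addresses: a guest host, an internal server, an Internet host.
    for name, acl in (("GUEST", GUEST), ("ACL 101", ACL101)):
        print(name, "guest<->10.10.20.5 :", both_directions(acl, "tcp", "10.237.7.50", "10.10.20.5"))
        print(name, "guest<->203.0.113.9:", both_directions(acl, "tcp", "10.237.7.50", "203.0.113.9"))
```

GUEST permits the guest-to-remote leg but denies the reverse leg, while ACL 101 permits both; a class-map that references a direction-sensitive ACL would classify, and therefore police, only one direction of the flow.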

I can see where you say that. I'm only allowing traffic to certain locations, because I don't want initiating traffic coming from those locations to gain access. I am allowing all other traffic (with deny exceptions) with the ip any any. I thought I was being covered with the any any going either direction. (The other traffic is what I'm concerned about.)

Do I need to specify direction in an any any statement?

No, not if your denies are what you desire.

They are. That still leaves me with my issue. I thought the service-policy input/output pointing back to the policy-map on the interface was the proper method. Where did my thought process go wrong?
