Traffic Shaping on 3650

williamehmke1
Level 1

Has anyone been able to successfully configure traffic shaping on a Cisco 3650? I am trying to shape my 300Mb internet pipe for 250Mb for internet traffic and 50Mb for VPN traffic. Is there a simple way to limit bandwidth on the 2 interfaces or would I need to define policy maps and set up QoS?

Accepted Solution

Philip D'Ath
VIP Alumni

I haven't tried, but I'm 99% confident this approach will work.  This will guarantee that VPN (aka IPSEC) gets 50Mb/s of your pipe.  If the VPN is not using that traffic then it is available for general Internet access.

ip access-list extended ipsec 
  permit esp any any
  permit udp any any eq 500
  permit udp any any eq 4500
  permit udp any eq 500 any
  permit udp any eq 4500 any

class-map match-any cm-qos-ipsec
  match access-group name ipsec

policy-map pm-QoS
  class cm-qos-ipsec
     bandwidth 50000

policy-map pm-Internet
 class class-default
  shape average 300M
    service-policy pm-QoS

interface Gigabit a/b/c
  service-policy output pm-Internet

Philip, thanks for the quick response. It definitely looks like what I'm trying to accomplish. My only question (and forgive my bad judgement) but shouldn't the Internet policy shape average be 250M if IPSEC is getting 50 (even though it doesn't use it all)?

Negative.  The top policy shapes the circuit to what you actually get.  Everything is carved out of that.

OK great, thanks

I'm trying the suggested config on a 3650 (running 16.6.2) and get the following error when applying the service-policy to the interface:

Invalid queuing class-map!!! Queuing actions supported only with dscp/cos/qos-group/precedence/exp based classification!!!
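
One way to meet the restriction named in that error message, as an added example that is not part of the original thread and has not been tested on a 3650: classify with the ACL on ingress, tag the matching traffic with a qos-group, and have the egress queuing class match the qos-group instead of the ACL. The names cm-mark-ipsec and pm-mark-in, the qos-group number 1, and the ingress interface placeholder x/y/z are assumptions.

```cisco
! Added example, not from the thread. Interface names are placeholders.
ip access-list extended ipsec
 permit esp any any
 permit udp any any eq 500
 permit udp any any eq 4500
 permit udp any eq 500 any
 permit udp any eq 4500 any
!
! Ingress side: the ACL is used only to mark, not to queue
class-map match-any cm-mark-ipsec
 match access-group name ipsec
!
policy-map pm-mark-in
 class cm-mark-ipsec
  set qos-group 1
!
! Port where the VPN traffic enters the switch (assumed placeholder)
interface GigabitEthernet x/y/z
 service-policy input pm-mark-in
!
! Egress side: the queuing class matches the qos-group set above
class-map match-any cm-qos-ipsec
 match qos-group 1
!
policy-map pm-QoS
 class cm-qos-ipsec
  bandwidth 50000
!
! Parent shaper at the circuit rate (300 Mb/s written out in bits per second)
policy-map pm-Internet
 class class-default
  shape average 300000000
  service-policy pm-QoS
!
! Internet-facing port, same placeholder as in the thread
interface GigabitEthernet a/b/c
 service-policy output pm-Internet
!
! Check that the policy attached and that the class counters increment:
!   show policy-map interface GigabitEthernet a/b/c
```

The qos-group tag is local to the switch and does not change the packet, so the ESP and IKE packets leave unmodified.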

 

 

I have run this config and when I specify the service policy to the interface, and then run the "show policy-map interface" the policy is not applied.


@Philip D'Ath wrote:

I haven't tried, but I'm 99% confident this approach will work.  This will guarantee that VPN (aka IPSEC) gets 50Mb/s of your pipe.  If the VPN is not using that traffic then it is available for general Internet access.

 

ip access-list extended ipsec 
  permit esp any any
  permit udp any any eq 500
  permit udp any any eq 4500
  permit udp any eq 500 any
  permit udp any eq 4500 any

class-map match-any cm-qos-ipsec
  match access-group name ipsec

policy-map pm-QoS
  class cm-qos-ipsec
     bandwidth 50000

policy-map pm-Internet
 class class-default
  shape average 300M
    service-policy pm-QoS

interface Gigabit a/b/c
  service-policy output pm-Internet


command the policy is not showing...  Ideas?

You may need to remove the existing service policy before adding the new one.

Joseph W. Doherty
Hall of Fame

So, you really want to shape at 250 and 50 Mbps for the two classes, or are you looking to guarantee those as minimum bandwidth guarantees?

What Philip provided does the latter. If you want the former (if supported on a 3650), might be something like:

policy-map pm-QoS
  class cm-qos-ipsec
    bandwidth 50000
    shape average 50000000
  class class-default
    bandwidth 250000
    shape average 250000000

BTW, if you do this, you don't need the "parent"'s policy-map. (This because you cannot exceed 300 Mbps, aggregate.)

Also BTW, if you go with Philip's recommendation (which, I suggest, is often "better"), you may want to add to his policy:

  class class-default
    bandwidth 250000

This because to "guarantee" you obtain the bandwidth allocations you want, you should allocate 100% of the bandwidth. Not defining a class-default allocation leaves it to the device to allocate the bandwidth proportion, which w/o an explicit class-default, we "hope" is the remaining 250 Mbps.

Lastly, I suspect some Cisco device shapers don't account for L2 overhead. If not, shape slower for the average or expected overhead.
