02-18-2013 11:07 AM - edited 03-04-2019 07:03 PM
Hi. I've been trying to get policing to work in my environment, but to no avail.
For the sake of context, I'll describe my network. I have 1 50MB Synchronous WAN connection that is shared among the various VLANs of my facility. I have 5 VLANs: CORP, VLAN10, VLAN20, VLAN30, and VLAN40. VLANs 10 through 40 represent classrooms, for which the WAN bandwidth should be limited to no more than 30Mbps total (i.e. 30Mbps to be shared between those 4 VLANs). The CORP VLAN must have a dedicated 20Mbps that will not be affected by fluctuations in the bandwidth of the other 4 VLANs.
I have ACLs which prevent access from VLANs 10 through 40 into the CORP VLAN. I want to allow inter-VLAN communication between VLANs 10 through 40.
All of these configs are done on a single 2841 router with 2 gigabit ports (g0/0 and g0/1). There are subinterfaces configured on g0/1 for each of the VLANs. g0/0 is the WAN port.
The goal I want to achieve is that there be a total of 30Mbps of WAN bandwidth to be shared among the 4 classroom VLANs (i.e. they should compete for it based on demand) and 20Mbps of dedicated WAN bandwidth for the CORP VLAN. I do not want to limit bandwidth between VLANs 10 through 40, but they must not be able to communicate with the CORP VLAN. The router is currently in operation in my production environment, and there is working WAN connectivity for all VLANs, but the policing elements of the config do not seem to be doing anything.
I will post my current running config (omitting public IP address, of course, for security). I hope that the members of this forum can assist.
Thanks!
Here's the config:
AcademyRouterCore(config)#do show run
Building configuration...
Current configuration : 4003 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AcademyRouterCore
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
class-map match-all CORP
match input-interface GigabitEthernet0/1
class-map match-all VLAN40
match input-interface GigabitEthernet0/1
class-map match-all VLAN10
match input-interface GigabitEthernet0/1
class-map match-all VLAN30
match input-interface GigabitEthernet0/1
class-map match-all VLAN20
match input-interface GigabitEthernet0/1
!
!
policy-map VLAN40
class VLAN40
police cir 30000000
conform-action transmit
exceed-action set-qos-transmit 5
violate-action drop
policy-map VLAN10
class VLAN10
police cir 30000000
conform-action transmit
exceed-action set-qos-transmit 5
violate-action drop
policy-map VLAN30
class VLAN30
police cir 30000000
conform-action transmit
exceed-action set-qos-transmit 5
violate-action drop
policy-map VLAN20
class VLAN20
police cir 30000000
conform-action transmit
exceed-action set-qos-transmit 5
violate-action drop
policy-map VLAN1
class CORP
police cir 20000000
conform-action transmit
exceed-action set-qos-transmit 1
violate-action drop
!
!
!
!
!
!
interface GigabitEthernet0/0
description WAN
ip address *.*.*.* *.*.*.*
ip nat outside
ip nat enable
ip virtual-reassembly
duplex full
speed 100
!
interface GigabitEthernet0/1
description InternalGateway
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
service-policy output VLAN1
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.1.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip nat enable
ip virtual-reassembly
no snmp trap link-status
service-policy output VLAN10
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.2.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip nat enable
ip virtual-reassembly
no snmp trap link-status
service-policy output VLAN20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip nat enable
ip virtual-reassembly
no snmp trap link-status
service-policy output VLAN30
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.4.254 255.255.255.0
ip access-group 104 in
ip nat inside
ip nat enable
ip virtual-reassembly
no snmp trap link-status
service-policy output VLAN40
!
ip default-gateway *.*.*.*
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 *.*.*.*
ip route *.*.*.* 255.0.0.0 *.*.*.*
ip route *.*.*.* 255.0.0.0 *.*.*.*
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
access-list 100 remark NAT Permit all
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 remark Deny Classroom1 to CORPORATE
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 remark Deny Classroom2 to CORPORATE
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 remark Deny Classroom3 to CORPORATE
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 remark Deny Classroom4 to CORPORATE
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip any any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
no login
transport input none
!
scheduler allocate 20000 1000
!
end
02-19-2013 03:38 AM
Hello Frank,
you are applying policers outbound on the internal LAN facing subinterfaces.
Each subinterface is limited to 30 Mbps, but you should realize that policing outbound on the LAN interface is simply too late, the precious WAN bandwidth is already gone !! In any case traffic to the 4 subinterfaces can reach 120 Mbps over the 50 Mbps WAN link bandwidth.
In the direction from Internet to your site there is little you can do, the policer should be applied outbound on the upstream router, but you have only one public IP address, so there is no way to discriminate the traffic to the different Vlans.
For the opposite direction, the policer should be applied outbound the WAN interface, but you are doing NAT overloading on the WAN interface, so it may be too late to discriminate traffic coming from the different Vlans. It becomes a question of order of operations inside the router.
All you can do is to police inbound on LAN facing subinterfaces to a quite low rate in such a way to influence indirectly the amount of return TCP traffic downstream.
Hope to help
Giuseppe
03-05-2013 11:51 PM
Hi Frank,
IMHO,
class-map match-all VLAN40
match input-interface GigabitEthernet0/1
is incorrect in your config.
Do you see any matching packets by sh policy-map interface GigabitEthernet0/1.40 out
command output?
All packets you want to match are entering your router via interface GigabitEthernet0/0 (WAN), aren't they?
So matching IP destination address to the VLAN40 subnet (or even matching any packet) would be better?
And the same is valid for the other VLANs, isn't it?
HTH,
Milan
03-06-2013 12:44 AM
Hello,
As Giuseppe wrote you can't influence traffic from the Internet toward your LAN if you have only one external IP address.
The only thing you can do is to police traffic from the LAN toward the Internet. And as I understand you need the feature like aggregate policing in Cisco switches. But AFAIK there is no aggregate policing in ISR MQS. So, instead of MQS you can use ZBF. You have to create three zones: INET, CORP, CLASSROOM; and apply the police command to the CORP and CLASSROOM zones. You have to include interface GigabitEthernet0/1.1 in the CORP zone and the GigabitEthernet0/1.10-40 interfaces in the CLASSROOM zone.
Also with ZBF you can achieve the second goal - to deny traffic from the CLASSROOM vlans toward the CORP vlan.
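As an added example (not code from this thread or from Cisco), here is a small Python audit of the policing sections of an IOS running-config that checks for the three issues the replies above raise: class maps that an output policy on a GigabitEthernet0/1 subinterface can never match for WAN-originated traffic (Milan's point), policers placed on the LAN side of the router after the WAN link has already been consumed (Giuseppe's point), and per-interface CIRs that add up to more than the link can carry (the aggregate-policing point). The sample config is an abbreviated, constructed copy of the one Frank posted (the VLAN20 and VLAN30 blocks and the conform/exceed/violate actions are dropped); the WAN interface name and the 50 Mbps link rate come from the thread, and the finding codes are assumptions of this example.

```python
"""Audit the policing parts of an IOS running-config for the pitfalls raised in this thread."""
from collections import namedtuple

Finding = namedtuple("Finding", "code interface detail")

# Constructed sample: the QoS-relevant lines of the config posted above, abbreviated
# (VLAN20/VLAN30 and the conform/exceed/violate actions omitted; indentation is optional).
SAMPLE_CONFIG = """
class-map match-all CORP
match input-interface GigabitEthernet0/1
class-map match-all VLAN40
match input-interface GigabitEthernet0/1
class-map match-all VLAN10
match input-interface GigabitEthernet0/1
!
policy-map VLAN40
class VLAN40
police cir 30000000
policy-map VLAN10
class VLAN10
police cir 30000000
policy-map VLAN1
class CORP
police cir 20000000
!
interface GigabitEthernet0/0
description WAN
!
interface GigabitEthernet0/1.1
service-policy output VLAN1
!
interface GigabitEthernet0/1.10
service-policy output VLAN10
!
interface GigabitEthernet0/1.40
service-policy output VLAN40
!
"""


def parse_config(text):
    """Return (class_maps, policy_maps, interfaces) parsed from flattened IOS config text."""
    class_maps, policy_maps, interfaces = {}, {}, {}
    ctx = None  # (block type, block name) of the section we are inside
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            ctx = None  # "!" (or a blank line) terminates a block
            continue
        head = words[0]
        if head == "class-map":
            ctx = ("class-map", words[-1])  # "class-map match-all NAME" or "class-map NAME"
            class_maps[words[-1]] = []
        elif head == "policy-map":
            ctx = ("policy-map", words[1])
            policy_maps[words[1]] = []
        elif head == "interface":
            ctx = ("interface", words[1])
            interfaces[words[1]] = []
        elif ctx is None:
            continue  # unrelated global command
        elif ctx[0] == "class-map" and head == "match":
            class_maps[ctx[1]].append(words[1:])
        elif ctx[0] == "policy-map" and head == "class":
            policy_maps[ctx[1]].append([words[1], None])  # [class name, CIR in bps]
        elif ctx[0] == "policy-map" and head == "police" and policy_maps[ctx[1]]:
            # "police cir N" (MQC form) or legacy "police N burst ..."; percent forms are skipped
            if words[1] == "cir" and words[2].isdigit():
                policy_maps[ctx[1]][-1][1] = int(words[2])
            elif words[1].isdigit():
                policy_maps[ctx[1]][-1][1] = int(words[1])
        elif ctx[0] == "interface" and head == "service-policy":
            interfaces[ctx[1]].append((words[1], words[2]))  # (direction, policy name)
    return class_maps, policy_maps, interfaces


def physical(ifname):
    """GigabitEthernet0/1.10 -> GigabitEthernet0/1 (subinterface to its parent port)."""
    return ifname.split(".")[0]


def audit(text, wan_interface="GigabitEthernet0/0", wan_bps=50_000_000):
    class_maps, policy_maps, interfaces = parse_config(text)
    findings, lan_policed_bps = [], 0
    for ifname, policies in interfaces.items():
        for direction, pname in policies:
            for cname, cir in policy_maps.get(pname, []):
                for clause in class_maps.get(cname, []):
                    # An output policy on a subinterface of port X whose class matches
                    # input-interface X can only see traffic routed between subinterfaces of X;
                    # packets that came in from the WAN entered via wan_interface and never match.
                    if (direction == "output" and len(clause) == 2 and clause[0] == "input-interface"
                            and physical(clause[1]) == physical(ifname)):
                        findings.append(Finding("UNMATCHABLE_CLASS", ifname,
                            f"class {cname} matches input-interface {clause[1]}; "
                            f"traffic entering via {wan_interface} never matches"))
                if cir and direction == "output" and physical(ifname) != wan_interface:
                    # Policing towards the LAN acts after the bytes have already crossed the WAN link.
                    lan_policed_bps += cir
                    findings.append(Finding("POLICED_AFTER_WAN", ifname,
                        f"policy {pname} polices {cir / 1e6:g} Mbps after the traffic has used WAN bandwidth"))
    if lan_policed_bps > wan_bps:
        findings.append(Finding("AGGREGATE_EXCEEDS_WAN", wan_interface,
            f"independent LAN-side policers allow {lan_policed_bps / 1e6:g} Mbps in total "
            f"over a {wan_bps / 1e6:g} Mbps link"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.code}] {f.interface}: {f.detail}")
```

Run against the abbreviated sample, the audit reports an unmatchable class and a LAN-side policer on each of the three subinterfaces, plus one aggregate finding (80 Mbps of CIR over a 50 Mbps link). A config that instead places a single policy outbound on the WAN interface with a class map keyed on source addresses produces no findings, which is the shape the replies steer towards for the LAN-to-Internet direction.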