1841 bandwidth limitation (traffic shaping) not working

gasparmenendez
Level 3

Hi folks,

I have a problem with bandwidth limitation on a Cisco 1841 Router. The thing is that I need to limit the internet bandwidth with class and policy maps in my 1841 but it's not working... when I check my Cacti (monitoring system) it shows the 1841 is using more than 2 Mbps, when apparently I limited it to 1 Mbps. Here is my configuration:

Building configuration...

Current configuration : 2548 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IntRegManzanas
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$r/qO$L.tQ0JnkA
enable password 7 1511021
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone MX -6
clock summer-time MX recurring
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool REDINTERNA
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 189.194.28.161 200.52.167.161
!
!
ip domain name somosggl.com
!
multilink bundle-name authenticated
!
!
!         
!
username gaspar privilege 15 password 7 094B4F1A0
username extra privilege 15 password 7 10692E3500
archive
 log config
  hidekeys
!
!
!
!
ip ssh version 2
!
class-map match-all CLASS1M
 match access-group name ACL1M
!
!
policy-map POLICE1M
 class CLASS1M
   police cir 1000000 bc 187500 pir 1000000
!
!
!
!
interface FastEthernet0/0
 description *** Externa ***
 ip address 10.227.225.33 255.255.252.0
 ip nat outside
 ip virtual-reassembly
 rate-limit input 1000000 187500 375000 conform-action transmit exceed-action drop
 rate-limit output 1000000 187500 375000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description *** Interna ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy output POLICE1M
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.227.224.1
!
!
ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet0/0 overload
!
ip access-list standard ELCACTI
 permit 10.227.224.11
 deny   any
!
ip access-list extended ACL1M
 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
logging 10.227.224.11
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community ******** RO ELCACTI
snmp-server location Canatlan
snmp-server contact Irma Mtz
!
!
!
!
!
!
control-plane
!
!
banner login ^C

*******************************
*******************************

    Acceso restringido
   Solo personal autorizado

*******************************
*******************************
^C
!
line con 0
 password 7 040F5D515
 logging synchronous
line aux 0
line vty 0 4
 password 7 040F5D515
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
end

Can somebody help me please??

Thanks in advance. BR.

40 Replies

Hello
Policing is applicable for egress traffic but it's more relevant for ingress traffic, so all you need is to police ingress as close to your source traffic as possible.

As shown by Georg and myself, you can match via an access-list or interface for your traffic

access-list 100 permit ip any any

class-map match-any Police_cm
match ip address 100
or
match input-interface x/x

Policy-Map Police_lan_pm
class Police_cm
police 1024000 conform-action transmit  exceed-action drop

Int x/x
description Lan_facing_interface
service-policy input Police_lan_pm


Note: dropping your exceed traffic can be very disruptive; usually you would reclassify the excess so it at least gets through, be it at a lower classification.

Looking at your testing, you still have the load-interval set at 5 minutes; can you drop it to show a more realistic utilization value and change your class-map to a match-any?

Test the example above and share your results.

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
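
An added example, not part of any post in this thread: a simplified single-rate token-bucket model in Python of what `police 1024000 conform-action transmit exceed-action drop` does, using the `cir 1024000 bps, bc 32000 bytes` values the router reports later in the thread. The `Policer` class, the `run` helper and the constant-rate packet stream are assumptions made for illustration.

```python
# Simplified model of a single-rate, two-colour policer (conform / exceed).
CIR_BPS = 1_024_000   # "cir 1024000 bps" as reported by the router
BC_BYTES = 32_000     # "bc 32000 bytes" as reported by the router


class Policer:
    def __init__(self, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
        self.rate = cir_bps / 8.0        # token refill rate, bytes per second
        self.bc = bc_bytes               # bucket depth: largest tolerated burst
        self.tokens = float(bc_bytes)    # bucket starts full
        self.last = 0.0
        self.conformed = 0               # bytes transmitted
        self.exceeded = 0                # bytes dropped

    def offer(self, now, size):
        """Refill for the elapsed time, then conform or exceed one packet."""
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += size
            return True
        self.exceeded += size            # exceed-action drop
        return False


def run(offered_bps, seconds=10, pkt_bytes=1500):
    """Offer a constant packet stream; return (conformed_bps, exceeded_bps)."""
    p = Policer()
    gap = pkt_bytes * 8 / offered_bps                  # seconds between packets
    count = offered_bps * seconds // (pkt_bytes * 8)   # packets in the window
    for i in range(count):
        p.offer(i * gap, pkt_bytes)
    return p.conformed * 8 / seconds, p.exceeded * 8 / seconds


if __name__ == "__main__":
    for load in (500_000, 3_000_000):
        sent, dropped = run(load)
        print(f"offered {load} bps: conformed {sent:.0f} bps, exceeded {dropped:.0f} bps")
```

The initial full bucket lets a short burst through above the CIR, which is why the conformed rate over a short window lands slightly above 1024000 bps.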

Hello Paul, just one detail (I think I asked you about this before): the router doesn't accept match ip address 100, so I changed it to match access-group 100. Is that OK?

anyway I configured like you suggested and now I have this:

IntRegManzanas#show policy-map interface FastEthernet0/1
 FastEthernet0/1

  Service-policy input: Police_lan_pm

    Class-map: Police_cm (match-any)
      10398 packets, 1025352 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 100
        10115 packets, 996651 bytes
        30 second rate 0 bps
      police:
          cir 1024000 bps, bc 32000 bytes
        conformed 10398 packets, 1025352 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      104 packets, 11044 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

now I'm going to wait and see what happens.

Thanks.

Hello,

just one question: in your original post you say that you are using Cacti to monitor traffic. What are you monitoring, individual IP flows from end users? And if so, how have you set this up?

I am just asking because I only know Cacti as a network traffic monitoring solution, and not necessarily one that can measure individual end user traffic...

That's correct Georg, I'm using Cacti to monitor individual end users, by IP address. Here's the graphic for the client:

 this is from right now:

IntRegManzanas#show policy-map interface FastEthernet0/1
 FastEthernet0/1

  Service-policy input: Police_lan_pm

    Class-map: Police_cm (match-any)
      166605 packets, 23895063 bytes
      30 second offered rate 4000 bps, drop rate 0 bps
      Match: access-group 100
        166322 packets, 23866362 bytes
        30 second rate 4000 bps
      police:
          cir 1024000 bps, bc 32000 bytes
        conformed 166452 packets, 23696060 bytes; actions:
          transmit
        exceeded 153 packets, 199003 bytes; actions:
          drop
        conformed 4000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      104 packets, 11044 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

Hello,

which IP address belongs to that graphic ?

interface FastEthernet0/0
 description *** Externa ***
 ip address 10.227.225.33 255.255.252.0

Hello,

sorry for the confusion. What I meant to say: the graph represents an IP address in the 192.168.1.0/24 range, right ? Which one ?

Oh I'm sorry Georg, I misunderstood your question...

The graphic represents ALL traffic on the interface, not just one IP address. That would be traffic for all of 192.168.1.0/24. But in this specific case that's traffic for the OUTSIDE interface (the one NOT facing the LAN).

Anyway bandwidth is still uncontrolled, yesterday it reached 3 Mbps....

Hard to believe, isn't it??

Thanks.

Hello

Something is amiss here. Can you please confirm:

1) Are you applying the policy-map to the LAN-facing interface of your WAN router?

2) Is your ACL matching traffic coming off that LAN interface?

3) Are you checking the correct service policy? Again, it should be applied to the LAN interface.

Res

paul



Hi Paul, allow me to send you the running config (the one running right now). Only the most relevant parts:

IntRegManzanas#sh running-config
Building configuration...

Current configuration : 2335 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IntRegManzanas
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone MX -6
clock summer-time MX recurring
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool REDINTERNA
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 189.194.28.161 200.52.167.161
!
!
!
multilink bundle-name authenticated
!
!
!         
  hidekeys
!
!
!
!
ip ssh version 2
!
class-map match-any Police_cm
 match access-group 100
!
!
policy-map Police_lan_pm
 class Police_cm
    police 1024000 conform-action transmit  exceed-action drop
!
!
!
!
interface FastEthernet0/0
 description *** Externa ***
 ip address 10.227.225.33 255.255.252.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description *** Interna ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 service-policy input Police_lan_pm
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.227.224.1
!
!
ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet0/0 overload
!
ip access-list standard ELCACTI
 permit 10.227.224.11
 deny   any
!
logging 10.227.224.11
access-list 100 permit ip any any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

and this is right now:

IntRegManzanas#show policy-map interface FastEthernet0/1
 FastEthernet0/1

  Service-policy input: Police_lan_pm

    Class-map: Police_cm (match-any)
      1074079 packets, 151048164 bytes
      30 second offered rate 1000 bps, drop rate 0 bps
      Match: access-group 100
        1073796 packets, 151019463 bytes
        30 second rate 1000 bps
      police:
          cir 1024000 bps, bc 32000 bytes
        conformed 1071493 packets, 148576338 bytes; actions:
          transmit
        exceeded 2586 packets, 2471826 bytes; actions:
          drop
        conformed 1000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      104 packets, 11044 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

Thanks.
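
An added example, not part of any post in this thread: a small Python parser for the policer block of `show policy-map interface`, run over an excerpt of the output posted above. The function names are illustrative, and `average_bps` assumes you recorded the time between two snapshots, which the thread does not give.

```python
import re

# Excerpt copied from the third "show policy-map interface" output in the thread.
SNAPSHOT = """\
  Service-policy input: Police_lan_pm
    Class-map: Police_cm (match-any)
      1074079 packets, 151048164 bytes
      police:
          cir 1024000 bps, bc 32000 bytes
        conformed 1071493 packets, 148576338 bytes; actions:
          transmit
        exceeded 2586 packets, 2471826 bytes; actions:
          drop
"""


def _find(pattern, text):
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"pattern not found: {pattern}")
    return m.groups()


def parse_policer(text):
    """Extract direction, policy, class and cumulative policer counters."""
    direction, policy = _find(r"Service-policy (input|output): (\S+)", text)
    (cls,) = _find(r"Class-map: (\S+)", text)
    cir, bc = _find(r"cir (\d+) bps, bc (\d+) bytes", text)
    stats = {"direction": direction, "policy": policy, "class": cls,
             "cir_bps": int(cir), "bc_bytes": int(bc)}
    for key in ("conformed", "exceeded"):
        pkts, nbytes = _find(rf"{key} (\d+) packets, (\d+) bytes", text)
        stats[key + "_pkts"], stats[key + "_bytes"] = int(pkts), int(nbytes)
    return stats


def exceeded_share(stats):
    """Fraction of policed bytes that were dropped since the counters started."""
    total = stats["conformed_bytes"] + stats["exceeded_bytes"]
    return stats["exceeded_bytes"] / total if total else 0.0


def average_bps(before, after, seconds):
    """Average transmitted rate between two snapshots taken `seconds` apart."""
    return (after["conformed_bytes"] - before["conformed_bytes"]) * 8 / seconds


if __name__ == "__main__":
    s = parse_policer(SNAPSHOT)
    print(s["direction"], s["class"], f"{exceeded_share(s):.2%} of bytes dropped")
```

The counters are cumulative and cover only packets seen in the reported direction (`input` on FastEthernet0/1 here), so an average rate needs two timestamped snapshots rather than a single one.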

Here is what I think needs clarification:

1. Your configuration limits individual users on the 192.168.1.0/24 subnet to 1MB.

2. Cacti measures the throughput of the ENTIRE interface, which is the SUM of all individual users. 

In order to see if the policing works for individual users, use the site below on the clients. Upload and download should be limited to 1MB.

http://beta.speedtest.net/

hi Georg,

my configuration limits the traffic to 1Mbps on the interface, for the whole network (192.168.1.0/24), regardless of whether the client's office uses 1, 2, 3 or 254 PCs (or at least that is what I need to do). That's why I use Cacti to monitor the traffic for the LAN interface. I need the total bandwidth on the LAN interface not to be more than 1Mbps. Sorry if I didn't make myself clear.

Thanks.

Hello

  cir 1024000 bps, bc 32000 bytes
        conformed 1071493 packets, 148576338 bytes; actions:
          transmit
        exceeded 2586 packets, 2471826 bytes; actions:
          drop
        conformed 1000 bps

I guess it isn't 3 mb at present!

Can you do this please, and then test once more

1) class-map match-any Police_cm
 match access-group 100
match input-interface FastEthernet0/1

2) from inside your network (that's from a host originating from within fa0/1) can you create an extended ping to an outside destination with 1500 bytes

ping x.x.x.x -l 1500 -n 100000000 ( this is a windows command)

3) clear counter interface fa0/1

then post results

res

Paul



Hi Paul, after doing what you suggested:

1) class-map match-any Police_cm
 match access-group 100
match input-interface FastEthernet0/1

I've got this:

IntRegManzanas#show policy-map interface FastEthernet0/1
 FastEthernet0/1

  Service-policy input: Police_lan_pm

    Class-map: Police_cm (match-any)
      519163 packets, 47598897 bytes
      30 second offered rate 34000 bps, drop rate 0 bps
      Match: input-interface FastEthernet0/1
        519162 packets, 47598897 bytes
        30 second rate 34000 bps
      police:
          cir 1024000 bps, bc 32000 bytes
        conformed 497454 packets, 45210276 bytes; actions:
          transmit
        exceeded 21709 packets, 2388621 bytes; actions:
          drop
        conformed 34000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

Sorry, but I don't have access to the inside network since that's the client's side...

Traffic still going above 1Mbps.

Thanks.

Hello

Where do you see the traffic hitting over 1mb?

Class-map: Police_cm (match-any)
519163 packets, 47598897 bytes
30 second offered rate 34000 bps, drop rate 0 bps
Match: input-interface FastEthernet0/1
519162 packets, 47598897 bytes
30 second rate 34000 bps <-------------- and this isn't exceeding 1mb

Res

paul

