10-21-2011 05:35 AM - edited 03-07-2019 02:57 AM
Hi.
I have the following setup:
Cisco 1921 is my core router and connected to it is a 30 Mbit fiber line
VLAN1
VLAN2
Now, the thing is that I want VLAN2 to have a 5 Mbit bandwidth limit to the Internet but full speed to VLAN1.
I have played around with rate-limit without success; any ideas how to solve this?
I also have access to cisco switches that can limit the bandwidth if that helps.
Kind regards,
Tommy Svensson
10-21-2011 05:50 AM
Hi Tommy,
You can achieve this with a policy-map.
The two individual steps below may help in your scenario.
STEP-1:
Apply rate-limit on each L3 VLAN interface in your 2851.
Example (1024 kbit/s for VLAN 2):
Router# conf t
Router(config)# int vlan 2
Router(config-if)#rate-limit input 1000000 187500 375000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output 1000000 187500 375000 conform-action transmit exceed-action drop
STEP-2:
Police a specific VLAN number on a VLAN interface.
class-map vlan5
match vlan 5
match class-map class-default
policy-map vlan5-limit
class vlan5
police 2000000 250000 exceed-action drop
int vlan5
service-policy input vlan5-limit
After you apply this configuration, the traffic for VLAN 5 coming from anywhere will be policed at 2 Mbps.
Hope this will help you.
Please rate the helpful posts.
Regards,
Naidu.
10-21-2011 06:45 AM
Hi.
I'm not really sure how to apply this to my case; today I have a rate limit set on the interface of VLAN2 as you did in STEP-1.
However, that makes it so that VLAN2 has limited bandwidth to the Internet and VLAN1. What I want is for VLAN2 to have full speed to VLAN1 and limited speed to the Internet.
Kind regards,
Tommy Svensson
10-21-2011 07:06 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
There are a few things you might want to consider.
First, if you don't have access to the other side of the 30 Mbps link, you can't always ideally control inbound bandwidth. You certainly can rate-limit inbound traffic, but that is after the traffic has already hit your device. For example, 30 Mbps coming in can be limited to 5 Mbps going to Vlan2, but I assume you really want to limit Vlan2's usage of the 30 Mbps to only 5 Mbps. In fact you can't, although if the inbound traffic is TCP, it should slow itself as you drop its packets with a rate limiter.
Second, rate-limiters are very severe, as in they drop all packets that exceed the limit. TCP doesn't mind too much, but non-TCP traffic can be totally disrupted by a high drop rate.
An alternative to rate-limiting is a shaper. With a shaper, traffic rate is also controlled, but excess traffic is buffered. A shaper's impact on traffic is closer to that of an interface of the same bandwidth. Unfortunately, shapers can only be used outbound.
As an alternative to shaping, also for egress, advanced queuing might be used. This could allow, for example, either Vlan to use all 30 Mbps, but if both wanted it all, it can ensure Vlan1 gets 25 Mbps while Vlan2 only gets 5 Mbps.
How to do any of the above would depend on your topology and actual needs. You do need to be clear about what you want to accomplish; for instance, Naidu's example would limit the Vlan5 interface to 2 Mbps, but this would apply to all its off-Vlan traffic, not just to the Internet traffic, nor does it limit what this Vlan can "pull" from the Internet.
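To make the difference between a rate-limiter (policer) and a shaper in the post above concrete, here is a small simulation. It is an added example written for this page, not code from any poster and not IOS configuration. It assumes a 1 Mbps CIR (the rate in the thread's rate-limit example), a 10,000-byte burst bucket and an 8 Mbps offered burst of 200 packets, all constructed values, and uses a 64-packet FIFO because that is the queue limit shown in the show policy-map output later in the thread.

```python
"""Policer vs. shaper: one single-rate token bucket, two reactions to excess.

Added illustration for this thread (not IOS code, not from any poster).
A policer drops a packet that finds too little credit in the bucket; a shaper
queues it until the credit has accrued and only drops when the FIFO is full.
Rates are bits per second, sizes bytes, times seconds. Times and credit use
Fraction so the results are exact and reproducible across runs.
"""
from collections import deque
from fractions import Fraction


def police(packets, cir_bps, bc_bytes):
    """Single-rate policer: transmit if the bucket holds `size` bytes of credit,
    otherwise drop. Returns (transmitted, dropped) as lists of (t, size).
    The bucket refills at cir_bps/8 bytes per second, capped at bc_bytes."""
    rate = Fraction(cir_bps, 8)                 # bytes per second
    tokens = Fraction(bc_bytes)
    last_t = Fraction(0)
    transmitted, dropped = [], []
    for t, size in packets:                     # packets sorted by arrival time
        tokens = min(Fraction(bc_bytes), tokens + (t - last_t) * rate)
        last_t = t
        if tokens >= size:
            tokens -= size
            transmitted.append((t, size))
        else:
            dropped.append((t, size))           # exceed-action drop: no second chance
    return transmitted, dropped


def shape(packets, cir_bps, bc_bytes, queue_limit):
    """Shaper with the same bucket: a packet short of credit waits in a FIFO
    until the credit has accrued. Drops happen only when the FIFO already holds
    queue_limit packets (tail drop). Returns (sent, dropped); sent holds
    (arrival, departure, size)."""
    rate = Fraction(cir_bps, 8)
    tokens = Fraction(bc_bytes)
    last_refill = Fraction(0)
    pending = deque()                           # departure times of queued packets
    sent, dropped = [], []
    for t, size in packets:
        while pending and pending[0] <= t:      # packets that have left by now
            pending.popleft()
        if len(pending) >= queue_limit:
            dropped.append((t, size))           # queue full: tail drop
            continue
        start = pending[-1] if pending else t   # FIFO: not before the previous departure
        tokens = min(Fraction(bc_bytes), tokens + (start - last_refill) * rate)
        if tokens < size:                       # wait exactly until enough credit exists
            start += (size - tokens) / rate
            tokens = Fraction(size)
        tokens -= size
        last_refill = start
        pending.append(start)
        sent.append((t, start, size))
    return sent, dropped


def burst(n, size, interval):
    """Constructed input: n packets of `size` bytes, one every `interval` seconds."""
    return [(Fraction(i) * interval, size) for i in range(n)]


CIR = 1_000_000                                    # 1 Mbps, as in the thread's rate-limit example
BC = 10_000                                        # assumed small bucket so the effect shows quickly
OFFERED = burst(200, 1000, Fraction(1, 1000))      # 8 Mbps offered for 0.2 s (constructed)


def policer_result():
    """(packets transmitted, packets dropped, bytes transmitted) for the policer."""
    tx, dr = police(OFFERED, CIR, BC)
    return len(tx), len(dr), sum(s for _, s in tx)


def shaper_result(queue_limit):
    """(packets sent, packets tail-dropped, worst queuing delay in s) for the shaper."""
    sent, dr = shape(OFFERED, CIR, BC, queue_limit)
    max_delay = max((dep - arr for arr, dep, _ in sent), default=Fraction(0))
    return len(sent), len(dr), float(max_delay)


if __name__ == "__main__":
    print("policer: sent/dropped/bytes =", policer_result())
    print("shaper, deep FIFO: sent/dropped/max delay =", shaper_result(10_000))
    print("shaper, 64-packet FIFO: sent/dropped/max delay =", shaper_result(64))
```

With these inputs the policer passes 34 of the 200 packets and drops the rest outright, while the shaper with a deep queue delivers all 200 but holds the last one for 1.321 s; with the 64-packet queue the shaper tail-drops too. That is the trade-off the post describes: shaping converts loss into delay and buffer occupancy, it does not create bandwidth, and a policer's drops land on whatever protocol happens to exceed the rate.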
10-25-2011 11:37 PM
Hi.
I am clear about what I want to accomplish here.
I want so that VLAN2 has full speed to VLAN1 and that VLAN2 has limited speed to the Internet.
What would be the ideal way to accomplish this?
Kind regards,
Tommy Svensson
10-26-2011 02:08 AM
Hi Tommy,
Your requirement:
1. Traffic between the Internet and Vlan 2: limited to 5 Mbps
2. Traffic from Vlan 1 to Vlan 2: no limit
Now, your requirement is pretty hard to achieve, given that once you rate-limit Vlan 2 it will affect the whole Vlan, if you know what I mean. Is there a very strong reason you need to do this?
10-26-2011 02:42 AM
The rate limit is not necessary at all, I just want the described functionality.
Kind regards,
Tommy
10-26-2011 03:03 AM
Hi Tommy,
I like your curiosity.
OK, how about this solution:
+++on the router
access-list 100 < match the Vlan 2 users here>
class-map VLAN2
match access-group 100
policy-map LIMIT_VLAN2_5MBPS
class VLAN2
shape average 5000000
interface < link to the ISP>
service-policy output LIMIT_VLAN2_5MBPS
1. This would sort of rate-limit (shape) the traffic of Vlan 2 to 5 Mbps. This achieves your first condition.
2. Because they will be on a trunk port to a layer 2 switch, both VLANs can have full access to each other without any limit.
Hope the above gives you some idea of what I am talking about
HTH
Regards
Kishore
10-26-2011 03:58 AM
The 3 interfaces are already part of security zones and I use a ZBF. Is it still possible to apply another ACL on my WAN interface?
Kind regards,
Tommy
10-26-2011 04:01 AM
Hi Tommy,
Technically it's not an ACL. It's a service policy, so you should be able to apply it. If you can share your config of the router, maybe I can tell you more.
Regards
Kishore
10-27-2011 12:42 AM
Hi.
This is what i have done so far.
interface GigabitEthernet0/1.21
encapsulation dot1Q 21
ip address 10.0.21.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN21_ZONE
!
access-list 100 permit ip 10.0.21.0 0.0.0.255 any
class-map match-all LIMIT_VLAN21
match access-group 100
policy-map LIMIT_VLAN21_5MBIT
class LIMIT_VLAN21
shape average 5000000
interface GigabitEthernet0/0
description WAN
ip address xxx.xxx.xx.194 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
crypto map VPNMAP
service-policy output LIMIT_VLAN21_5MBIT
Even though I'm on the VLAN21 subnet I can't seem to get hits on access-list 100. So my limitation is not working and I'm going out to the Internet at full speed.
Any thoughts?
Kind regards,
Tommy
10-27-2011 01:10 AM
Tommy,
Can you do a "sh policy-map interface GigabitEthernet0/0" and paste the results here? Also try to download some big files or videos or whatever for testing, then run the command I mentioned and paste the results here.
10-27-2011 01:39 AM
Here it is.
I'm not in the office right now but I will try to download big files and type in the command again later.
GigabitEthernet0/0
Service-policy output: LIMIT_MGNS_5MBIT
Class-map: MGNS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 100
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 5000000, bc 20000, be 20000
target shape rate 5000000
Class-map: class-default (match-any)
31569834 packets, 14342194992 bytes
5 minute offered rate 2000000 bps, drop rate 0 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 31564456/14343562742
Can you make something out of this?
Kind regards,
Tommy
10-27-2011 03:47 AM
Umm.. the config I have given you works, but it restricts traffic from your network (Vlan2) to the outside world. I have tested this before and it works. But you need to rate-limit the traffic coming from the Internet into your Vlan2.
So, we need to police it. I have labbed it and I will paste the configs here for you, OK?
The network is very simple:
R3----------(your LAN)R1(Your WAN)------------R2(internet)
R3
R3#sh run
ip cef
!
interface GigabitEthernet1/0
ip address 10.0.21.1 255.255.255.0
negotiation auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.21.254
R1
R1#sh run
!
class-map match-all LIMIT_VLAN21
match access-group 100
!
!
policy-map LIMIT_VLAN21_5MBIT
class LIMIT_VLAN21
police 64000 conform-action transmit exceed-action drop
!
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat outside
negotiation auto
service-policy input LIMIT_VLAN21_5MBIT
!
interface GigabitEthernet2/0
ip address 10.0.21.254 255.255.255.0
negotiation auto
!
ip nat inside source route-map ALLOW interface GigabitEthernet1/0 overload
!
!
access-list 100 permit ip any 10.0.21.0 0.0.0.255
access-list 102 permit ip 10.0.21.0 0.0.0.255 any
!
route-map ALLOW permit 10
match ip address 102
!
R2
R2#sh run
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
interface GigabitEthernet1/0
ip address 192.168.1.2 255.255.255.0
negotiation auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
I will post the results in my next post
10-27-2011 03:52 AM
Now when I ping from R2 (Internet) to the LAN, it's pretty much like downloading a file. As you can see, the NAT works well. Here 192.168.1.1 is your WAN IP.
R2#ping 10.0.21.254 re 1000 size 1500    <-- pinging your LAN GW
Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 10.0.21.254, timeout is 2 seconds:
!!!!!.!!.!.!!!!.!!!!.!!.!!!!.!!!!.!!.
Success rate is 75 percent (28/37), round-trip min/avg/max = 92/167/268 ms
R1#
*Oct 27 21:41:08.331: NAT: s=10.0.21.254->192.168.1.1, d=192.168.1.2 [44]
*Oct 27 21:41:08.619: NAT: s=10.0.21.254->192.168.1.1, d=192.168.1.2 [45]
*Oct 27 21:41:08.799: NAT: s=10.0.21.254->192.168.1.1, d=192.168.1.2 [46]
*Oct 27 21:41:08.971: NAT: s=10.0.21.254->192.168.1.1, d=192.168.1.2 [47]
R1#
*Oct 27 21:41:11.091: NAT: s=10.0.21.254->192.168.1.1, d=192.168.1.2 [49]
*Oct 27 21:41:11.231: NAT: s=10.0.21.254->192.168.1.1, d=192.168.1.2 [50]
Here you can see that the policer drops anything going above 64 kbps. I have set a policer that says that anything more than 64 kbps should be dropped.
R1#sh policy-map int gi1/0
GigabitEthernet1/0
Service-policy input: LIMIT_VLAN21_5MBIT
Class-map: LIMIT_VLAN21 (match-all)
37 packets, 56018 bytes
5 minute offered rate 4000 bps, drop rate 2000 bps
Match: access-group 100
police:
cir 64000 bps, bc 2000 bytes
conformed 28 packets, 42392 bytes; actions:
transmit
exceeded 9 packets, 13626 bytes; actions:
drop
conformed 4000 bps, exceed 2000 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Hope this gives you the idea of policing stuff coming from the Internet into your Vlan 2.
HTH
Regards
Kishore
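Both show policy-map interface outputs in this thread (Tommy's shaper on GigabitEthernet0/0 and Kishore's policer on gi1/0) can be read mechanically, which is handy when checking whether a policy is actually classifying. The parser below is an added example written for this page, not code from any poster or from Cisco; it assumes the classic IOS text layout those two outputs use, and the two sample texts are copied from the thread. Its diagnose() flags the signature visible in Tommy's output: the user class shows 0 packets while class-default carries every packet, so the classifier has matched nothing. One cause worth checking in that situation is the documented IOS NAT order of operations: on an ip nat outside interface, inside-to-outside translation happens before output classification, so an output policy's ACL sees the translated public source address rather than 10.0.21.0/24; the usual workaround is to mark the traffic with set qos-group in an input policy on the LAN sub-interface and match qos-group in the WAN output policy. Kishore's policer counters parse into a conformed/exceeded ratio.

```python
"""Parse IOS 'show policy-map interface' output and sanity-check the policy.

Added helper for this thread (not from any poster or from Cisco). The two
sample outputs are copied from the thread; the parser assumes the classic
IOS text layout they show. Indentation is ignored, so pasted output works.
"""
import re

SAMPLE_SHAPER = """\
GigabitEthernet0/0
  Service-policy output: LIMIT_MGNS_5MBIT
    Class-map: MGNS (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 100
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 5000000, bc 20000, be 20000
      target shape rate 5000000
    Class-map: class-default (match-any)
      31569834 packets, 14342194992 bytes
      5 minute offered rate 2000000 bps, drop rate 0 bps
      Match: any
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 31564456/14343562742
"""

SAMPLE_POLICER = """\
GigabitEthernet1/0
  Service-policy input: LIMIT_VLAN21_5MBIT
    Class-map: LIMIT_VLAN21 (match-all)
      37 packets, 56018 bytes
      5 minute offered rate 4000 bps, drop rate 2000 bps
      Match: access-group 100
      police:
          cir 64000 bps, bc 2000 bytes
        conformed 28 packets, 42392 bytes; actions:
          transmit
        exceeded 9 packets, 13626 bytes; actions:
          drop
        conformed 4000 bps, exceed 2000 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

# One regex per line type we care about; anything else is ignored.
PATTERNS = [
    ("policy",    re.compile(r"^Service-policy (input|output): (\S+)$")),
    ("class",     re.compile(r"^Class-map: (\S+) \((match-all|match-any)\)$")),
    ("counters",  re.compile(r"^(\d+) packets, (\d+) bytes$")),
    ("rates",     re.compile(r"^5 minute offered rate (\d+) bps, drop rate (\d+) bps$")),
    ("match",     re.compile(r"^Match: (.+)$")),
    ("shape",     re.compile(r"^shape \(average\) cir (\d+), bc (\d+), be (\d+)$")),
    ("police",    re.compile(r"^cir (\d+) bps, bc (\d+) bytes$")),
    ("conformed", re.compile(r"^conformed (\d+) packets, (\d+) bytes")),
    ("exceeded",  re.compile(r"^exceeded (\d+) packets, (\d+) bytes")),
    ("qdrops",    re.compile(r"^\(queue depth/total drops/no-buffer drops\) (\d+)/(\d+)/(\d+)$")),
]


def parse_policy_map(text):
    """Return {'interface', 'policy', 'direction', 'classes': [per-class dicts]}."""
    result = {"interface": None, "policy": None, "direction": None, "classes": []}
    cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if result["interface"] is None:     # first non-empty line names the interface
            result["interface"] = line
            continue
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            if kind == "policy":
                result["direction"], result["policy"] = m.groups()
            elif kind == "class":
                cls = {"name": m.group(1), "type": m.group(2), "packets": 0, "bytes": 0,
                       "offered_bps": 0, "drop_bps": 0, "match": [], "action": None,
                       "cir": None, "conformed": None, "exceeded": None, "queue_drops": 0}
                result["classes"].append(cls)
            elif cls is None:
                pass                         # counters before any class line: ignore
            elif kind == "counters":
                cls["packets"], cls["bytes"] = int(m.group(1)), int(m.group(2))
            elif kind == "rates":
                cls["offered_bps"], cls["drop_bps"] = int(m.group(1)), int(m.group(2))
            elif kind == "match":
                cls["match"].append(m.group(1))
            elif kind == "shape":
                cls["action"], cls["cir"] = "shape", int(m.group(1))
            elif kind == "police":
                cls["action"], cls["cir"] = "police", int(m.group(1))
            elif kind == "conformed":
                cls["conformed"] = int(m.group(1))
            elif kind == "exceeded":
                cls["exceeded"] = int(m.group(1))
            elif kind == "qdrops":
                cls["queue_drops"] = int(m.group(2))   # total drops field
            break
    return result


def diagnose(policy):
    """Human-readable findings; an empty list means nothing looked suspicious."""
    findings = []
    default = next((c for c in policy["classes"] if c["name"] == "class-default"), None)
    for c in policy["classes"]:
        if c["name"] == "class-default":
            continue
        # A user class with zero hits while class-default carries traffic means
        # the classifier never matched (wrong addresses, wrong direction, or
        # addresses already translated by NAT at the point of classification).
        if c["packets"] == 0 and default is not None and default["packets"] > 0:
            findings.append(
                f"{c['name']}: 0 packets matched while class-default carried "
                f"{default['packets']}; the classifier ({', '.join(c['match'])}) is not "
                f"matching in the {policy['direction']} direction on {policy['interface']}")
        if c["action"] == "police" and c["conformed"] is not None and c["exceeded"]:
            total = c["conformed"] + c["exceeded"]
            findings.append(
                f"{c['name']}: policer at {c['cir']} bps dropped {c['exceeded']}/{total} "
                f"packets ({100 * c['exceeded'] / total:.0f}%)")
        if c["action"] == "shape" and c["queue_drops"]:
            findings.append(f"{c['name']}: shaper tail-dropped {c['queue_drops']} packets")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SHAPER, SAMPLE_POLICER):
        parsed = parse_policy_map(sample)
        print(parsed["interface"], parsed["direction"], parsed["policy"])
        for finding in diagnose(parsed) or ["no findings"]:
            print("  -", finding)
```

On Tommy's output the only finding is that MGNS matched 0 packets while class-default carried 31,569,834, i.e. the shaper is configured but idle; on Kishore's lab output it reports the 64 kbps policer dropping 9 of 37 packets, which is the behaviour his ping loss shows.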