10-21-2011 05:35 AM - edited 03-07-2019 02:57 AM
Hi.
I have the following setup:
Cisco 1921 is my core router and connected to it is a 30 Mbit fiber line
VLAN1
VLAN2
Now, the thing is that I want VLAN2 to have a 5 Mbit bandwidth limit to the Internet but full speed to VLAN1.
I have played around with rate limit without success. Any ideas how to solve this?
I also have access to Cisco switches that can limit the bandwidth, if that helps.
Kind regards,
Tommy Svensson
10-27-2011 05:58 AM
Hi again and thank you so much for your answer.
So if I'm understanding correctly, I apply two service policies to my WAN interface? One for outgoing and one for incoming traffic?
Kind regards,
Tommy
10-27-2011 06:08 AM
Hi,
True, you can apply one policy-map in either direction. But you have to create two policy maps. You can't use the same one in both directions on the interface, if you know what I mean.
So you can apply something like the below. Just make sure to create the right policy maps.
int gi1/0
service-policy input limit-5mbps-inbound
service-policy output limit-5mbps-outbound
Give it a try and let me know how you go.
HTH
Regards
Kishore
11-01-2011 08:22 AM
Hi again,
I have now tested your tips and I can't seem to get this working at all.
When I try to download something or when I do a test of the Internet connection, I still have over 20 Mbit in both directions.
My IP address as of this moment is 10.0.21.103, so I should hit the access-lists I have set up, but I don't get any hits when I do the show ip access-lists.
This is what I have configured so far:
access-list 150 permit ip any 10.0.21.0 0.0.0.255
access-list 160 permit ip 10.0.21.0 0.0.0.255 any
class-map match-all LIMIT_IN
 match access-group 150
class-map match-all LIMIT_OUT
 match access-group 160
policy-map LIMIT_IN_5MBIT
 class LIMIT_IN
  police 64000 conform-action transmit exceed-action drop
policy-map LIMIT_OUT_5MBIT
 class LIMIT_OUT
  police 64000 conform-action transmit exceed-action drop
interface GigabitEthernet0/0
 service-policy input LIMIT_IN_5MBIT
 service-policy output LIMIT_OUT_5MBIT
Here is some output on the matter:
IOSOFT_ROUTER(config)#do sh policy-map interface GigabitEthernet0/0
GigabitEthernet0/0
Service-policy input: LIMIT_IN_5MBIT
Class-map: LIMIT_IN (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 150
police:
cir 64000 bps, bc 2000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
504563 packets, 692545765 bytes
5 minute offered rate 10317000 bps, drop rate 0 bps
Match: any
Service-policy output: LIMIT_OUT_5MBIT
Class-map: LIMIT_OUT (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 160
police:
cir 64000 bps, bc 2000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
289935 packets, 70694463 bytes
5 minute offered rate 803000 bps, drop rate 0 bps
Match: any
IOSOFT_ROUTER(config)#
Kind regards,
Tommy
11-01-2011 09:35 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
If g0/0 is 10.0.21.1, it looks like your ACLs are "backwards".
Try:
access-list 150 permit ip 10.0.21.0 0.0.0.255 any
access-list 160 permit ip any 10.0.21.0 0.0.0.255
11-01-2011 11:24 AM
No, I'm sorry, I should have said that g0/0 is my WAN interface, as I just want VLAN21 to have limited speed to the Internet and full speed to other internal VLANs.
Kind regards,
Tommy
11-01-2011 05:34 PM
I see what the problem here is. I have tested this outbound using the same config in my previous post, but this time outbound, and the reason why it doesn't work is because of NAT. However, I do see matches on my ACL, but the policy-map doesn't work because of the ip nat inside. The NAT takes place first and hence your packets don't hit the policy-map. But the moment I take the ip nat inside off, it works smoothly.
+++++ with ip nat inside
R1#sh policy-map interface gigabitEthernet 2/0 output
GigabitEthernet2/0
Service-policy output: LIMIT_VLAN21_5MBIT_OUT
Class-map: LIMIT_LAN (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 102
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 64000 bps, bc 2000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
594 packets, 67500 bytes
5 minute offered rate 4000 bps, drop rate 0 bps
Match: any
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.1.1:3 10.0.21.1:3 192.168.1.2:3 192.168.1.2:3
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.1.1:3 10.0.21.1:3 192.168.1.2:3 192.168.1.2:3
R1#sh ip access-lists
Extended IP access list 100
10 permit ip any 10.0.21.0 0.0.0.255 (308 matches)
Extended IP access list 102
10 permit ip 10.0.21.0 0.0.0.255 any (12 matches)
R1#
+++++ after I take off the ip nat inside
R1#sh policy-map interface gigabitEthernet 2/0 output
GigabitEthernet2/0
Service-policy output: LIMIT_VLAN21_5MBIT_OUT
Class-map: LIMIT_LAN (match-any)
70 packets, 7980 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 102
70 packets, 7980 bytes
5 minute rate 0 bps
police:
cir 64000 bps, bc 2000 bytes
conformed 70 packets, 7980 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
793 packets, 90011 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
HTH.
Kishore
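The following is an added illustration, not part of any post in this thread: a small Python model of why ACLs 150 and 160 never match on the WAN interface once NAT is involved, and where the same ACLs would match. It assumes the classic IOS order of operations (inside-to-outside NAT runs before output QoS on the outside interface; input QoS runs before outside-to-inside NAT); the WAN and server addresses are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def wildcard_match(addr, base, wildcard):
    """IOS-style match: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")
VLAN21 = ("10.0.21.0", "0.0.0.255")
ACL_150 = (ANY, VLAN21)   # access-list 150 permit ip any 10.0.21.0 0.0.0.255
ACL_160 = (VLAN21, ANY)   # access-list 160 permit ip 10.0.21.0 0.0.0.255 any

def acl_permits(acl, pkt):
    (src_base, src_wc), (dst_base, dst_wc) = acl
    return (wildcard_match(pkt.src, src_base, src_wc)
            and wildcard_match(pkt.dst, dst_base, dst_wc))

HOST = "10.0.21.103"      # client address quoted in the thread
WAN_IP = "203.0.113.10"   # constructed inside-global (public) address
SERVER = "198.51.100.7"   # constructed Internet host

def nat_inside_to_outside(pkt):
    # Source is rewritten to the public address before WAN output QoS runs.
    return replace(pkt, src=WAN_IP)

def nat_outside_to_inside(pkt):
    # Destination is restored to the private address after WAN input QoS ran.
    return replace(pkt, dst=HOST)

def classification_hits():
    upload = Packet(HOST, SERVER)     # as it enters the LAN-side interface
    reply = Packet(SERVER, WAN_IP)    # as it arrives on the WAN interface
    return {
        # What the thread's policy sees on the WAN interface:
        "wan_output_acl160": acl_permits(ACL_160, nat_inside_to_outside(upload)),
        "wan_input_acl150": acl_permits(ACL_150, reply),
        # What the same ACLs would see on the VLAN21-facing interface:
        "lan_input_acl160": acl_permits(ACL_160, upload),
        "lan_output_acl150": acl_permits(ACL_150, nat_outside_to_inside(reply)),
    }

if __name__ == "__main__":
    for point, hit in classification_hits().items():
        print(f"{point}: {'match' if hit else 'no match'}")
```

Both WAN-side checks report no match, which lines up with the 0-packet class counters shown earlier in the thread, while the LAN-side checks match because the 10.0.21.0/24 address is still visible there.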
11-02-2011 03:46 AM
So how can I configure this so that it works with NAT?
Do I need to go about it in a different way or something?
Kind regards,
Tommy
11-03-2011 07:58 AM
Bump!
It must be possible to accomplish this in some way.
Hoping someone could shine some light on this matter.
Kind regards,
Tommy
11-11-2011 01:31 AM
Bump!
I am still stuck on this issue and would appreciate it if someone could share some knowledge regarding this issue.
Kind regards,
Tommy