Hi,

True, you can apply a one policy-map in either direction. But you have to create two policy maps. You can't use the same in both directinos on the interface if you know what i mean.

so you can apply something lke the below. just make sure to create the right policy maps

int gi1/0

service-policy input limit-5mbps-inbound

service-policy output limit-5mbps-outbound

give it a try and let me know hwo you go

HTH

Regards

Kishore

Hi again,

I have now tested your tips and i cant seem to get this working at all.

When i try and download something or when i do a test of the Internet connection i still have over 20 Mbit in both directions.

My IP address as of this moment is 10.0.21.103 so i should hit the access-lists i have set up but i dont get any hits when i do the show ip access-lists.

This is what i have config so far:

access-list 150 permit ip any 10.0.21.0 0.0.0.255

access-list 160 permit ip 10.0.21.0 0.0.0.255 any

class-map match-all LIMIT_IN

  match access-group 150

class-map match-all LIMIT_OUT

  match access-group 160

policy-map LIMIT_IN_5MBIT

  class LIMIT_IN

police 64000 conform-action transmit  exceed-action drop

policy-map LIMIT_OUT_5MBIT

  class LIMIT_OUT

police 64000 conform-action transmit  exceed-action drop

interface gigabit ethernet 0/0

service-policy input LIMIT_IN_5MBIT

service-policy output LIMIT_OUT_5MBIT

Here is some output on the matter:

IOSOFT_ROUTER(config)#do sh policy-map interface GigabitEthernet0/0

GigabitEthernet0/0

  Service-policy input: LIMIT_IN_5MBIT

    Class-map: LIMIT_IN (match-all)

      0 packets, 0 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match: access-group 150

      police:

          cir 64000 bps, bc 2000 bytes

        conformed 0 packets, 0 bytes; actions:

          transmit

        exceeded 0 packets, 0 bytes; actions:

          drop

        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)

      504563 packets, 692545765 bytes

      5 minute offered rate 10317000 bps, drop rate 0 bps

      Match: any

  Service-policy output: LIMIT_OUT_5MBIT

    Class-map: LIMIT_OUT (match-all)

      0 packets, 0 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match: access-group 160

      police:

          cir 64000 bps, bc 2000 bytes

        conformed 0 packets, 0 bytes; actions:

          transmit

        exceeded 0 packets, 0 bytes; actions:

          drop

        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)

      289935 packets, 70694463 bytes

      5 minute offered rate 803000 bps, drop rate 0 bps

      Match: any

IOSOFT_ROUTER(config)#

Kind regards,

Tommy

Disclaimer

The     Author of this posting offers the information contained within this     posting without consideration and with the reader's understanding  that    there's no implied or expressed suitability or fitness for any   purpose.   Information provided is for informational purposes only and   should not   be construed as rendering professional advice of any kind.   Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In     no event shall Author be liable for any damages whatsoever   (including,   without limitation, damages for loss of use, data or   profit) arising  out  of the use or inability to use the posting's   information even if  Author  has been advised of the possibility of  such  damage.

Posting

If g0/0 is 10.0.21.1, it looks like your ACLs are "backwards".

Try:

access-list 150 permit ip 10.0.21.0 0.0.0.255 any

access-list 160 permit ip any 10.0.21.0 0.0.0.255

No im sorry i should have said that g0/0 is my WAN interface as i just want VLAN21 to have limited speed to the Internet and full speed to other internal VLANs.

Kind regards,

Tommy

I see what the problem here is. I have tested this outbound using the same config in my prev post but this time outbound

and the reason why it doesn't work is because of NAT. However, I do see matches on my ACL but the policy-map doesn't work because of the ip nat inside. The NAT takes place first and hence your packets don't hit the policy-map. but the moment I take the ip nat inside off it works smoothly.

+++++ with ip nat inside

R1#sh policy-map interface  gigabitEthernet 2/0 output

GigabitEthernet2/0

  Service-policy output: LIMIT_VLAN21_5MBIT_OUT

    Class-map: LIMIT_LAN (match-any)

     0 packets, 0 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match: access-group 102

        0 packets, 0 bytes

        5 minute rate 0 bps

      police:

          cir 64000 bps, bc 2000 bytes

        conformed 0 packets, 0 bytes; actions:

          transmit

        exceeded 0 packets, 0 bytes; actions:

          drop

        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)

      594 packets, 67500 bytes

      5 minute offered rate 4000 bps, drop rate 0 bps

      Match: any

R1#sh ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

icmp 192.168.1.1:3     10.0.21.1:3        192.168.1.2:3      192.168.1.2:3

R1#sh ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

icmp 192.168.1.1:3     10.0.21.1:3        192.168.1.2:3      192.168.1.2:3

R1#sh ip access-lists

Extended IP access list 100

    10 permit ip any 10.0.21.0 0.0.0.255 (308 matches)

Extended IP access list 102

    10 permit ip 10.0.21.0 0.0.0.255 any (12 matches)

R1#

+++++ after I take off the ip nat inside

R1#sh policy-map interface  gigabitEthernet 2/0 output

GigabitEthernet2/0

  Service-policy output: LIMIT_VLAN21_5MBIT_OUT

    Class-map: LIMIT_LAN (match-any)

      70 packets, 7980 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match: access-group 102

        70 packets, 7980 bytes

        5 minute rate 0 bps

      police:

          cir 64000 bps, bc 2000 bytes

        conformed 70 packets, 7980 bytes; actions:

          transmit

        exceeded 0 packets, 0 bytes; actions:

          drop

        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)

      793 packets, 90011 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match: any

HTH.

Kishore

So how can i configure this so that it works with NAT?

Do i need to go about it in a different way or something?

Kind regards,

Tommy