Limit egress traffic 2960G

jzamani
Level 1

This is to support a user who has the requirement of simulating specific speeds for download/upload. We have configured a limit using service-policy that is successfully limiting upload speed (ingress on the interface), but we (more importantly) need to limit download speed (egress on the interface). I know of using srr-queue, but we need specific speeds (such as 512KB). Been banging away at this for a few days now and can't find a working method. I pursued shaping via:

class-map match-any CLASS_EgressLimit_512KB
 match access-group name ACL_RateLimit_512KB
policy-map POLICY_EgressLimit_512KB
 class CLASS_EgressLimit_512KB
  shape average 512000
interface gi0/6
 service-policy output POLICY_EgressLimit_512KB

but shaping doesn't seem to be supported in this context on our switch (WS-C2960G-8TC-L 15.0(2)SE4 C2960-LANBASEK9-M)

 

Any help is sincerely appreciated!

4 Replies

devils_advocate
Level 7

Shaping is designed to work Outbound on an interface, not inbound.

If you want to limit traffic in both directions on an interface you need to look at policing.

The information above does not include the details on the Access List called 'ACL_RateLimit_512KB'

If you wanted to create a Policy which policed an interface down to 512Kb for a specific subnet of 192.168.1.0 /24, you would first create the access list:

ip access-list extended ACL_RateLimit_512KB
 permit ip any 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

Bear in mind, you need to ensure you have both lines above because we need to match on both the source address (for outbound packets) and the destination address (for inbound packets).

You then create your class maps:

class-map match-any CLASS_EgressLimit_512KB
 match access-group name ACL_RateLimit_512KB

class-map match-any CLASS_IngressLimit_512KB
 match access-group name ACL_RateLimit_512KB

We are referencing the same access list for both class maps but this is not an issue really.

Then we create our policy maps:

policy-map POLICY_EgressLimit_512KB
 class CLASS_EgressLimit_512KB
  police 512000

policy-map POLICY_IngressLimit_512KB
 class CLASS_IngressLimit_512KB
  police 512000

Then we apply the policing both inbound and outbound on the interface:

interface gi0/6
 service-policy output POLICY_EgressLimit_512KB
 service-policy input POLICY_IngressLimit_512KB

Bear in mind that policing is fairly brutal: it will not queue packets like shaping does, it will just drop them if they do not conform.

As you are doing this on a switch (as opposed to a Router), there is a chance that the commands above may not work.

Hope this helps!

 

Let me clarify the current configuration for all and hopefully this will help. I've already used policing to limit the input rate of the interface (upload speed for the user).

Here is how I accomplished the service-policy using policing to limit input speed.

Extended IP access list ACL_RateLimit_1024KB
    10 permit ip any any
Extended IP access list ACL_RateLimit_512KB
    10 permit ip any any

 Policy Map POLICY_RateLimit_1024KB
    Class CLASS_RateLimit_1024KB
      police 1024000 100000 exceed-action drop

  Policy Map POLICY_RateLimit_512KB
    Class CLASS_RateLimit_512KB
      police 512000 100000 exceed-action drop

Class Map match-all CLASS_RateLimit_512KB (id 2)

   Match access-group name ACL_RateLimit_512KB

 Class Map match-all CLASS_RateLimit_1024KB (id 1)

   Match access-group name ACL_RateLimit_1024KB

 

interface GigabitEthernet0/6
 switchport access vlan 42
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 6
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 no logging event link-status
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input POLICY_RateLimit_512KB
!
interface GigabitEthernet0/7
 switchport access vlan 42
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 6
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 no logging event link-status
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input POLICY_RateLimit_1024KB

 

Hopefully this clarifies and makes providing a solution easier!  I appreciate everyone's time here!
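The difference between policing and shaping described in this thread, as an added example that is not part of the original posts and is not Cisco's implementation: a simplified single-rate token-bucket model using the rate and burst from `police 512000 100000 exceed-action drop`. The traffic pattern, function names and the unbounded shaper queue are assumptions made for illustration.

```python
from fractions import Fraction

RATE_BPS = 512_000     # rate from "police 512000 100000 exceed-action drop"
BURST_BYTES = 100_000  # burst size from the same command

# Constructed traffic: one 1500-byte packet every 1 ms for 1 s (12 Mbit/s offered).
SAMPLE = [(ms, 1500) for ms in range(1000)]

def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Token-bucket policer: return (forwarded_bytes, dropped_bytes)."""
    per_ms = Fraction(rate_bps, 8000)        # bytes of credit earned per millisecond
    tokens, last = Fraction(burst_bytes), 0  # bucket starts full
    forwarded = dropped = 0
    for t_ms, size in packets:
        # Refill for the elapsed time, never beyond the configured burst.
        tokens = min(Fraction(burst_bytes), tokens + (t_ms - last) * per_ms)
        last = t_ms
        if size <= tokens:
            tokens -= size
            forwarded += size
        else:
            dropped += size  # exceed-action drop: nothing is queued
    return forwarded, dropped

def shape(packets, rate_bps=RATE_BPS):
    """Shaper with an unbounded queue: return (forwarded_bytes, finish_ms, max_delay_ms)."""
    free_at = max_delay = Fraction(0)
    forwarded = 0
    for t_ms, size in packets:
        start = max(Fraction(t_ms), free_at)               # wait behind queued packets
        free_at = start + Fraction(size * 8000, rate_bps)  # serialization at the shaped rate
        max_delay = max(max_delay, start - t_ms)
        forwarded += size
    return forwarded, free_at, max_delay

if __name__ == "__main__":
    fwd, drop = police(SAMPLE)
    print(f"policer: forwarded {fwd} B, dropped {drop} B")
    total, done, delay = shape(SAMPLE)
    print(f"shaper:  forwarded {total} B, done at {float(done)} ms, "
          f"max queueing delay {float(delay)} ms")
```

In this model the policer passes the initial burst and then only what the 512000 bit/s refill allows, discarding the rest, while the shaper delivers everything at the cost of queueing delay.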

 

 

If you have the upload limit working using the 'service-policy input' command on the interface, you just need to configure the output to limit the download.

interface GigabitEthernet0/7
 switchport access vlan 42
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 6
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 no logging event link-status
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input POLICY_RateLimit_1024KB

 service-policy output POLICY_RateLimit_1024KB

Is this something that you've tried given similar limitations?  Because running service-policy output errors out as an unsupported action.

police command is not supported for this interface
Configuration failed!
Warning: Assigning a policy map to the output side of an interface not supported
