Limit Internet Bandwidth for a VLAN?

noexistence (Level 1)

Hi,

I have two VLANs on my network (VLAN10 is servers and VLAN80 is client computers). Each VLAN is on its own sub interface. What I want to do is to limit the available Internet bandwidth (say 15MB) for VLAN80 but not restrict the local LAN bandwidth between VLAN80 and VLAN10. VLAN10 should have no restrictions at all.

I was thinking I could set something up on our router's outside interface, but I've never worked with traffic shaping, policy maps, or policing. Is what I want possible and, if so, can you help me figure out how to set it up?

Thanks.

Accepted Solution

Bilal Nawaz (VIP Alumni)

Hello,

There are a few ways of doing this, and some people have their own opinions on what should be done in a scenario like this. Whenever it has come to strict limitation of bandwidth for a specified host/network using particular applications, ports or protocols, I have used this method, which works quite well and is easy to implement:

You can police the outbound traffic (the interface towards the internet or as you mentioned; outbound interface - not your sub-if's).


Let's say I wanted to limit to 15mb (outbound) for vlan 80, which is the 10.10.10.0/24 network. You can do this, for http & https traffic:


### To match the traffic
ip access-list extended ACL_15Mbps
 permit tcp 10.10.10.0 0.0.0.255 any eq www
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
!
### Class the traffic
class-map Link_15Mbps
 match access-group name ACL_15Mbps
!
### Apply policy against the class (type of traffic specified by your class-map)
policy-map Policy_15Mbps
 class Link_15Mbps
  ! 15000000 is the rate in bits per second, 8000 is the burst rate (bytes)
  police 15000000 8000 conform-action transmit exceed-action drop
!
interface gigabitethernet1/0
### Applies the policy outbound only
 service-policy output Policy_15Mbps


In the ACL you can specify source and destination, or just source, or source and port, depending on how you configure your ACL. You can change the burst rate if you wish.


Hope this helps.


Link for your reference:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpoli_ps1835_TSD_Products_Configuration_Guide_Chapter.html#wp1006389



Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


10 Replies


Hello,

Just to add....

On the ACL you should do it like this, so it does not involve any traffic from vlan 80 to vlan 10:

ip access-list extended ACL_15Mbps
 ! where 192.168.10.0/24 is the server vlan; sequence number 1 places the deny before the permits
 1 deny ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit tcp 10.10.10.0 0.0.0.255 any eq www
 permit tcp 10.10.10.0 0.0.0.255 any eq 443

Regards.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

This would be true if we were applying this inbound on the internal LAN interface where the two sub interfaces belong. But we are targeting outbound, external interface here.

Since both LANs exist on sub interfaces (same physical connection) then the routing between the two vlans will not be restricted (as they terminate in a similar place on the router), we are only targeting the outbound interface towards the Internet. This is where the policy will be set.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hello Bilal,

Got it, did not see the outbound interface to the internet as the one being used.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

noexistence (Level 1)

Thanks Bilal! 

So just so I understand correctly (since I am just learning traffic classification and policing) is this how it works:

### Class the traffic
class-map Link_15Mbps
 match access-group name ACL_15Mbps

This essentially says "classify any traffic that matches ACL_15Mbps as Link_15Mbps"?

### Apply policy against the class (type of traffic specified by your class-map)
policy-map Policy_15Mbps
 class Link_15Mbps
  ! 8000 is the burst rate
  police 15000000 8000 conform-action transmit exceed-action drop

This then says "any traffic classified as Link_15Mbps limit to 15Mbps with a burst of 8Kb?"

So other than the "8000 burst rate", the way our outbound Internet traffic will work is "when the traffic tries to go to the Internet, the policy examines the traffic to see if it matches ACL_15Mbps; if it does, classify it as "Link_15Mbps" and throttle the bandwidth to 15Mbps. If it doesn't match ACL_15Mbps (for example, VLAN10) then don't throttle the speed and give the traffic all available bandwidth (in this case 50Mbps)"? Am I understanding this correctly?

Thanks again!  HUGE help!

Hello, yes - this is my interpretation too! :-)

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
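The classify-then-police behaviour that the question above describes and the reply confirms, as an added simulation that is not part of the thread and is not Cisco's implementation: it models `class-map Link_15Mbps` as an ACL match and `police 15000000 8000 conform-action transmit exceed-action drop` as a single-rate token bucket whose rate is in bits per second and whose burst (Bc) is in bytes, then runs a constructed packet trace through both. The host addresses (10.10.10.5 in the client VLAN, 192.168.10.5 in the server VLAN), packet sizes and arrival times are constructed for the example.

```python
"""Added example, not Cisco code and not from the thread: simulate the ACL match
and the single-rate, single-bucket policer behind `police 15000000 8000 ...`.

Model (an assumption about the policer, standard token-bucket semantics):
  - tokens are bytes; the bucket holds at most Bc = 8000 bytes and starts full
  - tokens refill at CIR = 15,000,000 bit/s, i.e. CIR/8 bytes per second
  - a packet conforms (transmit) only if the bucket holds >= its size; otherwise
    it exceeds (drop) and consumes no tokens
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CIR_BPS = 15_000_000   # police 15000000 ...   rate in bits per second
BC_BYTES = 8_000       # ... 8000              normal burst in BYTES

# ACL_15Mbps from the thread as (source network, protocol, destination port)
ACL_15MBPS = [
    (ip_network("10.10.10.0/24"), "tcp", 80),    # permit tcp 10.10.10.0 0.0.0.255 any eq www
    (ip_network("10.10.10.0/24"), "tcp", 443),   # permit tcp 10.10.10.0 0.0.0.255 any eq 443
]


@dataclass
class Packet:
    t: float      # arrival time at the outbound interface, seconds
    src: str      # source IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    size: int     # bytes on the wire


def matches_acl(pkt: Packet, acl=ACL_15MBPS) -> bool:
    """class-map Link_15Mbps / match access-group name ACL_15Mbps: any permit entry matches."""
    return any(
        ip_address(pkt.src) in net and pkt.proto == proto and pkt.dport == port
        for net, proto, port in acl
    )


@dataclass
class Policer:
    """Single-rate policer: conform-action transmit, exceed-action drop."""
    cir_bps: int
    bc_bytes: int
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)   # bucket starts full: a burst of Bc bytes passes at once

    def offer(self, pkt: Packet) -> str:
        # Refill with the bytes CIR allows since the previous packet, capped at Bc.
        elapsed = max(0.0, pkt.t - self.last_t)
        self.tokens = min(float(self.bc_bytes), self.tokens + elapsed * self.cir_bps / 8)
        self.last_t = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return "transmit"
        return "drop"   # a dropped packet consumes no tokens


def apply_policy(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES) -> dict:
    """Run a trace through the policy and return counters in the spirit of
    `show policy-map interface`: conformed/exceeded for Link_15Mbps, plus the
    packets that fell through to class-default and were left unpoliced."""
    policer = Policer(cir_bps, bc_bytes)
    stats = {"conformed": 0, "exceeded": 0, "class-default": 0}
    for pkt in sorted(packets, key=lambda p: p.t):
        if not matches_acl(pkt):
            stats["class-default"] += 1      # e.g. VLAN10 traffic: never policed
        elif policer.offer(pkt) == "transmit":
            stats["conformed"] += 1
        else:
            stats["exceeded"] += 1
    return stats


def sample_trace(interval: float = 0.0004) -> list:
    """Constructed trace: 20 full-size HTTPS packets from a VLAN80 host spaced
    `interval` seconds apart (0.0004 s = 30 Mbit/s offered, twice the CIR), plus
    one server-VLAN HTTPS packet and one VLAN80 DNS packet the ACL does not match."""
    trace = [Packet(i * interval, "10.10.10.5", "tcp", 443, 1500) for i in range(20)]
    trace.append(Packet(0.0001, "192.168.10.5", "tcp", 443, 1500))   # constructed server-VLAN host
    trace.append(Packet(0.0002, "10.10.10.5", "udp", 53, 80))        # neither tcp/80 nor tcp/443
    return trace


if __name__ == "__main__":
    print("30 Mbit/s offered:", apply_policy(sample_trace()))
    print("12 Mbit/s offered:", apply_policy(sample_trace(0.001)))
```

Two things the simulation makes visible that the config lines alone do not: the burst value is bytes, so a full bucket of 8000 lets about five 1500-byte frames through back to back and then drops the sixth; and at 30 Mbit/s offered the policer settles into dropping roughly every second packet, which is the 15 Mbit/s rate, while a stream offered at 12 Mbit/s is never dropped. Packets that the ACL does not match are counted in class-default and never reach the policer, which is the behaviour the thread relies on for VLAN10.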

Hi Guys,

So I talked to a Cisco guy who knows my router's configuration and he said:

You might have some issues with your proposed config because I already have a service policy applied to Gi0/0 to shape your traffic to 50Meg (to match your internet connection speed).  To implement your service policy, you may have to do a nested policy under the 50Meg policy which is a bit more complicated.

You can try your config and see how it turns out, but if you end up requiring a nested policy, let me know and I’ll see what I can come up with. 

I found this in the running config:

policy-map 50MEG-SHAPE
 class class-default
  shape average 45000000 4500000 0

Are there any modifications I need to make to get this to work?

Thanks again!

Hey, I understand what is being stated here. You can only have one policy on an interface, so we need to build a nested policy (I didn't know about your policy already applied). Do you mind showing us your config so I can suggest the modifications/additions required, please?

Is your Cisco guy able to give you config to your requirements?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


I'm sorry but I'm just not comfortable posting our config. 

Okay, no problem. You could have hidden any sensitive information; without the config it becomes difficult for us to help. Also, you didn't state whether you had a policy in place or not. But I'll try my best with this example:

R1#
class-map match-all Link_15Mbps
 match access-group name ACL_15Mbps
!
policy-map Policy_15Mbps
 class Link_15Mbps
  police cir 15000000 bc 8000
   conform-action transmit
   exceed-action drop
!
policy-map 50MEG-SHAPE
 class class-default
  shape average 45000000 4500000 0
  service-policy Policy_15Mbps
!
ip access-list extended ACL_15Mbps
 permit tcp 10.10.10.0 0.0.0.255 any eq www
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
!
interface Gi0/0
 service-policy output 50MEG-SHAPE

If anyone can see mistakes in the config - please do correct me!

You can do this to check:

R1#show policy-map interface Gi0/0
GigabitEthernet0/0

  Service-policy output: 50MEG-SHAPE

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
         45000000/45000000  562500 4500000   0         100       562500

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         0         0         0         0         no

      Service-policy : Policy_15Mbps

        Class-map: Link_15Mbps (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ACL_15Mbps
          police:
              cir 15000000 bps, bc 8000 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.
