Manage and configure an external Switch and Router

Edson Vuma
Level 1

Hi guys.

Take a good look at my topology here:

[Attached image: teste.jpg]

I have a few questions regarding this:

1. How can I manage those devices, the Switch and the router?

What is the BEST SOLUTION to manage these devices?

2. I want to monitor the traffic in this environment, how can I do it? How can I monitor the traffic from Customer A, Customer B, and my own LAN traffic, in terms of the bandwidth that has passed through my devices? Is it possible to monitor on MY LAN, or do I have to monitor from the EXTERNAL switch?

3. How can I limit the bandwidth?

I was trying to configure it using an access list, with a policy-map, etc., and limit this on each interface.

Using these commands:

    ip access-list extended ACL_3Mbps
     permit ip any any
    class-map Link_3Mbps
     match access-group ACL_3Mbps
    policy-map Policy_3Mbps
     class Link_3Mbps
      police 3000000 8000 exceed-action drop

    Switch(config)# interface gigabitethernet1/0/12        <---- EXAMPLE
    Switch(config-if)# service-policy input Policy_3Mbps

This configuration was going so well, but the last command that I tried to run was denied:

    Switch(config-if)# service-policy output Policy_3Mbps        <---- It doesn't accept the "OUTPUT" word....ONLY THAT TO FINISH MY CONFIGS.
    The interface does not support the specified policy configuration and/or parameter values.
    Warning: Assigning a policy map to the output side of an interface not supported

After a little reading, I could see that the SWITCH 3750 doesn't support these configs.

So I searched and found this:

http://www.techrepublic.com/blog/networking/limit-bandwidth-on-a-cisco-catalyst-switch-port/404

But, now I have a concern.

My INTERNET LINK is 30 Mbps, the ports on the Switch (WS-C3750X-48P-L) are Gigabit Ethernet.

How can I limit the bandwidth here? For example, how can I limit an interface to 3 Mbps?

I was thinking about this:

- Limit the interface to 10Mbps: speed 10

- and limit the interface with 30% of this speed:  srr-queue bandwidth limit 30

Is this correct, is this a good practice?

Does this work for both UPLOAD and DOWNLOAD?

When the packets pass that 3 Mbps limit, will they be dropped?

I hope I have explained my questions clearly enough to get full support on this.

Any help, guys?

--
Regards
Edson Vuma       
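
The policer from the question above (`police 3000000 8000 exceed-action drop`), modelled as a simplified single-rate token bucket. This is an added example, not part of the original post and not Cisco's implementation; `Policer` and `simulate` are hypothetical names, and the traffic is constructed constant-rate input.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Simplified model of `police <rate-bps> <burst-bytes> exceed-action drop`."""
    rate_bps: int        # committed rate in bits per second (3000000 on the page)
    burst_bytes: int     # bucket depth in bytes (8000 on the page)
    tokens: float = 0.0  # bytes currently available in the bucket
    last: float = 0.0    # arrival time of the previous packet, in seconds

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # assumption: bucket starts full

    def offer(self, now: float, size: int) -> bool:
        """Return True if the packet conforms (forwarded), False if it is dropped."""
        elapsed = now - self.last
        self.last = now
        # Refill at rate_bps / 8 bytes per second, never above the burst size.
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bps / 8)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # exceed-action drop: no queueing, the packet is discarded


def simulate(offered_bps, pkt_size, seconds, rate_bps=3_000_000, burst_bytes=8000):
    """Offer constant-rate traffic; return (forwarded_bps, dropped_packets)."""
    policer = Policer(rate_bps, burst_bytes)
    interval = pkt_size * 8 / offered_bps            # seconds between packets
    count = offered_bps * seconds // (pkt_size * 8)  # packets offered in total
    sent_bytes = dropped = 0
    for i in range(count):
        if policer.offer(i * interval, pkt_size):
            sent_bytes += pkt_size
        else:
            dropped += 1
    return sent_bytes * 8 / seconds, dropped


if __name__ == "__main__":
    # Constructed inputs: 1000-byte packets for 10 seconds at 2 Mbps and 10 Mbps.
    for offered in (2_000_000, 10_000_000):
        forwarded, dropped = simulate(offered, 1000, 10)
        print(f"offered {offered} bps -> forwarded {forwarded:.0f} bps, dropped {dropped}")
```

In this model, traffic below the configured rate passes untouched, while traffic above it is cut to roughly 3 Mbps by discarding the excess packets rather than delaying them.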


Edson Vuma
Level 1

Any help, guys?

--
Regards
Edson Vuma


Bilal Nawaz
VIP Alumni

Hi Edson, I see my example here; you won't be able to use the 'output' option on the 3750s.

Edson Vuma wrote:


I was thinking about this:

- Limit the interface to 10Mbps: speed 10

- and limit the interface with 30% of this speed:  srr-queue bandwidth limit 30

Using the speed 10 command won't be of use to you, this will not restrict the bandwidth. Best we can do is limit with the srr-queue bandwidth limit command.

Depends how you plan to monitor them?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


My interfaces are Gigabit...

I have a 30 Mbps Internet LINK.

How, for example, can I limit to 3 Mbps?

Please

--
Regards
Edson Vuma


Hi,

Any help?

--
Regards
Edson Vuma


Hey, you asked the question here about limiting before: https://supportforums.cisco.com/thread/2205845

Whereabouts in your diagram are you? Is it in 'my lan'? How are you intending to monitor and manage these?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Yes, Boss Bilal.

On MY LAN.

--
Regards
Edson Vuma


On your Juniper FW you need to permit your LAN to 'any' for now, and if you want to lock this down to ports and protocols later you can. How are you going to be managing the devices? e.g. via ssh

How will you be monitoring devices, snmp?

Is it clear about the bandwidth limitation on the 3750?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


The bandwidth part is not clear to me....

My interfaces are Gigabit...

I have a 30 Mbps Internet LINK.

How, for example, can I limit to 3 Mbps?

Please

Using srr-queue bandwidth limit?

Thanks

--
Regards
Edson Vuma


Hi Edson,

You can't limit to 3 Mbps with the 3750. What exactly do you want to limit? If you want to limit the internet traffic out to the ISP you can do it on the 1921, I think.

You also haven't confirmed how you want to manage your devices and monitor them?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Hi, Bilal

I want to manage on MY LAN.

How can I do it?

For the router, on the f0/0 I have sub-interfaces....f0/0.1, f0/0.2, f0/0.3

--
Regards
Edson Vuma


From MY LAN, can you ping the management SVI for the 3750 and the 1921? Please explain how things are set up a bit more. e.g. type of routing? the network addresses etc...

What network is customer A in?

What network is customer B in?

What network is MYLAN in?

Is the SSG doing any NAT or firewalling?

Do you need to be able to SSH to the 3750 and 1921?

You can enable SNMP on the 3750, which can give you stats, but you need an SNMP server. If you want more granularity, you could use NetFlow to monitor too.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Hi, Bilal.

Sorry for the delay, had some personal probs

Here are my answers,

On the external switch, I have set 3 VLANs, and for the default VLAN, VLAN 1, I have set an IP for management.

I have a certain range of IP addresses, so I have configured 3 subnets on the gigabitethernet0/1 connected to the external switch.

    !
    interface GigabitEthernet0/1.10
     description COMPANY_PUBLIC_LAN
     encapsulation dot1Q 10
     ip address
    !
    interface GigabitEthernet0/1.11
     description CLIENTS_STATIC_IPs
     encapsulation dot1Q 11
     ip address
    !
    interface GigabitEthernet0/1.12
     description CLIENTS_DYNAMIC_IPs
     encapsulation dot1Q 12
     ip address
    !

I can access the switch by connecting to any port on it that is in VLAN 1 and giving the PC an IP on the same network as the IP address of the switch.

I can't access the router.

interface GigabitEthernet0/1.10       -    Is going to MY LAN

interface GigabitEthernet0/1.11       -    Is for a customer's LAN, with statics IPs

interface GigabitEthernet0/1.12       -    Is for a customer's LAN, with DHCP addresses.

The SSG does NAT and firewalling.

We have a 30 Mbps Internet link coming from our ISP, we have set for us a portion of this and for our customers too.

But I would like to monitor the traffic that is being generated.

Where is the best part to monitor all this?

On “MY LAN” or on the EXTERNAL ENVIRONMENT?

--
Regards
Edson Vuma


Hi Edson, I'm working on a lab for this and will share configs with you a little later. What is the default gateway for the CUSTOMER A and CUSTOMER B? Is it the firewall or the 1921?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Hello Edson, I have replicated the topology with the exception of the firewall since the SSG is more advanced. I am able to ping everywhere which is the main thing. Everything terminates on the firewall, so your cust1 and cust2 have to go through the firewall for security reasons.

With reachability everywhere it means you are able to set policies on your FW to allow things like SNMP and SSH to your switch and router. The configs of the 1900, 3750 and the FW are below. I will also attach this PT in case you are able to download and open it in Packet Tracer, if you have it.

1900:

    hostname 1900
    !
    spanning-tree mode pvst
    !
    interface FastEthernet0/0
     ip address dhcp
     ip nat outside
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 1.0.0.1 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface Vlan1
     no ip address
     shutdown
    !
    router ospf 1
     log-adjacency-changes
     network 1.0.0.1 0.0.0.0 area 0
     default-information originate
    !
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip classless
    !
    access-list 1 permit any

3750:

    hostname 3750
    !
    spanning-tree mode pvst
    !
    interface FastEthernet0/1
     description 1900
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
    interface FastEthernet0/2
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
    interface FastEthernet0/3
     switchport access vlan 5
    !
    interface FastEthernet0/4
     switchport access vlan 6

FW:

    hostname FW
    !
    spanning-tree mode pvst
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 1 native
     ip address 1.0.0.254 255.255.255.0
     ip nat outside
    !
    interface FastEthernet0/0.5
     encapsulation dot1Q 5
     ip address 5.5.5.1 255.255.255.0
     ip nat inside
    !
    interface FastEthernet0/0.6
     encapsulation dot1Q 6
     ip address 6.6.6.1 255.255.255.0
     ip nat inside
    !
    interface FastEthernet0/1
     ip address 10.0.0.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface Vlan1
     no ip address
     shutdown
    !
    router ospf 1
     log-adjacency-changes
     network 1.0.0.254 0.0.0.0 area 0
    !
    ip nat inside source list 1 interface FastEthernet0/0.1 overload

With this configuration, I am able to reach everywhere, so you will be able to use management and monitoring tools and protocols like SNMP, SSH, Telnet and NetFlow, but I have not included that configuration here, since it will have to be done in the FW policies to allow this traffic.

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.
