Rate Limit for guest internet access

Hi

I would like to limit the internet access bandwidth for guest users on a Catalyst 3750 Stack (see attachment for layout) in the core.

I saw that this is possible with the srr-queue limit command, but as I understand, this is a value relative to the link attached; in our case the FortiGate FW is attached to a Gigabit Ethernet port. So if I configured a value of 10, the rate limit would be 10% of 1'000'000'000 ~= 100 Mbit/s, right?!

What I would like is that the guest users (wired and wireless) only have 2 out of 6 Mbit/s for the internet access. Can you please help me with how to configure this?

Thanks in advance for your help!

Accepted Solutions

Marwan ALshawi
VIP Alumni

Hi Dominic

As shown in your topology, you have a firewall.

Now, srr-queue is a scheduling method rather than a policing method.

You can limit the bandwidth based on source IPs in two ways:

First, limit it on the switch by using policing,

or you can do the bandwidth management on the internet edge device.

On the firewall outside interface you can make the limitations based on source IP.

If you use a Cisco ASA, the following link is the solution:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

For bandwidth management and rate limiting on the switch, have a look at the following post of mine regarding a similar case to yours:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc1eb66/2#selected_message

if helpful Rate

Joseph W. Doherty
Hall of Fame

On the 3750, the srr-queue limit command tries to emulate a slower interface, although it's not exact. (I recall, because of hardware, it might have something like six speed notches.) You might try running the interface at 10 Mbps and then setting the configuration for 20%.

As an alternative, you could police your guest traffic to 2 Mbps.

[edit]

I've just looked at Marwan's link to his prior post -- there he shows an example of using policing.
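
A sketch of the policing option mentioned in the replies above, as an added example that is not taken from any poster's configuration or from the linked posts. The guest subnet 192.168.50.0/24, the firewall-facing port GigabitEthernet1/0/24 and the names GUEST-DOWNLOAD and LIMIT-GUEST are assumptions.

```ios
! Constructed example: subnet, port and object names are assumptions.
!   Guest subnet (assumed):          192.168.50.0/24
!   Firewall-facing port (assumed):  GigabitEthernet1/0/24
!
! QoS must be enabled globally before a policer has any effect.
! Caveat: once "mls qos" is on, ports are untrusted by default, so
! incoming DSCP/CoS markings are reset unless trust is configured.
mls qos
!
! Classify download traffic: packets arriving from the firewall
! that are destined to guest hosts.
ip access-list extended GUEST-DOWNLOAD
 permit ip any 192.168.50.0 0.0.0.255
!
class-map match-all GUEST-DOWNLOAD
 match access-group name GUEST-DOWNLOAD
!
! police <rate-bps> <burst-byte>: 2 Mbit/s average, 8000-byte burst.
! Packets above the rate are dropped, not queued.
policy-map LIMIT-GUEST
 class GUEST-DOWNLOAD
  police 2000000 8000 exceed-action drop
!
! The 3750 accepts policy maps in the input direction only, so the
! download limit is applied where traffic enters from the firewall.
! Guest upload needs a policy of the same kind on the ports where
! guest traffic enters the stack.
interface GigabitEthernet1/0/24
 description Link to firewall (assumed port)
 service-policy input LIMIT-GUEST
!
! Alternative from the thread, shown commented out for contrast.
! It is port-wide and approximate, and slows all egress traffic on
! the port, not only guest traffic:
! interface GigabitEthernet1/0/24
!  speed 10
!  srr-queue bandwidth limit 20
```

After applying it, `show mls qos interface GigabitEthernet1/0/24 statistics` shows whether the policer is dropping out-of-profile packets.
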

Hi Joseph

I think srr-queue is a scheduling method, not policing, so if there is no congestion the traffic will be able to utilize the link, right?

while with policing you can rate limit the traffic at the maximum rate !!

Marwan, not sure I understand your comment.

The srr-queue command I think we're discussing, the "srr-queue bandwidth limit" (forgot to add "bandwidth" in prior post), does not allow full utilization of the link.

To quote from Cisco's reference manual:

"Usage Guidelines

If you configure this command to 80 percent, the port is idle 20 percent of the time. The line rate drops to 80 percent of the connected speed. These values are not exact because the hardware adjusts the line rate in increments of six."

Effectively, as I noted in my prior post, the port behaves like a slower port, because of it being idle some of the time. Or, the effect would be somewhat like using a shaper (which I believe isn't supported on the 3750).

It's also not clear to me exactly what you mean by "while with policing you can rate limit the traffic at the maximum rate !!"

One advantage of using the policer is that it can be much more precise in the bit rate. However, as policers do, traffic above the bit rate will be dropped, but traffic delayed by "srr-queue bandwidth limit" should be queued in the port queues.

[edit]

PS:

BTW:

Reading the above, you can see the "six" I remembered, but I now recall there are not six notches but jumps of six. I believe percentages of 1..6, 6...12, 13..18, etc., are treated something like 6%, 12%, 18%, etc.

Hi everybody

Thanks a lot for your help, I will try the way it is supposed under the link Marwan posted.

I will give you feedback.