Restricting bandwidth from a particular vlan

jomo frank · ‎01-18-2012

Hello Expert,

I have a 2900 router at branch office.

This router has a 4 port switch card and two gigabyte ports.

The gigabyte port is use for wan connection and the 4 port switch card is use for lan connection.

I have two separate networks on my lan side. (network 1 and network 2)

I have assigned port 0,1 of the switch card to vlan1 for network 1

Ports 2,3 of the switch card is assigned vlan 20 for network 2

My problem is I would like to applied a bandwidth restriction for all data coming out from vlan20

capping same to 384 kb.

Note I do not want use QOS because this will only kickin when saturation occurs, I would

like this to apply regards if there is saturation or not.

How can I achieve the above.

Regards

jomo

adamclarkuk_2 · ‎01-18-2012

Hi Jomo

Not all QoS features operate when the link is saturated. The enhanced etherswitch module for the 2900 does support policing, see below. Without knowing the part number for the module you have installed, I cannot say if your module supports policing.

Policing

Note To use policy maps, the enhanced EtherSwitch service module must be running the LAN Base image

–Traffic-policing policies on the enhanced EtherSwitch service module port for managing how much of the port bandwidth should be allocated to a specific traffic flow

–In Cisco IOS Release 12.2(25)SED and later, iIf you configure multiple class maps for a hierarchical policy map, each class map can be associated with its own port-level (second-level) policy map. Each second-level policy map can have a different policer.

–Aggregate policing for policing traffic flows in aggregate to restrict specific applications or traffic flows to metered, predefined rates

This would allow you the limit traffic using an ACL then apply the policy-map the the SVI interface for VLAN 20.

jomo frank · ‎01-18-2012

Hello adam,

Below is the spec from the router:

Cisco CISCO2901/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FTX143701HR
4 FastEthernet interfaces
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2901/K9 FTX143701HR

Technology Package License Information for Module:'c2900'

----------------------------------------------------------------
Technology    Technology-package          Technology-package
              Current       Type          Next reboot
-----------------------------------------------------------------
ipbase        ipbasek9      Permanent     ipbasek9
security      securityk9    Permanent     securityk9
uc            None          None          None
data          None          None          None

Configuration register is 0x2102

adamclarkuk_2 · ‎01-18-2012

Hi I'm not 100% sure but from what I can tell, you might be in luck.

Create an ACL but with the details you need, ( ie standard or extended, my example uses standard )

access-list 1 permit any

Create your class and attach your ACL

class-map test

match access-group 1

Create your policy-map and attach your class

policy-map test

class test

police cir (value you want in bits)

apply the policy map to your SVI

interface vlan 20

service-policy input test

You can monitor that the policer is doing as expected using the command

show policy-map interface vlan20

Job done, good luck

rizwanr74 · ‎01-18-2012

When applying the service policy on the interface, be sure to apply for input and output.

service-policy input test

service-policy output test

Thanks

Rizwan Rafeek

jomo frank · ‎01-18-2012

Thanks for the policy map instructions I adjust my configuration to include as per post.

Nobody is current using that vlan, hence when i did show policy-map interface vlan20

no info returned

Will generate some traffic on the vlan to test the restriction.

A quick question if i use traffic shape will how this affect the restriction.

Regards

jomo frank · ‎01-24-2012

hello Adamclarke,

I notice when i applied the service policy input to the vlan interface i am able to save, but for some strange

reason when i recheck the config next day the policy is not there.

I should be mention i am using Cisco Sdm software to applied the policy to the interface.

Can you shed an light on this issuse.

Regards

Jomo

jomo frank · ‎01-24-2012

hello Adamclarke,

When i use 'putty' to connect to the router and applied the service-policy to the interface the following error was return

Diamond(config-if)#service-policy input Vlan_limiting

Configuration failed!

I tring to recheck my access list, class-mappings and service policy to find the error.

Regards

Jomo

jomo frank · ‎01-24-2012

hello AdamClarke,

Below is copy of my config for the service-policy

sh object-group

Network object group InternalService

Description Internal Service Security Group

170.1.0.0 255.255.0.0

sh access-list

Extended IP access list 102

10 permit ip object-group InternalService any (259783 matches)

#sh class-map

Class Map match-all Internal_Sec_out (id 6)

Match access-group 102

Policy Map Vlan_limiting

Class Internal_Sec_out

police cir 384000 bc 12000

conform-action transmit

exceed-action drop

Regards

Jomo