to limit bandwidth on a perimeter router

All,

I want to restrict bandwidth on the perimeter router for a particular IP access to 5Mb. Total internet bandwidth available with us is 12 Mb. Following is the configuration done in order to achieve this, but it seems it's not limiting to 5Mb, as I can see traffic to that defined network is going beyond 5 Mb.

rate-limit output access-group 101  5000000 30000 30000 conform-action transmit  exceed-action drop

access-list 101 permit ip any 168.161.247.0 0.0.0.255

Applied to outgoing interface of the perimeter router.

sh ver

RTR2800-1#sh ver
Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 14:44 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

RTR2800-1 uptime is 13 weeks, 2 days, 1 hour, 8 minutes
System returned to ROM by reload at 08:52:03 UAE Mon Oct 11 2010
System image file is "flash:c2801-advsecurityk9-mz.124-15.T10.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2801 (revision 7.0) with 353280K/39936K bytes of memory.
Processor board ID FCZ1353C0P6
3 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
126000K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Is there any way I can achieve this, or am I doing anything wrong here?

Thanks

Shibu

8 Replies

lgijssel
Level 9

Perhaps the target network is a transit.

In that case, the destination ip will not always be matched.

You should modify the ACL to match ip any any.

regards,

Leo

Hi,

Thanks for the reply.

Meanwhile I want to restrict only traffic destined to one network (168.161.247.0 0.0.0.255). All the rest of the access should be allowed to get full bandwidth. Can that be done? Is there any way to do it?

Can you please post the output of:

show interface

show ip interface

show service-policy

We need this only for the interface concerned.

Perhaps the config of the interface (sh run int xx) with the service policy is also useful.

regards,

Leo

Please find the output from the router. The sh service-policy command is not working:

RTR2800-1#sh service-policy
                    ^
% Invalid input detected at '^' marker.

RTR2800-1#  sh int
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 0026.9973.1892 (bia 0026.9973.1892)
  Description: To_ASA_Outside
  Internet address is 94.200.*.*/30
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 39/255, rxload 4/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1951000 bits/sec, 521 packets/sec
  5 minute output rate 15602000 bits/sec, 1538 packets/sec
     1010061414 packets input, 3700189164 bytes
     Received 173988 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     1510902221 packets output, 1019151491 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     8 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet0/1 is up, line protocol is up
  Hardware is Gt96k FE, address is 0026.9973.1893 (bia 0026.9973.1893)
  Description:_ILL_12Mbps
  Internet address is 94.200.*.*/29
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 2/255, rxload 30/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:03:59, output 00:00:00, output hang never
  Last clearing of "show interface" counters 2d12h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 93
  Queueing strategy: Class-based queueing
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/2/256 (active/max active/max total)
     Reserved Conversations 2/2 (allocated/max allocated)
     Available Bandwidth 74925 kilobits/sec
  5 minute input rate 12013000 bits/sec, 1134 packets/sec
  5 minute output rate 902000 bits/sec, 223 packets/sec
     155893362 packets input, 472298840 bytes
     Received 705 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     15958800 packets output, 2293346779 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out


RTR2800-1#  sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            94.200.*.*   YES NVRAM  up                    up
FastEthernet0/1            94.200.*.*   YES NVRAM  up                    up


RTR2800-1#sh run
Building configuration...

Current configuration : 2115 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RTR2800-1
!
boot-start-marker
boot system flash c2801-advsecurityk9-mz.124-15.T10.bin
boot-end-marker
!
enable secret 5 $1$Xmda$2dLKaP7LGVPG3wLulCTK7.
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone
dot11 syslog
ip cef
!
!
!
!
no ip domain lookup
ip domain name gadm.corp
!
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 password 7 1306281B180F540A2C252C3E
archive
log config
  hidekeys
!
!
!
!
ip ssh time-out 30
!
class-map match-all vpntraffic
match access-group 101
class-map match-all http
match access-group 102
!
!
policy-map outbound-policy
class vpntraffic
  bandwidth 25
class http
  bandwidth 50
!
!
!
!
interface FastEthernet0/0
description To_ASA_Outside
ip address 94.200.*.* 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
description_ILL_12Mbps
ip address 94.200.*.* 255.255.255.248
rate-limit output access-group 100 6000000 30000 30000 conform-action transmit exceed-action drop
duplex auto
speed auto
service-policy output outbound-policy
!

!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 94.200.*.*
ip route 94.200.*.* 255.255.255.248 94.200 .*.*
ip route 94.200.*.* 255.255.255.252 94.200.*.*
!
!
no ip http server
no ip http secure-server
!

!

access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any any eq ftp
access-list 101 permit ip host 94.200.*.* host 78.93.243.130
access-list 102 permit ip host 94.200.*.* any
!
!

!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
end

RTR2800-1#

Yes, the command "show service-policy" does not work on your platform. Sorry for that.

You should rather use the command: show policy-map int

I have also found a document which may help you to resolve the problem:

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qccar.html#wp6974

Please also note that bandwidth in a policy map is interpreted using the interface bandwidth.

regards,

Leo

Please see the output. If I change the bandwidth command on the interface, will there be any impact?

RTR2800-1#sh int fastEthernet 0/1 rate-limit
FastEthernet0/1 Du_ILL_12Mbps
  Output
    matches: access-group 100
      params:  6000000 bps, 30000 limit, 30000 extended limit
      conformed 82486 packets, 98363983 bytes; action: transmit
      exceeded 92 packets, 124840 bytes; action: drop
      last packet: 15023884ms ago, current burst: 1889 bytes
      last cleared 04:17:54 ago, conformed 50000 bps, exceeded 0 bps
RTR2800-1#sh plo
RTR2800-1#sh policy-map interface fa0/1
FastEthernet0/1

  Service-policy output: outbound-policy

    Class-map: vpntraffic (match-all)
      538965 packets, 156409366 bytes
      5 minute offered rate 40000 bps, drop rate 0 bps
      Match: access-group 101
      Queueing
        Output Queue: Conversation 265
        Bandwidth 25 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 4/528
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: http (match-all)
      1635687 packets, 217395532 bytes
      5 minute offered rate 102000 bps, drop rate 0 bps
      Match: access-group 102
      Queueing
        Output Queue: Conversation 266
        Bandwidth 50 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 17/2678
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: class-default (match-any)
      478606 packets, 308086852 bytes
      5 minute offered rate 80000 bps, drop rate 0 bps
      Match: any
RTR2800-1#

The bandwidth under policy-map is the minimum bandwidth (in kbps) to allocate to this flow.

This poses no upper limit on the traffic matching the acl.

I have included yet another link on how this might be achieved using the 'police' command.

http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080103eae.shtml#howisunusedbandwidthallocated

regards,

Leo
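For comparison, an added configuration example (not from any post in this thread) showing the two approaches side by side: the `bandwidth` pattern from the running config above only reserves a CBWFQ minimum for the class, while `police` enforces the 5 Mb/s ceiling Shibu is after. The class name (cap-to-247-net), ACL number 103 and the burst values are assumptions; they do not appear in the thread.

```cisco
! Match traffic to the destination network from the first post.
! ACL 103 is an assumed, unused number: 101 is already taken by vpntraffic
! and 100 by the FTP rate-limit in the running config.
access-list 103 permit ip any 168.161.247.0 0.0.0.255
!
class-map match-all cap-to-247-net
 match access-group 103
!
! WEAK (same construct as the existing outbound-policy): 'bandwidth' is a
! CBWFQ minimum guarantee in kbps. The class may still take every spare bit
! of the 100 Mbit/s FastEthernet; nothing is dropped above 5000 kbps.
policy-map outbound-guarantee-only
 class cap-to-247-net
  bandwidth 5000
!
! CORRECTED: 'police' puts a ceiling on the class. Rate is in bps, bursts in
! bytes. Normal burst follows the usual CAR sizing rate/8 * 1.5 s = 937500
! bytes, extended burst is twice that; these values are assumptions.
policy-map outbound-policy
 class cap-to-247-net
  police 5000000 937500 1875000 conform-action transmit exceed-action drop violate-action drop
 class class-default
  fair-queue
!
! Apply outbound on the 12 Mb/s uplink. An interface takes a single
! outbound service-policy, so this replaces the existing one.
interface FastEthernet0/1
 service-policy output outbound-policy
!
! Check with: show policy-map interface FastEthernet0/1
! Under load the 'exceeded' counter of the police line should start to
! climb once the offered rate for the class passes 5 Mb/s; a class whose
! drop rate stays at 0 bps while the offered rate is above the limit is not
! being capped.
```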

mlund
Level 7

Hi Shibu

From your "show running"

interface FastEthernet0/1
description_ILL_12Mbps
ip address 94.200.*.* 255.255.255.248
rate-limit output access-group 100 6000000 30000 30000 conform-action transmit exceed-action

it's configured to drop above 6M

from "RTR2800-1#sh int fastEthernet 0/1 rate-limit"

FastEthernet0/1 Du_ILL_12Mbps
  Output
    matches: access-group 100
      params:  6000000 bps, 30000 limit, 30000 extended limit
      conformed 82486 packets, 98363983 bytes; action: transmit
      exceeded 92 packets, 124840 bytes; action: drop

it states conformed 82486 packet and 92 packets dropped due to exceed, so it looks like your rate-limiting is working.

/Mikael