Hi. I've been trying to get policing to work in my environment, but to no avail. For the sake of context, I'll describe my network. I have 1 50MB Synchronous WAN connection that is shared among the various VLANs of my facility. I have 5 VLANs: CORP, VLAN10, VLAN20, VLAN30, and VLAN40. VLANs 10 through 40 represent classrooms, for which the WAN bandwidth should be limited to no more than 30Mbps total (i.e. 30Mbps to be shared between those 4 VLANs). The CORP VLAN must have a dedicated 20Mbps that will not be affected by fluctuations in the bandwidth of the other 4 VLANs. I have ACLs which prevent access from VLANs 10 through 40 into the CORP VLAN. I want to allow inter-VLAN communication between VLANs 10 through 40.

All of these configs are done on a single 2841 router with 2 gigabit ports (g0/0 and g0/1). There are subinterfaces configured on g0/1 for each of the VLANs. g0/0 is the WAN port.

The goal I want to achieve is that there be a total of 30Mbps of WAN bandwidth to be shared among the 4 classroom VLANs (i.e. they should compete for it based on demand) and 20Mbps of dedicated WAN bandwidth for the CORP VLAN. I do not want to limit bandwidth between VLANs 10 through 40, but they must not be able to communicate with the CORP VLAN.

The router is currently in operation in my production environment, and there is working WAN connectivity for all VLANs, but the policing elements of the config do not seem to be doing anything. I will post my current running config (omitting public IP address, of course, for security). I hope that the members of this forum can assist. Thanks!

Here's the config:

AcademyRouterCore(config)#do show run
Building configuration...

Current configuration : 4003 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AcademyRouterCore
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
class-map match-all CORP
 match input-interface GigabitEthernet0/1
class-map match-all VLAN40
 match input-interface GigabitEthernet0/1
class-map match-all VLAN10
 match input-interface GigabitEthernet0/1
class-map match-all VLAN30
 match input-interface GigabitEthernet0/1
class-map match-all VLAN20
 match input-interface GigabitEthernet0/1
!
!
policy-map VLAN40
 class VLAN40
  police cir 30000000
   conform-action transmit
   exceed-action set-qos-transmit 5
   violate-action drop
policy-map VLAN10
 class VLAN10
  police cir 30000000
   conform-action transmit
   exceed-action set-qos-transmit 5
   violate-action drop
policy-map VLAN30
 class VLAN30
  police cir 30000000
   conform-action transmit
   exceed-action set-qos-transmit 5
   violate-action drop
policy-map VLAN20
 class VLAN20
  police cir 30000000
   conform-action transmit
   exceed-action set-qos-transmit 5
   violate-action drop
policy-map VLAN1
 class CORP
  police cir 20000000
   conform-action transmit
   exceed-action set-qos-transmit 1
   violate-action drop
!
!
!
!
!
!
interface GigabitEthernet0/0
 description WAN
 ip address *.*.*.* *.*.*.*
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description InternalGateway
 no ip address
 duplex full
 speed 1000
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 service-policy output VLAN1
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 no snmp trap link-status
 service-policy output VLAN10
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.2.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 no snmp trap link-status
 service-policy output VLAN20
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.3.254 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 no snmp trap link-status
 service-policy output VLAN30
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.4.254 255.255.255.0
 ip access-group 104 in
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 no snmp trap link-status
 service-policy output VLAN40
!
ip default-gateway *.*.*.*
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 *.*.*.*
ip route *.*.*.* 255.0.0.0 *.*.*.*
ip route *.*.*.* 255.0.0.0 *.*.*.*
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
access-list 100 remark NAT Permit all
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 remark Deny Classroom1 to CORPORATE
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 remark Deny Classroom2 to CORPORATE
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 remark Deny Classroom3 to CORPORATE
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 remark Deny Classroom4 to CORPORATE
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip any any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 no login
 transport input none
!
scheduler allocate 20000 1000
!
end
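An added example, not part of the original post: a first-match evaluator for the posted access lists 101 to 104, useful for checking which flows the classroom-to-CORP isolation described above actually filters. The function names (`parse_acls`, `verdict`, and the helpers) and the host addresses used to exercise it are assumptions made for illustration; only `permit|deny ip` entries with `any` or address/wildcard pairs are modelled.

```python
import ipaddress

# ACL entries copied from the posted running config (remark lines left out).
ACL_TEXT = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip any any
"""
# Inbound access-group per subinterface in that config; Gi0/1.1 (CORP) has none.
INBOUND = {"Gi0/1.1": None, "Gi0/1.10": "101", "Gi0/1.20": "102",
           "Gi0/1.30": "103", "Gi0/1.40": "104"}

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_spec(tokens):
    """Pop 'any' or 'A WILDCARD' from tokens and return (addr, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return to_int(first), to_int(tokens.pop(0))

def parse_acls(text):
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            rest = t[4:]
            acls.setdefault(t[1], []).append((t[2], take_spec(rest), take_spec(rest)))
    return acls

def hit(addr, spec):
    base, wild = spec          # wildcard bits set to 1 are "don't care"
    return (to_int(addr) | wild) == (base | wild)

def verdict(acls, ingress, src, dst):
    """First-match evaluation of the inbound ACL applied on `ingress`."""
    name = INBOUND[ingress]
    if name is None:
        return "permit"        # no access-group: nothing is filtered
    for action, s, d in acls[name]:
        if hit(src, s) and hit(dst, d):
            return action
    return "deny"              # implicit deny ends every ACL
```

Run against constructed hosts, `verdict(parse_acls(ACL_TEXT), "Gi0/1.10", "192.168.1.25", "192.168.0.10")` returns `deny`, while classroom-to-classroom and classroom-to-Internet flows return `permit`. Each deny entry is keyed to its VLAN's own source range, so a packet arriving on Gi0/1.10 with a source outside 192.168.1.0/24 falls through to `permit ip any any`; writing the entry as `deny ip any 192.168.0.0 0.0.0.255` removes that dependency.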
Hello. My company is comprised of 15 employees, with a network that spans several classrooms, which can represent a total of 100 computers which would be accessing the internet at once. Up until now, we have not had to manage the bandwidth, as our office network has been on a T1 line, and our classrooms have each had their own DSL lines. However, my company is now moving to consolidate our telecoms by condensing all of the connectivity in our facility into a single 25Mbps fiber line. As such, I need to establish a method for controlling how much bandwidth each physical segment of the network consumes. We already use VLANs (8 of them) to manage the connectivity for the various segments across our switches. I know that I want to do policing rather than rate-limiting (less memory consumption), but I wanted to gather ideas on which model of router I should purchase to accomplish this. Would an 800 series router be enough for this (and if so, which one in particular) or should I go with an 1800-1900 series?