MIXIT01 asked:
Bandwidth Limiting on Catalyst 3550

I'm currently using a Catalyst 3550 as my primary switch and router, sitting behind a PIX 515E firewall. Here's a quick network diagram.

http://209.11.40.97/NetworkDiagram.jpg

I'm looking to limit the inbound and outbound bandwidth utilization of all Internet traffic to 1Mbps. I realize the PIX really can't do this, so I was thinking of using class-maps and policy-maps on the 3550, on the interface connecting to the PIX, in order to achieve this.

The problem that I'm running into is that the IOS is not allowing me to assign both an input AND an output service-policy to a single interface. At first I tried to use a single policy-map for both the input and output service-policies; I then tried configuring two separate policy-maps, and that still did not work. The first service-policy I assign shows up under the config for the interface; when I try to assign a second service-policy, the IOS accepts the command, returning no errors, but it does not show up in a "show run".

Any input or suggestions as to what I'm doing wrong, or how I could accomplish limiting the bi-directional bandwidth differently, are greatly appreciated. Please see the current running-config and show version of the 3550 below.

Switch#show running-config
Building configuration...

Current configuration : 5251 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret 5 **********************
enable password 7 **********************
!
username User1 privilege 15 password 7 **********************
username User2 privilege 3 password 7 **********************
ip subnet-zero
ip routing
!
!
class-map match-all ClassOut
  match access-group 102
class-map match-all ClassIn
  match access-group 101
!
!
policy-map InternetIn
  class ClassIn
    police 1000000 65536 exceed-action drop
policy-map InternetOut
  class ClassOut
    police 1000000 65536 exceed-action drop
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 no switchport
 no ip address
!
interface FastEthernet0/2
 description Link to PIX515
 switchport mode dynamic desirable
 no ip address
 service-policy input InternetIn
!
interface FastEthernet0/3
 switchport mode dynamic desirable
 no ip address
!
interface FastEthernet0/4
 switchport mode dynamic desirable
 no ip address
!
!
!
!
interface FastEthernet0/48
 switchport mode dynamic desirable
 no ip address
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
 no ip address
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
 no ip address
!
interface Vlan1
 description Internal VLAN
 ip address 192.168.1.1 255.255.255.0
!
ip default-gateway 192.168.1.2
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
no ip http server
!
!
access-list 101 permit tcp any any
access-list 102 permit tcp any any
!
line con 0
line vty 0 4
 password 7 **********************
line vty 5 15
 password 7 **********************
!
end
Switch#show version
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(19)EA1c, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Tue 03-Feb-04 04:47 by yenanh
Image text-base: 0x00003000, data-base: 0x0069B5C0

ROM: Bootstrap program is C3550 boot loader

MIXIT_Switch uptime is 2 days, 21 hours, 38 minutes
System returned to ROM by power-on
System image file is "flash:c3550-i9q3l2-mz.121-19.EA1c/c3550-i9q3l2-mz.121-19.EA1c.bin"

cisco WS-C3550-48 (PowerPC) processor (revision L0) with 65526K/8192K bytes of memory.
Processor board ID CAT0812X0WX
Last reset from warm-reset
Running Layer2/3 Switching Image

Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface

Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface

48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

The password-recovery mechanism is enabled.
384K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0F:8F:E9:63:80
Motherboard assembly number: 73-5701-09
Power supply part number: 34-0967-02
Motherboard serial number: CAT08120A28
Power supply serial number: LIT080602QF
Model revision number: L0
Motherboard revision number: A0
Model number: WS-C3550-48-SMI
System serial number: CAT0812X0WX
Configuration register is 0x10F

Don Johnston:

Why bother limiting the traffic inbound? To really accomplish anything, you need to do it outbound, so you would probably need to do that on the inside interface of the switch AND the 3550 interface connecting to the PIX.

-Don
Oops! I meant the inside interface of the PIX and the 3550 interface connecting to the PIX.

-Don
My philosophy on this is to use the most appropriate tool for the job.
Switches were designed for one purpose - to pass packets as fast as they can. That's why you bought the switches. L3 routing services on top of the switching engine make a very fast (though limited) router. - You have the best tool for this.
The PIX was designed as a firewall for one purpose - to block packets that you don't want. You have the best tool for this.

Now, trying to police user actions and to control user behavior using tools that were not designed for that mission is like putting a square peg in a round hole. Get a big enough hammer and it will work, but it won't be pretty. The hole won't be square any more and the peg won't be round. You'll get something unrecognizable.

There are appliances, devices, and servers that are specifically designed to control user behavior which includes bandwidth limiting. Most any Proxy server (Microsoft ISA and others), or other appliance like iPrism or software like WebSense will do a much better job of what you really want to accomplish.

If 90% of the traffic is download, not upload, then concentrate on only limiting output instead of input on the interface connected to the PIX.

MIXIT01 (asker):
lrmoore: I understand what you're saying, and I couldn't agree with you more.  

Unfortunately, I have to come up with a solution with the materials I have on hand right now (no budget for MS ISA, etc). On top of that, the traffic is going to be about equal for upload and download, which is why I really need to limit both. The situation that I'm in is that this equipment is currently in a Co-Lo, and they provide an ethernet link for the internet services. This is connected to the outside port on the PIX. The Co-Lo company will not provide anything less than a 10mbit connection, but only charge for the bandwidth that is used. The primary service on this link is email, so a huge pipe is not required, and, understandably, they don't want to pay for 10mbit of throughput when 1mbit will suffice.

donjohnston: Is there a way to limit the bandwidth on a PIX interface? I did some research, and I don't believe that there is. If you know of a way I would be interested in hearing it.

Thanks
Cisco's documentation is pretty clear that you are *supposed* to be able to assign an input and an output policy to any physical interface.  I can't find anything to indicate that overlapping class definitions should be a problem, and I can't see anything else wrong with your config.

Have you tried opening a case with the Cisco TAC?

MIXIT01 (asker):
Unfortunately no, I haven't opened a TAC case.  My company opted not to spring the extra $ for the support package, so I don't have access to TAC.
Here's the Cisco documentation:

Error Message: QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in class map [chars].

Explanation: This message means that an unsupported match class-map configuration command was configured in a policy map and attached to an egress interface, or that more than one match command was configured. This is a hardware limitation. [chars] is the class-map name.

Recommended Action: Reconfigure the class map or the policy map. Use only the match ip dscp dscp-list class-map configuration command in a policy map that is attached to an egress interface. Only one match per class map is supported.

I've rounded up a 3550 with EMI software that I can tinker with... stay tuned....
MIXIT01 (asker):
Thanks lrmoore,

I've been doing a bunch of research on my own as well, and found that because I was using the ACL on the egress interface, the output service-policy was failing, since ACL matches are not supported on egress interfaces.

Here is the most recent config with both input and output service-policies applied to the interface. Unfortunately, though, when I do a bandwidth test from the application server (both sending and receiving a file via FTP over the Internet), the bandwidth is not being limited. I'm not sure what I'm still doing wrong, so any further assistance would be appreciated.

The config is the same except for the parts listed below:

class-map match-any ClassOut
  match any
class-map match-any ClassIn
  match any
!
!
policy-map InternetIn
  class ClassIn
    police 1000000 65536 exceed-action drop
policy-map InternetOut
  class ClassOut
    police 1000000 65536 exceed-action drop
!
!
interface FastEthernet0/2
 description Link to PIX515
 switchport mode dynamic desirable
 no ip address
 service-policy input InternetIn
 service-policy output InternetOut

The match any statements in the class-maps should specify that all traffic is affected. You will also notice that the interface now has both input and output service-policies applied. Unfortunately, it does not seem to be working.

Here are the results of the FTP test from my PC here to the application server.

Upload
Transferred 1 file totaling 15,000,000 bytes in 37.81 (395.90 KBps)

Download
Transferred 1 file totaling 15,000,000 bytes in 20.34 (722.24 KBps)

As you can see, it is definitely not being limited to 1Mbps.  I had also changed the police statement to the minimum allowed values (8000 = 8Kbps) and the FTP test yielded the same results.  So it seems for some reason either the class-maps are not hitting properly or it's not being applied correctly to the interface.

Any ideas?
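As an added example, not code from anyone in this thread: a small Python lint over an IOS running-config that flags two things that keep a 3550 policy-map from policing. The first is the hardware limit quoted above from the Cisco documentation (an egress class-map may only match ip dscp, so an ACL-matching class in an output service-policy does not apply); the second is the global mls qos command, which the 3550 needs before any policy-map polices traffic at all. That second point is a known 3550 requirement and is not mentioned anywhere in the thread. The sample config is constructed from the asker's first posting, and SAMPLE_CONFIG, parse_blocks and lint_qos are names chosen here.

```python
import re
# Constructed sample: the asker's first config from the thread, with the output policy added.
SAMPLE_CONFIG = """\
class-map match-all ClassOut
  match access-group 102
class-map match-all ClassIn
  match access-group 101
policy-map InternetIn
  class ClassIn
    police 1000000 65536 exceed-action drop
policy-map InternetOut
  class ClassOut
    police 1000000 65536 exceed-action drop
interface FastEthernet0/2
 service-policy input InternetIn
 service-policy output InternetOut
"""

def parse_blocks(config):
    # Split an IOS config into (header, child_lines) pairs using indentation.
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks

def lint_qos(config):
    # Return findings that would stop a 3550 policy-map from policing traffic.
    blocks = parse_blocks(config)
    class_maps = {h.split()[-1]: kids for h, kids in blocks if h.startswith("class-map")}
    policy_maps = {h.split()[-1]: [k.split()[1] for k in kids if k.startswith("class ")]
                   for h, kids in blocks if h.startswith("policy-map")}
    findings = []
    # 3550 QoS is disabled by default; without global 'mls qos' no policer takes effect.
    if "mls qos" not in [h for h, _ in blocks]:
        findings.append("global: 'mls qos' missing, policy-maps will not police")
    for header, kids in (b for b in blocks if b[0].startswith("interface ")):
        for m in filter(None, (re.match(r"service-policy (input|output) (\S+)", k) for k in kids)):
            direction, pmap = m.groups()
            for cname in policy_maps.get(pmap, []):
                matches = class_maps.get(cname, [])
                # Hardware limit quoted in the thread: egress classes may only match ip dscp.
                if direction == "output" and any(x.startswith("match access-group") for x in matches):
                    findings.append(f"{header}: egress class {cname} matches an ACL (unsupported)")
    return findings
```

Running lint_qos(SAMPLE_CONFIG) reports both findings; adding mls qos and changing ClassOut to a match ip dscp class clears them.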
SOLUTION (Les Moore): available to members only.

ASKER CERTIFIED SOLUTION: available to members only.
We need a bigger hammer....

Try a poor man's control -- use interface storm-control unicast set at 1% bandwidth of 100Mb ?
Any updates for us? I have not had much luck with my 3550, either.
I haven't had a chance to try the storm-control yet.  Was doing some research on it first.  Not really sure that it will do what I'm looking for it to do.

I plan on trying it out this weekend if I can't get to it this week.  I'll keep you updated.

Thanks!
Do you need more information?
Have you resolved this problem?
Can you close this question?
Thanks!
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

RECOMMENDATION: Split points between lrmoore & Javic

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

donjohnston
EE Cleanup Volunteer