Solved

Traffic Shaping on a 7206VxR or 3640

Posted on 2001-06-15
Last Modified: 2012-05-04
Any Help is Appreciated:

I am currently using a Cisco 7206VxR and a Cisco 3640 router.  I am wanting to know how to use the Traffic Shaping capabilities to limit bandwidth coming in/out of certain IP addresses and subnets behind this router.  Everything uses real IP addresses, and I want to ensure that certain clients that run servers on the network stay within their allotted bandwidth.  I currently monitor everything with MRTG to keep an eye on things, but that doesn't stop someone from sucking the pipe dry if they choose to; it only lets me know it happened, and doesn't actually limit or stop this activity.  Now, I would guess from what I have read that this uses access lists or something similar.  Can anyone help me out or provide me with good documentation?  I have already searched Cisco's website and Experts Exchange for a good answer and I have yet to find one.  Thanks in advance.

-Robert
Question by:KS_Robert

Expert Comment

by:lrmoore
ID: 6198168
You might want to look at CAR instead of traffic shaping:

http://www.cisco.com/warp/public/732/Tech/car/

If you want to use Traffic Shaping:
Ethernet 0 is configured to limit specific traffic to/from the network that you want to constrain to 1 Mbps.

access-list 101 permit ip any <constrained network>
access-list 101 permit ip <constrained network> any

interface Ethernet0
 traffic-shape group 101 1000000 125000 125000

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart4/qcgts.htm#14630

Author Comment

by:KS_Robert
ID: 6198595
Okay,

I am getting the hang of it now.  Answer me another follow up here and we'll be done.

What is the syntax for the following?  I have a 3640 router and the internet backbone is on a serial sub interface, for instance, serial0/0.1, and the ethernet is on ethernet0/0, which is plugged into a Cisco switch where the client is plugged into as well.  Now, let's say their IP range is 192.168.0.32/28 or a 255.255.255.240 subnet.  I want to limit them to 256k and not have any burst or anything.  But also, I'd like to know how to allow for a burst if possible.  And if you can, explain each part of the commands so I can hopefully do this on my own.  Thanks for the quick response.

-Robert

Expert Comment

by:lrmoore
ID: 6198623
On the interface, determine the traffic shape rate. No burst, no excess burst capability at all, and identify the access-list that will determine what traffic is limited:

interface Ethernet0/0
 traffic-shape group 101 256000
!

! Now set up the traffic to permit traffic from anyone to the 192.168.0.32 network and all traffic from that network to anyone else. Any packets matching this will be reduced to 256k
!
access-list 101 permit ip any 192.168.0.32 255.255.255.240
access-list 101 permit ip 192.168.0.32 255.255.255.240 any


I assume that you have this already in your config:
!
ip subnet-zero
!
That should do it!


Author Comment

by:KS_Robert
ID: 6200785
Thanks for the help.  One more quick question:

When using the access-list command and then putting a number after it to make it unique, such as 101, can you have several lines with 101 to have a very complex rule?  Also, is it a good idea to start at 100 or 101 and what increments can you use?  What are your tips on this?

Thanks,
Robert

Accepted Solution

by:
lrmoore earned 300 total points
ID: 6200833
Access list numbering is based on whether or not it is a standard list or an extended list, and the protocol. Examples:

Standard IP 1-99
Extended IP 100-199
AppleTalk 600-699
Standard IPX 800-899
Extended IPX 900-999
Novell SAP 1000-1099

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scacls.htm

Yes, you can get quite creative with the extended access lists. Some other references:
http://www.sans.org/infosecFAQ/firewall/blocking_cisco.htm
http://www.pasadena.net/cisco/secure.html
http://www.nwc.com/907/907ws1.html




Author Comment

by:KS_Robert
ID: 6200846
Thanks so much for clearing this up and making it easy to understand.  Much Appreciated.
-Robert

Expert Comment

by:lrmoore
ID: 6200851
Glad to help!

Author Comment

by:KS_Robert
ID: 6375695
lrmoore,

I know it has been 2 months since this question was closed, but I hadn't had a chance to actually try this out yet.  I am having some issues:

When I try and use access lists, I am able to issue all the correct commands:

access-list 101 permit ip any 192.168.0.32 255.255.255.240
access-list 101 permit ip 192.168.0.32 255.255.255.240 any

and it takes them without any problem, but once I end config mode and write memory, and do a show config, my lines show up like this:

access-list 101 permit ip any 0.0.0.0 255.255.255.240
access-list 101 permit ip 0.0.0.0 255.255.255.240 any

I have tried lots of different IP ranges and all of them do this, it just converts them to zeros or at least that's what is showing up.  Do you have any thoughts on this?  

Thanks,
Robert

Expert Comment

by:svettolev
ID: 6941424
You are using wildcard bits, not IP and Mask.
Sample:
194.145.63.192 0.0.0.7 - this means addresses from 194.145.63.192 to 194.145.63.199

Format is: first IP, reversed netmask.
0.0.0.7 is equal to netmask: 255.255.255.248.

0
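The wildcard behaviour described in the comment above, as an added example that is not part of the original thread: it inverts a netmask into a wildcard, reproduces the zeroed entry shown in the earlier post, and checks which addresses each form of the entry would classify. The function names and the sample packet addresses are constructed for illustration, and the read-back model (bits the wildcard ignores are stored as zero) is an assumption inferred from the output quoted in the thread.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def netmask_to_wildcard(netmask):
    """Invert a subnet mask: 255.255.255.240 -> 0.0.0.15."""
    return to_dotted(to_int(netmask) ^ ALL_ONES)

def stored_ace(address, wildcard):
    """Model of the read-back entry: every bit the wildcard marks as
    "don't care" (1) is zeroed in the address. Assumption inferred from
    the 0.0.0.0 255.255.255.240 output quoted in the thread."""
    care = to_int(wildcard) ^ ALL_ONES
    return to_dotted(to_int(address) & care), wildcard

def ace_matches(packet_ip, address, wildcard):
    """A packet address matches when it agrees with the entry on every
    bit where the wildcard is 0."""
    care = to_int(wildcard) ^ ALL_ONES
    return (to_int(packet_ip) & care) == (to_int(address) & care)

def matching_range(address, wildcard):
    """First and last address for a contiguous wildcard such as 0.0.0.7."""
    base = to_int(address) & (to_int(wildcard) ^ ALL_ONES)
    return to_dotted(base), to_dotted(base | to_int(wildcard))

if __name__ == "__main__":
    net, mask = "192.168.0.32", "255.255.255.240"
    wildcard = netmask_to_wildcard(mask)
    print("entry as typed with netmask:", stored_ace(net, mask))
    print("entry with wildcard        :", stored_ace(net, wildcard))
    print("range covered              :", matching_range(net, wildcard))
    # Constructed sample addresses: two clients in the /28, one neighbour
    # just outside it, and one unrelated host whose last four bits are 0.
    for ip in ("192.168.0.33", "192.168.0.47", "192.168.0.48", "10.9.8.16"):
        print(ip,
              "netmask-form:", ace_matches(ip, net, mask),
              "wildcard-form:", ace_matches(ip, net, wildcard))
```

With the netmask typed where the wildcard belongs, the entry compares only the last four bits of the address, so the intended client at 192.168.0.33 is not shaped while an unrelated host such as 10.9.8.16 is.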
