Miki18
asked on
How do I apply internet bandwidth restrictions on cisco router?
Hello
I have a problem with configuration of my Cisco router 1812 (2x Wan 8X Lan 1x bri IOS 12.4)
I don't know where to start...
I use 2 vlans (1 and 2) and ADSL internet access trough pppoe on Wan port 0 (Fe0).
Vlan 1 is applyed to interfaces Fa2-5
Vlan 2 is applyed to interfaces Fa6-9
My internet connection allows 4096/512 kbits/s.
I Would like to devide this bandwidth betwen two vlans in this shape:
VLAN 1 gets 1024/128 kbits/s - this bandwidth must be guaranteed
VLAN 2 gets 3072/384 kbits/s (the rest of available bandwidth)
Please give some pointers on shaping this trafic trough my router.
It doesnt matter if the shaping is in kbits or % (25% and 75%).
I would prefer applaying policies on vlan inerface (1 and 2) than to Lan Fe (2-9) interfaces,
because I will use wireless AP with trunk line in the future.
Please help me with this
Thank you
Marko
P.S.
Running config is listed in next post.
I have a problem with configuration of my Cisco router 1812 (2x Wan 8X Lan 1x bri IOS 12.4)
I don't know where to start...
I use 2 vlans (1 and 2) and ADSL internet access trough pppoe on Wan port 0 (Fe0).
Vlan 1 is applyed to interfaces Fa2-5
Vlan 2 is applyed to interfaces Fa6-9
My internet connection allows 4096/512 kbits/s.
I Would like to devide this bandwidth betwen two vlans in this shape:
VLAN 1 gets 1024/128 kbits/s - this bandwidth must be guaranteed
VLAN 2 gets 3072/384 kbits/s (the rest of available bandwidth)
Please give some pointers on shaping this trafic trough my router.
It doesnt matter if the shaping is in kbits or % (25% and 75%).
I would prefer applaying policies on vlan inerface (1 and 2) than to Lan Fe (2-9) interfaces,
because I will use wireless AP with trunk line in the future.
Please help me with this
Thank you
Marko
P.S.
Running config is listed in next post.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hello BarnyRichley,
Thank you for your help.
I could limit the transfer rate. I used these lines on interface VLAN 1:
!
rate-limit output access-group 110 1000000 16000 24000 conform-action transmit exceed-action drop
rate-limit input access-group 110 128000 16000 24000 conform-action transmit exceed-action drop
!
access-list 110 permit ip any any
Speed limit on VLAN1 is now OK (1M / 128 kb/s), but if I try downloading on VLAN2 the bandwidth on VLAN1 falls under 1M / 128 kb/s.
Is there any way to also guarantee speed this speed (1M / 128 kb/s) on VLAN1?
Thank you for your help.
I could limit the transfer rate. I used these lines on interface VLAN 1:
!
rate-limit output access-group 110 1000000 16000 24000 conform-action transmit exceed-action drop
rate-limit input access-group 110 128000 16000 24000 conform-action transmit exceed-action drop
!
access-list 110 permit ip any any
Speed limit on VLAN1 is now OK (1M / 128 kb/s), but if I try downloading on VLAN2 the bandwidth on VLAN1 falls under 1M / 128 kb/s.
Is there any way to also guarantee speed this speed (1M / 128 kb/s) on VLAN1?
its probably because your bandwidth is contended on the WAN interface. Maybe the best way, is to do the rate limiting on the WAN interface, rather than the VLAN's (i overlooked the part that you were connecting to an ADSL modem)
So, say you had a 10Mb line, and you want to guarantee 1Mb to VLAN1, i would guarantee 2Mb just to be sure (to allow for contention etc).
So your access list would be set up to rate limit VLAN2 to 8Mb and you would apply it to the WAN interface.
So:
access-list 130 deny 192.168.100.0 0.0.0.255 any
access-list 130 deny any 192.168.100.0 0.0.0.255
access-list 130 permit ip any any
then on the WAN interface:
rate-limit input access-group 130 8000000 16000 24000 conform-action transmit exceed-action drop
rate-limit output access-group 130 8000000 16000 24000 conform-action transmit exceed-action drop
Hope this helps.
Barny.
So, say you had a 10Mb line, and you want to guarantee 1Mb to VLAN1, i would guarantee 2Mb just to be sure (to allow for contention etc).
So your access list would be set up to rate limit VLAN2 to 8Mb and you would apply it to the WAN interface.
So:
access-list 130 deny 192.168.100.0 0.0.0.255 any
access-list 130 deny any 192.168.100.0 0.0.0.255
access-list 130 permit ip any any
then on the WAN interface:
rate-limit input access-group 130 8000000 16000 24000 conform-action transmit exceed-action drop
rate-limit output access-group 130 8000000 16000 24000 conform-action transmit exceed-action drop
Hope this helps.
Barny.
ASKER
I tried to apply your last suggestion on Wan port. There was no efect.
I tried to apply this on Dialer0 interface and/or Fastethernet 0 interface.
I don't know what I did wrong...
Temporary solution that I am using now is applyig restrictions on both Vlan1 and Vlan2.
Example Vlan1 1M incoming and 128 kb/s outgoing and Vlan2 3M / 384.
But there is a problem with our ADSL lines. The bandwidth is not alwas guaranteed.
So it tends to drop from 4M/512 to 3M or lower, but in that case I don't have 1M guaranteed speed on Vlan1.
Is there any way to provide fixed 1M speed even if wan speed drops?
Do you have any other suggestion.
Thank you
I tried to apply this on Dialer0 interface and/or Fastethernet 0 interface.
I don't know what I did wrong...
Temporary solution that I am using now is applyig restrictions on both Vlan1 and Vlan2.
Example Vlan1 1M incoming and 128 kb/s outgoing and Vlan2 3M / 384.
But there is a problem with our ADSL lines. The bandwidth is not alwas guaranteed.
So it tends to drop from 4M/512 to 3M or lower, but in that case I don't have 1M guaranteed speed on Vlan1.
Is there any way to provide fixed 1M speed even if wan speed drops?
Do you have any other suggestion.
Thank you
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you Barny.
Combination of first and last solution helped me with my problem.
Sorry for the delay with grading. I was out of the country and couldn't
test your suggestions.
I have one more question.
What would I have to do on a router for public E-point (free access for all) with 3 VLANs (two of them are on wireless one is connected to 4 PCs)
I would like for all clients (wireless or lan) to have same bandwidth (fair-queue) on input and output.
Internet connection is ADSL 4096 / 768. What policies would I have to apply and on which interfaces?
Wan is Dialer0 on Fe0
LAN is VLAN1, VLAN2, VLAN3 on Fe 1,2,3
Thank you
Marko
Combination of first and last solution helped me with my problem.
Sorry for the delay with grading. I was out of the country and couldn't
test your suggestions.
I have one more question.
What would I have to do on a router for public E-point (free access for all) with 3 VLANs (two of them are on wireless one is connected to 4 PCs)
I would like for all clients (wireless or lan) to have same bandwidth (fair-queue) on input and output.
Internet connection is ADSL 4096 / 768. What policies would I have to apply and on which interfaces?
Wan is Dialer0 on Fe0
LAN is VLAN1, VLAN2, VLAN3 on Fe 1,2,3
Thank you
Marko
ASKER
!-------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO 1812
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 abc123
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool 100 (DHCP ON VLAN2)
network 192.168.100.0 255.255.255.0
dns-server 193.189.160.13
default-router 192.168.100.1
!
ip dhcp pool 10 (DHCP ON VLAN1)
network 192.168.10.0 255.255.255.0
dns-server 193.189.160.13
default-router 192.168.10.1
!
no ip domain lookup
ip domain name XXXXXX.com
!
username user1 privilege 15 secret 5 abc123
!
interface FastEthernet0 (Connection to ADSL MODEM)
description $ETH-WAN$
no ip address
ip mask-reply
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet1
no ip address
ip mask-reply
shutdown
duplex auto
speed auto
!
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
switchport access vlan 2
!
interface FastEthernet7
switchport access vlan 2
!
interface FastEthernet8
switchport access vlan 2
!
interface FastEthernet9
switchport access vlan 2
!
interface Vlan1
description LAN1
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
ip mask-reply
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Vlan2
description LAN2
ip address 192.168.100.1 255.255.255.0
ip access-group 102 in
ip mask-reply
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
description "ADSL DIALER"
ip address negotiated
ip access-group 100 in
ip mask-reply
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname user1
ppp chap password 7 password1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.10.0 0.0.0.255 (NAT)
access-list 1 permit 192.168.100.0 0.0.0.255 (NAT)
access-list 100 deny ip any any log (restrictions on WAN)
access-list 101 PERMIT ip any any (permit all on vlan1)
access-list 102 PERMIT ip any any (permit all on vlan2)
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!