Solved

How do I apply internet bandwidth restrictions on cisco router?

Posted on 2007-12-01
Last Modified: 2010-04-21
Hello

I have a problem with configuration of my Cisco router 1812 (2x Wan 8X Lan 1x bri IOS 12.4)
I don't know where to start...

I use 2 vlans (1 and 2) and ADSL internet access through pppoe on Wan port 0 (Fe0).
Vlan 1 is applied to interfaces Fa2-5
Vlan 2 is applied to interfaces Fa6-9
My internet connection allows 4096/512 kbits/s.

I would like to divide this bandwidth between two vlans in this shape:

VLAN 1 gets 1024/128 kbits/s - this bandwidth must be guaranteed
VLAN 2 gets 3072/384 kbits/s  (the rest of available bandwidth)

Please give some pointers on shaping this traffic through my router.
It doesn't matter if the shaping is in kbits or % (25% and 75%).
 
I would prefer applying policies on vlan interface (1 and 2) than to Lan Fe (2-9) interfaces,
because I will use wireless AP with trunk line in the future.
 
Please help me with this
Thank you
Marko

P.S.
Running config is listed in next post.
Question by:Miki18
 
LVL 2

Author Comment

by:Miki18
ID: 20387724
!This is the running config of the router: 192.168.10.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO 1812
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 abc123
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool 100  (DHCP ON VLAN2)
   network 192.168.100.0 255.255.255.0
   dns-server 193.189.160.13
   default-router 192.168.100.1
!
ip dhcp pool 10   (DHCP ON VLAN1)
   network 192.168.10.0 255.255.255.0
   dns-server 193.189.160.13
   default-router 192.168.10.1
!
no ip domain lookup
ip domain name XXXXXX.com
!
username user1 privilege 15 secret 5 abc123
!
interface FastEthernet0  (Connection to ADSL MODEM)
 description $ETH-WAN$
 no ip address
 ip mask-reply
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 ip mask-reply
 shutdown
 duplex auto
 speed auto
!
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
 switchport access vlan 2
!
interface FastEthernet7
 switchport access vlan 2
!
interface FastEthernet8
 switchport access vlan 2
!
interface FastEthernet9
 switchport access vlan 2
!
interface Vlan1
 description LAN1
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in
 ip mask-reply
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Vlan2
 description LAN2
 ip address 192.168.100.1 255.255.255.0
 ip access-group 102 in
 ip mask-reply
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 description "ADSL DIALER"
 ip address negotiated
 ip access-group 100 in
 ip mask-reply
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname user1
 ppp chap password 7 password1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.10.0 0.0.0.255   (NAT)
access-list 1 permit 192.168.100.0 0.0.0.255  (NAT)

access-list 100 deny   ip any any log (restrictions on WAN)

access-list 101 PERMIT   ip any any (permit all on vlan1)
access-list 102 PERMIT   ip any any (permit all on vlan2)

dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!


0
 
LVL 2

Accepted Solution

by:
BarnyRitchley earned 500 total points
ID: 20389606
You can apply rate limits based on access list and interface.

I would apply them to the ports, although I think you can apply to VLANs:

 rate-limit input access-group 130 1000000 16000 24000 conform-action transmit exceed-action drop
 rate-limit output access-group 130 1000000 16000 24000 conform-action transmit exceed-action drop

Then your acl should define the traffic to limit.  The above command will limit to 1Mb with a little bursting ability.  Let me know if you need any more info.
0
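Added example (not from the thread or its posters): a token-bucket model of the conform/exceed decision behind the rate-limit line in the answer above, using its 1000000 bit/s rate and 16000-byte normal burst. It is a simplified single-bucket policer; the extended burst (24000) is not modelled, and the function names and test traffic are constructed for this sketch.

```python
# Added illustration: single token-bucket model of the "rate-limit" line above.
# Only the rate and the normal burst are modelled; the extended burst is not.

RATE_BPS = 1_000_000      # first number in the rate-limit command (bits/s)
NORMAL_BURST = 16_000     # second number (bytes): depth of the bucket


def police(packets, rate_bps=RATE_BPS, burst_bytes=NORMAL_BURST):
    """packets: list of (arrival_time_s, size_bytes), sorted by time.
    Returns one 'transmit' or 'drop' decision per packet."""
    tokens = float(burst_bytes)       # bucket starts full
    last = 0.0
    fill = rate_bps / 8.0             # bytes of credit earned per second
    decisions = []
    for t, size in packets:
        # Credit accrues with elapsed time but never beyond the bucket depth.
        tokens = min(burst_bytes, tokens + (t - last) * fill)
        last = t
        if tokens >= size:            # conform-action transmit
            tokens -= size
            decisions.append("transmit")
        else:                         # exceed-action drop
            decisions.append("drop")
    return decisions


def constant_stream(offered_bps, seconds, size=1500):
    """Constructed test traffic: fixed-size packets at a steady offered rate."""
    gap = size * 8 / offered_bps
    return [(i * gap, size) for i in range(int(seconds / gap))]


def achieved_bps(packets, decisions, seconds):
    """Bits per second that passed the policer over the test window."""
    sent = sum(size for (_, size), d in zip(packets, decisions) if d == "transmit")
    return sent * 8 / seconds


if __name__ == "__main__":
    for offered in (500_000, 4_000_000):
        pkts = constant_stream(offered, 10)
        passed = achieved_bps(pkts, police(pkts), 10)
        print(f"offered {offered} bit/s -> passed {passed:.0f} bit/s")
    # 12 back-to-back packets: only what fits in the 16000-byte bucket passes.
    print(police([(0.0, 1500)] * 12))
```

A policer of this kind only caps a class of traffic; it reserves nothing for that class when the uplink itself is congested.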
 
LVL 2

Author Comment

by:Miki18
ID: 20392385
Hello BarnyRitchley,
Thank you for your help.
I could limit the transfer rate. I used these lines on interface VLAN 1:
!
rate-limit output access-group 110 1000000 16000 24000 conform-action transmit exceed-action drop
rate-limit input access-group 110 128000 16000 24000 conform-action transmit exceed-action drop
!
access-list 110 permit ip any any

Speed limit on VLAN1 is now OK (1M / 128 kb/s), but if I try downloading on VLAN2 the bandwidth on VLAN1 falls under 1M / 128 kb/s.
Is there any way to also guarantee this speed (1M / 128 kb/s) on VLAN1?

0
 
LVL 2

Expert Comment

by:BarnyRitchley
ID: 20392602
It's probably because your bandwidth is contended on the WAN interface. Maybe the best way is to do the rate limiting on the WAN interface, rather than the VLANs (I overlooked the part that you were connecting to an ADSL modem).

So, say you had a 10Mb line, and you want to guarantee 1Mb to VLAN1, I would guarantee 2Mb just to be sure (to allow for contention etc).

So your access list would be set up to rate limit VLAN2 to 8Mb and you would apply it to the WAN interface.

So:

access-list 130 deny ip 192.168.100.0 0.0.0.255 any
access-list 130 deny ip any 192.168.100.0 0.0.0.255
access-list 130 permit ip any any

then on the WAN interface:
rate-limit input access-group 130 8000000 16000 24000 conform-action transmit exceed-action drop
rate-limit output access-group 130 8000000 16000 24000 conform-action transmit exceed-action drop

Hope this helps.

Barny.
0
 
LVL 2

Author Comment

by:Miki18
ID: 20399734
I tried to apply your last suggestion on Wan port. There was no effect.
I tried to apply this on Dialer0 interface and/or Fastethernet 0 interface.
I don't know what I did wrong...

The temporary solution that I am using now is applying restrictions on both Vlan1 and Vlan2.
Example Vlan1 1M incoming and 128 kb/s outgoing and Vlan2 3M / 384.
But there is a problem with our ADSL lines. The bandwidth is not always guaranteed.
So it tends to drop from 4M/512 to 3M or lower, but in that case I don't have 1M guaranteed speed on Vlan1.
Is there any way to provide fixed 1M speed even if wan speed drops?
Do you have any other suggestion?

Thank you

0
 
LVL 2

Assisted Solution

by:BarnyRitchley
BarnyRitchley earned 500 total points
ID: 20404491
Yes, you could do it with a QoS policy, but in my experience these don't work as well. Anyway, it will look something like this:

class-map match-all VLAN-CLASS-OUT
  match access-group name VLAN-OUT

class-map match-all VLAN-CLASS-IN
  match access-group name VLAN-IN

policy-map qos-guarantee-vlan-out
  class VLAN-CLASS-OUT
   priority 128
  class class-default
   fair-queue

policy-map qos-guarantee-vlan-in
  class VLAN-CLASS-IN
   priority 1024
  class class-default
   fair-queue


then on the WAN interface:
bandwidth 512  <--[Remember this is *total* actual upstream B/W available]
service-policy output qos-guarantee-vlan-out

on the LAN interface:
bandwidth 4096  <--[Remember this is *total* actual upstream B/W available]
service-policy output qos-guarantee-vlan-in

then add the acls:
ip access-list extended VLAN-OUT
 permit ip a.a.a.a a.a.a.a any
ip access-list extended VLAN-IN
 permit ip any a.a.a.a a.a.a.a

The above will guarantee the bandwidth specified when there is traffic matching the ACL.  Note the priority command in the policy map is where you specify the bandwidth and it is in k (1000k = 1m approx.) and it will queue the rest of the traffic if the bandwidth that is specified in the bandwidth command is gobbled up.

Do bear in mind that it is very difficult to QoS ingress traffic with ADSL.  The above may work well but it will be dependent on the type of traffic consuming the bandwidth etc.  This config will work better if you get yourself an ADSL WIC and do the QoS on the ATM layer.

Hope this helps.

Barny
0
 
LVL 2

Author Closing Comment

by:Miki18
ID: 31415218
Thank you Barny.
Combination of first and last solution helped me with my problem.
Sorry for the delay with grading. I was out of the country and couldn't
test your suggestions.
I have one more question.
What would I have to do on a router for public E-point (free access for all) with 3 VLANs (two of them are on wireless one is connected to 4 PCs)
I would like for all clients (wireless or lan) to have same bandwidth (fair-queue) on input and output.
Internet connection is ADSL 4096 / 768.  What policies would I have to apply and on which interfaces?
Wan is Dialer0 on Fe0
LAN is VLAN1, VLAN2, VLAN3 on Fe 1,2,3

Thank you
Marko
0
