Solved

Cannot get QoS Class Map policing to work

Posted on 2008-11-04
Last Modified: 2010-05-18
I'm trying to get policing to work on my router to limit total bandwidth (both upload and download speeds). Physical configuration is as follows:

Cable Modem > fa0/0 on Cisco 2811 > fa0/1 on Cisco 2811 > Cisco 2950 switch > Client

The line itself is a (best effort) 15/2mbit connection. When doing "bandwidth tests" through either dslreports or speedtest.net I'm still hitting the max as if there were no policers in place.

Below is my current working config. Trying to limit total download speeds to 7.5mbit with a 1mbit burst/buffer, and upload to 1mbit with a 512kB burst/buffer.

Thanks for the help!

LIProuter#sh run
Building configuration...
 
Current configuration : 2916 bytes
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LIProuter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Hbco$5QbX4V.bn4Olgapxc.zjt0
!
username cisco privilege 15 secret 5 $1$WOLq$n6FbjWozgW5dtTW0Ftg2g.
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip dhcp pool LIP
   network 12.2.0.0 255.255.255.0
   default-router 12.2.0.1
   dns-server 12.2.0.1
!
ip dhcp pool SERVER1
   host 12.2.0.1 255.255.255.0
   client-identifier 0100.3048.8f7a.bf
   default-router 12.2.0.2
   dns-server XXXX 4.2.2.2
!
!
ip domain name yourdomain.com
ip name-server XXXXX
ip name-server XXXXX
no ftp-server write-enable
!
!
!
class-map match-all ipclass2
 match access-group 101
class-map match-all ipclass1
 match access-group 101
!
!
policy-map outbound
 class ipclass2
   police 1000000 62500 conform-action transmit  exceed-action drop
policy-map inbound
 class ipclass1
   police 7500000 125000 conform-action transmit  exceed-action drop
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address XXXXX 255.255.255.240
 ip nat outside
 service-policy input outbound
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.2.0.2 255.255.255.0
 ip nat inside
 service-policy input inbound
 duplex auto
 speed auto
 fair-queue
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 XXXXX
ip dns server
ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/0 overload
!
!
access-list 101 permit ip 12.2.0.0 0.0.0.255 any
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use
.
 
For more information about SDM please follow the instructions in the QUICK START
 
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
 
LIProuter#

Question by:thorpez
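The numbers in the question (`police 7500000 125000`) follow the IOS single-rate token-bucket model: the CIR is given in bits per second, the Bc (burst) in bytes, and a packet conforms only if the bucket currently holds at least its own size in tokens. The Python simulation below is an added example, not code from this thread or from Cisco; it models that bucket, converts the "1 Mbit burst" into the 125,000-byte Bc the command actually takes, and shows what a 14.5 Mbit/s download would be cut to once the policy matches. Packet size and offered rates are constructed inputs.

```python
"""Single-rate, two-colour token-bucket policer, the model behind
'police <cir> <bc> conform-action transmit exceed-action drop'.
Added example; units follow the IOS command (cir bits/s, bc bytes)."""


def bc_bytes_for_burst(burst_bits):
    """IOS takes bc in bytes, so a '1 Mbit burst' is 125000 bytes."""
    return burst_bits // 8


class Policer:
    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps          # committed information rate, bits/s
        self.bc_bytes = bc_bytes        # bucket depth, bytes
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last_t = 0.0

    def offer(self, t, size_bytes):
        """Offer one packet of size_bytes at time t (seconds); return its colour."""
        # refill at cir/8 bytes per second since the last packet, capped at bc
        self.tokens = min(self.bc_bytes,
                          self.tokens + (t - self.last_t) * self.cir_bps / 8)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"            # conform-action transmit
        return "exceed"                 # exceed-action drop


def police_stream(policer, pps, size_bytes, seconds):
    """Offer a constant stream and return (conform_bytes, exceed_bytes)."""
    conform = exceed = 0
    for i in range(int(pps * seconds)):
        if policer.offer(i / pps, size_bytes) == "conform":
            conform += size_bytes
        else:
            exceed += size_bytes
    return conform, exceed


def achieved_rate_bps(cir_bps, bc_bytes, offered_bps, seconds=10, size_bytes=1500):
    """Throughput (bits/s) that survives the policer for a constant offered load."""
    pps = offered_bps / 8 / size_bytes
    conform, _ = police_stream(Policer(cir_bps, bc_bytes), pps, size_bytes, seconds)
    return conform * 8 / seconds


if __name__ == "__main__":
    bc = bc_bytes_for_burst(1_000_000)
    # constructed scenario: 14.5 Mbit/s download against the 7.5 Mbit/s policer
    print("bc bytes:", bc)
    print("14.5 Mbit/s offered ->", round(achieved_rate_bps(7_500_000, bc, 14_500_000) / 1e6, 2), "Mbit/s")
    print(" 5.0 Mbit/s offered ->", round(achieved_rate_bps(7_500_000, bc, 5_000_000) / 1e6, 2), "Mbit/s")
```

The achieved rate lands slightly above the CIR because the full bucket (one Bc) is spent at the start of the measurement; a load below the CIR passes untouched.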
5 Comments
 

Accepted Solution

by:
bkepford earned 750 total points
ID: 22881413
Your setup looks fine, except your outbound won't match right. You may want to simplify it if you are trying to rate limit everything, or maybe just HTTP traffic.
access-list 102 permit tcp any any eq 80
access-list 1 permit any
Either way, also remember that if you are NATing, it will check the rate limit before it does the NAT, so your destination IP coming back in has got to be your public one.
Here is a link to the order of operations when it comes to NAT (good thing to bookmark):
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
 

Author Comment

by:thorpez
ID: 22888259
Can you give a more specific example of what exactly you mean? I do want to limit all traffic that goes across the interface not just web.

Looks like I boofed my class mapping in my first config? Went ahead and re-did that. Even when I have rate limiting settings at half a megabit the download test flies to 14.5 or so.

Thanks again.

Author Comment

by:thorpez
ID: 22888300
Made some sort of mistake pasting that config in, here is the correct one.


LIProuter# sh run
Building configuration...
 
Current configuration : 2938 bytes
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LIProuter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Hbco$5QbX4V.bn4Olgapxc.zjt0
!
username cisco privilege 15 secret 5 $1$WOLq$n6FbjWozgW5dtTW0Ftg2g.
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip dhcp pool LIP
   network 12.2.0.0 255.255.255.0
   default-router 12.2.0.1
   dns-server 12.2.0.1 4.2.2.2
!
ip dhcp pool SERVER1
   host 12.2.0.1 255.255.255.0
   client-identifier 0100.3048.8f7a.bf
   default-router 12.2.0.2
   dns-server xxxxxx 4.2.2.2
!
!
ip domain name yourdomain.com
ip name-server xxxx
ip name-server xxxxx
no ftp-server write-enable
!
!
!
class-map match-all ipclass2
 match access-group 101
class-map match-all ipclass1
 match access-group 101
!
!
policy-map outbound
 class ipclass2
  police cir 850000 bc 12500
    conform-action transmit
    exceed-action drop
policy-map inbound
 class ipclass1
  police cir 850000 bc 12500
    conform-action transmit
    exceed-action drop
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address xxxxx 255.255.255.240
 ip nat outside
 service-policy input outbound
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.2.0.2 255.255.255.0
 ip nat inside
 service-policy input inbound
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 6xxxxx
ip dns server
ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/0 overload
!
!
access-list 101 permit ip 12.2.0.0 0.0.0.255 any
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use
.
 
For more information about SDM please follow the instructions in the QUICK START
 
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
 
LIProuter#

 

Author Comment

by:thorpez
ID: 22890421
Got a hold of a Cisco engineer and here is the solution we came up with. One point made was that the access list for NAT and QoS cannot be shared.

Hopefully this helps someone else.


LIProuter#sh run
Building configuration...
 
Current configuration : 3069 bytes
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LIProuter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Hbco$5QbX4V.bn4Olgapxc.zjt0
!
username cisco privilege 15 secret 5 $1$WOLq$n6FbjWozgW5dtTW0Ftg2g.
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip dhcp pool LIP
   network 12.2.0.0 255.255.255.0
   default-router 12.2.0.1
   dns-server 12.2.0.1 4.2.2.2
!
ip dhcp pool SERVER1
   host 12.2.0.1 255.255.255.0
   client-identifier 0100.3048.8f7a.bf
   default-router 12.2.0.2
   dns-server ISP IP 4.2.2.2
!
!
ip domain name yourdomain.com
ip name-server XXX
ip name-server XXx
no ftp-server write-enable
!
!
!
class-map match-all ipclass2
 match access-group 102
class-map match-all ipclass1
 match access-group 101
!
!
policy-map outbound
 class ipclass2
  police cir 1000000 bc 62500
    conform-action transmit
    exceed-action drop
policy-map inbound
 class ipclass1
  police cir 10000000 bc 125000
    conform-action transmit
    exceed-action drop
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address XXXX 255.255.255.240
 ip nat outside
 service-policy input inbound
 service-policy output outbound
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.2.0.2 255.255.255.0
 ip nat inside
 service-policy input inbound
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 XXXX
ip dns server
ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet0/0 overload
!
!
access-list 101 permit ip any host XXXXXXX
access-list 102 permit ip host XXXX any
access-list 103 permit ip 12.2.0.0 0.0.0.255 any
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use
.
 
For more information about SDM please follow the instructions in the QUICK START
 
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
 
LIProuter#

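Why the first configuration never fired follows from bkepford's point about the NAT order of operations: an input service-policy sees addresses before translation, an output service-policy sees them after. The Python model below is an added example (not from this thread or from Cisco) that walks a download packet and an upload packet through the policy hooks of the original and the final configs and reports which policer each flow actually hits. The public, remote and inside-host addresses are constructed placeholders for the masked values.

```python
"""Which addresses does a service-policy ACL see?  Added example modelling
the IOS NAT order of operations: input rate limiting runs before NAT in
both directions, output queueing/policing runs after NAT."""
import ipaddress

PUBLIC_IP = "203.0.113.10"        # constructed stand-in for the masked fa0/0 address
LAN = "12.2.0.0/24"               # inside network from the thread
INTERNET_HOST = "198.51.100.7"    # constructed remote peer
INSIDE_HOST = "12.2.0.50"         # constructed LAN client (its NAT table entry)


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def acl_permits(entries, src, dst):
    """entries: [(src_net, dst_net), ...]; any permit entry matching == class match."""
    return any(in_net(src, s) and in_net(dst, d) for s, d in entries)


def seen_by_policy(pkt, interface, direction):
    """(src, dst) as the service-policy sees them at that hook."""
    src, dst = pkt
    if direction == "input":                       # before NAT in both directions
        return src, dst
    if interface == "fa0/0" and in_net(src, LAN):  # inside->outside: local -> global
        src = PUBLIC_IP
    if interface == "fa0/1" and dst == PUBLIC_IP:  # outside->inside: global -> local
        dst = INSIDE_HOST
    return src, dst


ANY = "0.0.0.0/0"
# policies as (interface, direction, acl_entries)
ORIGINAL = [("fa0/0", "input", [(LAN, ANY)]),    # policy 'outbound', ACL 101
            ("fa0/1", "input", [(LAN, ANY)])]    # policy 'inbound',  ACL 101
FIXED = [("fa0/0", "input", [(ANY, PUBLIC_IP + "/32")]),    # ACL 101: any -> host public
         ("fa0/0", "output", [(PUBLIC_IP + "/32", ANY)]),   # ACL 102: host public -> any
         ("fa0/1", "input", [(ANY, PUBLIC_IP + "/32")])]    # ACL 101 again, per final config

DOWNLOAD = (INTERNET_HOST, PUBLIC_IP)   # on the wire outside: arrives fa0/0, leaves fa0/1
UPLOAD = (INSIDE_HOST, INTERNET_HOST)   # on the wire inside: arrives fa0/1, leaves fa0/0
PATH = {"download": [("fa0/0", "input"), ("fa0/1", "output")],
        "upload": [("fa0/1", "input"), ("fa0/0", "output")]}


def policed_hooks(policies, flow):
    """Return the (interface, direction) hooks whose policy matches the flow."""
    pkt = DOWNLOAD if flow == "download" else UPLOAD
    hits = []
    for iface, direction in PATH[flow]:
        for p_iface, p_dir, entries in policies:
            if (p_iface, p_dir) == (iface, direction) and \
                    acl_permits(entries, *seen_by_policy(pkt, iface, direction)):
                hits.append((iface, direction))
    return hits


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for flow in ("download", "upload"):
            print(f"{name:8} {flow:8} policed at {policed_hooks(cfg, flow) or 'nothing'}")
```

With the original config the download flow matches no policer at all, and only the upload is policed, by the 7.5 Mbit/s "inbound" policy on fa0/1, which is above the 2 Mbit/s upstream and so has no visible effect; that fits the "as if there were no policers" symptom. The final config matches the download on the fa0/0 input hook (destination still the public address) and the upload on the fa0/0 output hook (source already translated to the public address).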
 

Expert Comment

by:bkepford
ID: 22890447
Did you test and are you getting the speed that you wanted to be at?