Per vlan class map - Bandwidth Limit
Asked by: JPDU4
I have a router with 5 vlans
VLAN1 internal traffic Internal
VLAN2 future use
VLAN3 guest
VLAN4 future use
VLAN5 future use
I am trying to limit bandwidth on the Guest network to 1 meg. Please take a look at the class map and policy map; I am not able to get the desired results.
hostname TEST
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$BLoi$4BRrze/1HnN084OvTDrJR1
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-618377751
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-618377751
revocation-check none
rsakeypair TP-self-signed-618377751
!
!
crypto pki certificate chain TP-self-signed-618377751
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36313833 37373735 31301E17 0D313230 33313231 33323630
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3631 38333737
37353130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
9E278128 BD99C12D E8743420 9E83357D B9D94341 28BF7928 1F5ED633 9028884D
FB1AD31F CC6DEC85 8D87BB9A 042874AB 28768ED4 D4988D8C 8C6A9174 459D3538
CBFD4409 A01EF397 2FCEFC61 F0436C9F E1273216 EBF7735D E700E8CB 36F6CDE3
CAB9B46A 0DDEAFF0 86D8A7E7 273FA6DD 76D45AF7 0086E11C DC6AEDDC 74827001
02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
11041630 14821277 7A746573 742E6174 69686F6D 652E636F 6D301F06 03551D23
04183016 80141032 13E668C7 7918DC93 BB932F4B AB9761B6 8B86301D 0603551D
0E041604 14103213 E668C779 18DC93BB 932F4BAB 9761B68B 86300D06 092A8648
86F70D01 01040500 03818100 21D65DB9 0567B116 9DEDFB90 ABC5D226 76103F79
61829013 C69AC1D2 95170752 7D149CD3 B92449B5 3BE56345 1D9B5406 FF62D6F4
58696D3D DA52E8AD 4A8DBF2B 3CC348CE 332BC3FD 294E32B0 9D6CE871 CE1B85C0
E9BAA624 01EC233B 06FED1D1 49E94BEB 129E33D1 A4DB2B2E DE2358C5 62E9DA93
97B56785 5CFAA0F1 480BD6E8
quit
ip source-route
ip dhcp excluded-address 10.217.70.1 10.217.70.50
ip dhcp excluded-address 10.217.71.1 10.217.71.50
ip dhcp excluded-address 10.217.72.1 10.217.72.50
ip dhcp excluded-address 10.217.73.1 10.217.73.50
ip dhcp excluded-address 10.217.74.1 10.217.74.50
!
ip dhcp pool sdm-pool1
import all
network 10.217.70.0 255.255.255.0
dns-server 208.67.222.222 8.8.8.8
default-router 10.217.70.1
!
ip dhcp pool sdm-pool2
import all
network 10.217.71.0 255.255.255.0
dns-server 208.67.222.222 8.8.8.8
default-router 10.217.71.1
!
ip dhcp pool sdm-pool3
import all
network 10.217.72.0 255.255.255.0
dns-server 208.67.222.222 8.8.8.8
default-router 10.217.72.1
!
ip dhcp pool sdm-pool4
import all
network 10.217.73.0 255.255.255.0
dns-server 208.67.222.222 8.8.8.8
default-router 10.217.73.1
!
ip dhcp pool sdm-pool5
import all
network 10.217.74.0 255.255.255.0
dns-server 208.67.222.222 8.8.8.8
default-router 10.217.74.1
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
class-map match-all LIMIT-GUEST
match access-group 110
!
!
policy-map MAN-BANDWIDTH
class LIMIT-GUEST
police 10000 conform-action transmit exceed-action drop violate-action drop
!
!
!
!
interface FastEthernet0
switchport access vlan 3
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN Interface(OUTSIDE)
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
service-policy input MAN-BANDWIDTH
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description Internal
ip address 10.217.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 10.217.71.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description Guest
ip address 10.217.72.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
ip address 10.217.73.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan5
ip address 10.217.74.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 100 interface FastEthernet4 overload
!
ip access-list extended BlockGuest_ToProd
remark BlockGuest_ToProd
remark SDM_ACL Category=1
deny ip 10.217.72.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any
!
access-list 100 remark NATinsideOut
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 10.192.0.0 0.31.255.255 any
access-list 110 permit ip 10.217.72.0 0.0.0.255 any
Asked on 2012-03-13 at 09:57:39 (question ID 27629929)
Tags: Cisco, router, qos, classmap, policy map
Topics: Networking Protocols, Network Routers, Miscellaneous Networking
JPDU4 requested that this question be closed by accepting JPDU4's comment #37724649 (0 points) as the solution for the following reason:
rate-limit on the vlan interface resolved the issue
Answers
Comment by JPDU4, posted on 2012-03-13 at 10:00:51 (ID 37715068)
I have changed the service policy from in to out, with no difference.
The only time I am able to match the policy map is if I change access-list 110 to ip any any, unfortunately then it would match the internal vlan as well - which I don't want to limit.
Expert Comment by kevinhsieh, posted on 2012-03-14 at 02:57:58 (ID 37718751)
From what I can tell, you currently are limiting only the amount of traffic that the guests can send out, but you are not limiting the traffic that can be downloaded from your WAN connection.
Add to your access list so you can catch traffic in both directions. You can then apply in both directions. Are you unable to apply to VLAN 4? That would make more sense to me than on your WAN interface.
access-list 110 permit ip any 10.217.72.0 0.0.0.255
Comment by JPDU4, posted on 2012-03-14 at 14:49:16 (ID 37722071)
Still not seeing it even hit the ACL.
I want to place it on fa4 because this device is an ISR; I want to be able to control the WAP users as well without having to apply it to all of the interfaces... I just upgraded the code without any improvement. Seems very weird that the ACL is not being matched. I have checked my workstation a million times to ensure it is on that network, 10.217.72.0, which it is.
Comment by JPDU4, posted on 2012-03-15 at 08:19:49 (ID 37724649)
Performing a rate-limit on the vlan works.
rate-limit input 1048000 131072 131072 conform-action transmit exceed-action drop
rate-limit output 1048000 131072 131072 conform-action transmit exceed-action drop
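Added example (editor's configuration, not from the original question, from kevinhsieh's comment or from the accepted rate-limit workaround): the class map, policy map and ACL from the question, corrected and moved to an interface where they can match. The posted policy sits on FastEthernet4, the NAT outside interface. Packets entering Fa4 still carry the public WAN address as their destination, and packets leaving Fa4 have already had their source translated to the WAN address by the time the output policy classifies them, so an ACL keyed on 10.217.72.0/24 sees nothing in either direction; that is consistent with "only ip any any matches" reported above. Classifying on the guest SVI, which is what kevinhsieh suggested and what the accepted rate-limit lines do, sees the untranslated addresses. Two further points from the posted config: MQC police rates are in bits per second with bursts in bytes, so "police 10000" is a 10 kbps limit rather than 1 Mbps, and the extended ACL BlockGuest_ToProd is defined but attached to no interface, so the guest VLAN is not actually kept off 10.0.0.0/8. The burst values and the sequence number 5 below are assumptions (Cisco's usual Bc = CIR/8 x 1.5 s, Be = 2 x Bc; check show access-lists for the real sequence numbers), and the MQC police on the SVI is equivalent to the CAR rate-limit in the accepted answer; if the platform refuses service-policy on a VLAN interface, the CAR lines remain the fallback.

```cisco
! Added example: corrected per-VLAN guest limit (not from the original post).
!
! 1. Match guest traffic in BOTH directions. The posted ACL 110 only matches
!    packets sourced from 10.217.72.0/24, so downloads to guests were never caught.
no access-list 110
access-list 110 remark Guest VLAN (10.217.72.0/24), either direction
access-list 110 permit ip 10.217.72.0 0.0.0.255 any
access-list 110 permit ip any 10.217.72.0 0.0.0.255
!
class-map match-all LIMIT-GUEST
 match access-group 110
!
! 2. Police at 1 Mbps. MQC rate is in bits/s, bursts in bytes.
!    Bc = 1000000 / 8 * 1.5 s = 187500 bytes; Be = 2 * Bc (assumed values).
!    The posted "police 10000" is a 10 kbps limit.
policy-map MAN-BANDWIDTH
 class LIMIT-GUEST
  police 1000000 187500 375000 conform-action transmit exceed-action drop violate-action drop
!
! 3. Take the policy off the NAT outside interface, where the private addresses
!    in ACL 110 are never visible to the classifier.
interface FastEthernet4
 no service-policy input MAN-BANDWIDTH
!
! 4. Let guests still reach the router's own SVI address for DHCP renewals before
!    the existing deny line (sequence number 5 is an assumption; the posted deny
!    is expected at 10).
ip access-list extended BlockGuest_ToProd
 5 permit udp 10.217.72.0 0.0.0.255 host 10.217.72.1 eq bootps
!
! 5. Apply the policer on the guest SVI in both directions, before NAT on the way
!    out and after un-NAT on the way in, and attach the page's own isolation ACL,
!    which the posted config defines but never applies.
interface Vlan3
 service-policy input MAN-BANDWIDTH
 service-policy output MAN-BANDWIDTH
 ip access-group BlockGuest_ToProd in
end
!
! 6. Verify from exec mode while a guest host is transferring: the conform and
!    exceed counters for class LIMIT-GUEST should both increment, and the ACL 110
!    hit counts should rise for both entries.
show policy-map interface Vlan3
show access-lists 110
show access-lists BlockGuest_ToProd
```

The conform/exceed counters in show policy-map interface are the quickest way to tell a policy that is attached but never matching (all counters zero, as in the question) from a policy that is matching but set to the wrong rate.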
Wasn't it my suggestion to apply to the VLAN interface? #37718751