Solved

Per vlan class map - Bandwidth Limit

Posted on 2012-03-13
Last Modified: 2012-03-20
I have a router with 5 VLANs:

VLAN1 internal traffic Internal
VLAN2 future use
VLAN3 guest
VLAN4 future use
VLAN5 future use

I am trying to limit bandwidth on the Guest network to 1 meg. Please take a look at the class-map and policy-map; I am not able to get the desired results.

hostname TEST
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$BLoi$4BRrze/1HnN084OvTDrJR1
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-618377751
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-618377751
 revocation-check none
 rsakeypair TP-self-signed-618377751
!
!
crypto pki certificate chain TP-self-signed-618377751
 certificate self-signed 01
  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36313833 37373735 31301E17 0D313230 33313231 33323630
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3631 38333737
  37353130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  9E278128 BD99C12D E8743420 9E83357D B9D94341 28BF7928 1F5ED633 9028884D
  FB1AD31F CC6DEC85 8D87BB9A 042874AB 28768ED4 D4988D8C 8C6A9174 459D3538
  CBFD4409 A01EF397 2FCEFC61 F0436C9F E1273216 EBF7735D E700E8CB 36F6CDE3
  CAB9B46A 0DDEAFF0 86D8A7E7 273FA6DD 76D45AF7 0086E11C DC6AEDDC 74827001
  02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
  11041630 14821277 7A746573 742E6174 69686F6D 652E636F 6D301F06 03551D23
  04183016 80141032 13E668C7 7918DC93 BB932F4B AB9761B6 8B86301D 0603551D
  0E041604 14103213 E668C779 18DC93BB 932F4BAB 9761B68B 86300D06 092A8648
  86F70D01 01040500 03818100 21D65DB9 0567B116 9DEDFB90 ABC5D226 76103F79
  61829013 C69AC1D2 95170752 7D149CD3 B92449B5 3BE56345 1D9B5406 FF62D6F4
  58696D3D DA52E8AD 4A8DBF2B 3CC348CE 332BC3FD 294E32B0 9D6CE871 CE1B85C0
  E9BAA624 01EC233B 06FED1D1 49E94BEB 129E33D1 A4DB2B2E DE2358C5 62E9DA93
  97B56785 5CFAA0F1 480BD6E8
        quit
ip source-route
ip dhcp excluded-address 10.217.70.1 10.217.70.50
ip dhcp excluded-address 10.217.71.1 10.217.71.50
ip dhcp excluded-address 10.217.72.1 10.217.72.50
ip dhcp excluded-address 10.217.73.1 10.217.73.50
ip dhcp excluded-address 10.217.74.1 10.217.74.50
!
ip dhcp pool sdm-pool1
   import all
   network 10.217.70.0 255.255.255.0
   dns-server 208.67.222.222 8.8.8.8
   default-router 10.217.70.1
!
ip dhcp pool sdm-pool2
   import all
   network 10.217.71.0 255.255.255.0
   dns-server 208.67.222.222 8.8.8.8
   default-router 10.217.71.1
!
ip dhcp pool sdm-pool3
   import all
   network 10.217.72.0 255.255.255.0
   dns-server 208.67.222.222 8.8.8.8
   default-router 10.217.72.1
!
ip dhcp pool sdm-pool4
   import all
   network 10.217.73.0 255.255.255.0
   dns-server 208.67.222.222 8.8.8.8
   default-router 10.217.73.1
!
ip dhcp pool sdm-pool5
   import all
   network 10.217.74.0 255.255.255.0
   dns-server 208.67.222.222 8.8.8.8
   default-router 10.217.74.1
!
!
ip cef
!
!
class-map match-all LIMIT-GUEST
 match access-group 110
!
!
policy-map MAN-BANDWIDTH
 class LIMIT-GUEST
    police 10000 conform-action transmit  exceed-action drop  violate-action drop
!
!
!
interface FastEthernet0
 switchport access vlan 3
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN Interface(OUTSIDE)
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy input MAN-BANDWIDTH
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
!
interface Vlan1
 description Internal
 ip address 10.217.70.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 10.217.71.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description Guest
 ip address 10.217.72.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 ip address 10.217.73.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan5
 ip address 10.217.74.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 100 interface FastEthernet4 overload
!
ip access-list extended BlockGuest_ToProd
 remark BlockGuest_ToProd
 remark SDM_ACL Category=1
 deny   ip 10.217.72.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any
!
access-list 100 remark NATinsideOut
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 10.192.0.0 0.31.255.255 any
access-list 110 permit ip 10.217.72.0 0.0.0.255 any
Question by: JPDU4
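As an editor-added illustration (Python written for this page, not code from the thread or from Cisco IOS), the following models which source/destination pair an ACL-based class-map sees at each attach point in the posted config. It assumes, following Cisco's documented NAT order of operations, that input features on the NAT-outside interface (FastEthernet4) run before outside-to-inside translation and output features run after inside-to-outside translation, so the classifier there sees the router's public address rather than 10.217.72.0/24, whereas on Vlan3 it sees the private addresses in both directions. The public and host addresses are constructed; the ACL includes the posted entry plus the return-direction entry kevinhsieh suggests below.

```python
# Editor-added example, not code from the thread or from Cisco IOS.
# Models which (src, dst) pair an ACL-based class-map sees at each attach
# point, to show why access-list 110 never matches on the NAT-outside WAN
# interface but does on the guest VLAN interface.
import ipaddress

# Constructed addresses (assumptions, not from the thread):
WAN_PUBLIC = "198.51.100.7"   # Fa4's DHCP-assigned public address
GUEST_HOST = "10.217.72.20"   # a client in the thread's guest subnet 10.217.72.0/24
INTERNET = "203.0.113.9"      # an external server


def _wildcard_match(spec, addr):
    """IOS-style 'base wildcard' match; 'any' matches everything."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


def acl_permits(acl, src, dst):
    """First matching entry wins; implicit deny at the end."""
    for action, src_spec, dst_spec in acl:
        if _wildcard_match(src_spec, src) and _wildcard_match(dst_spec, dst):
            return action == "permit"
    return False


# access-list 110 as posted, plus the return-direction entry from the thread.
ACL_110 = [
    ("permit", "10.217.72.0 0.0.0.255", "any"),
    ("permit", "any", "10.217.72.0 0.0.0.255"),
]


def classifier_view(interface, direction, src, dst):
    """Addresses the service-policy classifier sees for a packet whose
    end-to-end addresses are (src, dst).
    Assumption (Cisco NAT order of operations): on the NAT-outside interface,
    input features run before outside-to-inside translation (dst is still the
    public address) and output features run after inside-to-outside
    translation (src is already the public address). On an inside interface
    the private addresses are visible in both directions."""
    if interface == "FastEthernet4" and direction == "input":
        return (src, WAN_PUBLIC)
    if interface == "FastEthernet4" and direction == "output":
        return (WAN_PUBLIC, dst)
    return (src, dst)


def class_matches(interface, direction, src, dst, acl=ACL_110):
    """Would class-map LIMIT-GUEST classify this packet at this attach point?"""
    return acl_permits(acl, *classifier_view(interface, direction, src, dst))


def attach_point_report():
    """Each attach point paired with the guest flow that actually passes it."""
    cases = [
        ("FastEthernet4", "input", "guest download", (INTERNET, GUEST_HOST)),
        ("FastEthernet4", "output", "guest upload", (GUEST_HOST, INTERNET)),
        ("Vlan3", "input", "guest upload", (GUEST_HOST, INTERNET)),
        ("Vlan3", "output", "guest download", (INTERNET, GUEST_HOST)),
    ]
    return {(iface, direction, name): class_matches(iface, direction, *flow)
            for iface, direction, name, flow in cases}


if __name__ == "__main__":
    for (iface, direction, name), hit in attach_point_report().items():
        print(f"{iface:14} {direction:6} {name:15} -> {'matches' if hit else 'no match'}")
```

Under this model the class-map matches nothing on FastEthernet4 in either direction, which is consistent with the observation in the thread that only `permit ip any any` ever hits there, and with the eventual fix being applied on the VLAN interface, where both the upload (input) and download (output) directions carry the private guest addresses.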

Author Comment by: JPDU4 (posted 2012-03-13 10:00:51, ID 37715068)
I have changed the service policy from in to out, with no difference.

The only time I am able to match the policy map is if I change access-list 110 to ip any any; unfortunately, then it would match the internal VLAN as well, which I don't want to limit.
Assisted Solution by: kevinhsieh (LVL 42; posted 2012-03-14 02:57:58, ID 37718751; earned 500 total points)
From what I can tell, you currently are limiting only the amount of traffic that the guests can send out, but you are not limiting the traffic that can be downloaded from your WAN connection.

Add to your access list so you can catch traffic in both directions. You can then apply in both directions. Are you unable to apply to VLAN 4? That would make more sense to me than on your WAN interface.
access-list 110 permit ip any 10.217.72.0 0.0.0.255

Author Comment by: JPDU4 (posted 2012-03-14 14:49:16, ID 37722071)
Still not seeing it even hit the ACL.

I want to place it on fa4 because this device is an ISR; I want to be able to control the WAP users as well without having to apply it to all of the interfaces... I just upgraded the code without any improvement. Seems very weird that the ACL is not being matched. I have checked my workstation a million times to ensure it is on that network (10.217.72.0), which it is.

Accepted Solution by: JPDU4 (posted 2012-03-15 08:19:49, ID 37724649; earned 0 total points)
Performing a rate-limit on the VLAN works.

 rate-limit input 1048000 131072 131072 conform-action transmit exceed-action drop
 rate-limit output 1048000 131072 131072 conform-action transmit exceed-action drop
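The rate values are where the two approaches in this thread differ most. Both `police` and `rate-limit` (CAR) take the rate in bits per second, so `police 10000` in the posted policy-map asks for roughly 10 kbit/s, while the accepted answer's 1048000 is about 1 Mbit/s with a 131072-byte (128 KiB) burst. As an editor-added example (Python written for this page, not the thread's or Cisco's code), the following single-rate token-bucket model drives both settings with the same constructed 2 Mbit/s stream of 1500-byte packets. The 1500-byte burst used for the `police` case is a constructed assumption, since the posted command gives no burst value and IOS picks its own default.

```python
# Editor-added example, not code from the thread or from Cisco IOS.
# A single-rate, two-colour token-bucket policer, the mechanism behind both
# `police <bps> [burst]` and `rate-limit <bps> <normal-burst> <max-burst>`.
# Rates are in bits per second and bursts in bytes, as on those commands.
# The offered traffic is constructed; the 1500-byte burst for the `police`
# case is an assumption standing in for the IOS default.


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_t = 0.0

    def offer(self, t, size_bytes):
        """Return 'conform' or 'exceed' for a packet of size_bytes arriving at time t."""
        elapsed = t - self.last_t
        # Tokens accrue at rate_bps/8 bytes per second, capped at the burst size.
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bps / 8)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def run_policer(rate_bps, burst_bytes, offered_bps=2_000_000, pkt_bytes=1500, seconds=10.0):
    """Offer a constant stream through the bucket.
    Returns (average conforming bits per second, number of packets that exceeded)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    interval = pkt_bytes * 8 / offered_bps      # seconds between offered packets
    n = int(seconds / interval)
    conform_bytes = exceeded = 0
    for i in range(n):
        if bucket.offer(i * interval, pkt_bytes) == "conform":
            conform_bytes += pkt_bytes
        else:
            exceeded += 1
    return round(conform_bytes * 8 / seconds), exceeded


def compare_thread_settings():
    """The two settings from the thread, driven by the same 2 Mbit/s stream."""
    return {
        "police 10000 (burst assumed 1500 bytes)": run_policer(10_000, 1_500),
        "rate-limit 1048000 131072 131072": run_policer(1_048_000, 131_072),
    }


if __name__ == "__main__":
    for setting, (bps, dropped) in compare_thread_settings().items():
        print(f"{setting}: ~{bps} bit/s pass, {dropped} packets exceed")
```

The model is deliberately two-colour; the posted `police ... violate-action drop` form is a three-colour policer with a separate extended burst, which is omitted here because with both exceed and violate set to drop the outcome is the same. Over the 10-second window the rate-limit case passes slightly more than 1 Mbit/s because the initial 128 KiB of tokens is spent in the first fraction of a second; the long-run rate converges on the configured 1048000 bit/s.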

Author Comment by: JPDU4
I've requested that this question be closed as follows:

Accepted answer: 0 points for JPDU4's comment #37724649

for the following reason:

rate-limit on the vlan interface resolved the issue
Expert Comment by: kevinhsieh (LVL 42)
Wasn't it my suggestion to apply to the VLAN interface? #37718751