Mr_Blob
asked on
Cisco 891 Share Internet Configuration
Hi:
I have a new 15Mbps internet connection which I need to split in the following way:
1. Up to 5Mbps going to my upstairs neighbor
2. At least 10Mbps, and any additional unused bandwidth, for me
We have the IP range 200.100.110.2-.126; I'll be using .2-.62 and my neighbor will be using .66-.126. The ISP gateway is 200.100.110.1 (these aren't the real numbers).
I have a Cisco 891 to connect to the ISP's modem's ethernet port. My neighbor and I each already have firewalls running for our networks, so all we really need is access which is traffic shaped/policed for those two.
My question is, what's the best way to approach this? Does anyone have a similar configuration they'd be willing to share? I have read a fair amount about this, but I have never done this kind of setup before.
Thanks
ASKER
Here's what I have so far:
[...]
ip dhcp pool voippool
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 domain-name mydomain.com
 dns-server 8.8.8.8 8.8.4.4
 lease 0 2
!
ip domain name mydomain.com
ip cef
no ipv6 cef
[...]
class-map match-all voip_qos
 match access-group name voip_qos
!
policy-map 5Mbps
 class class-default
  police 5000000
policy-map outside_qos
 class voip_qos
  police 13500000
!
interface FastEthernet0
 description *** VoIP Phones ***
 no ip address
!
interface FastEthernet1
 description *** My Public IPs***
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 description *** Connected to the ISP ***
 switchport access vlan 2
 no ip address
 service-policy input outside_qos
 service-policy output outside_qos
!
interface FastEthernet3
 description *** Neighbor's Public IPs ***
 switchport access vlan 2
 no ip address
 service-policy input 5Mbps
 service-policy output 5Mbps
[...]
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 200.100.110.3 255.255.255.128 secondary
 ip address 200.100.110.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly in
[...]
ip nat pool voippool 200.100.110.3 200.100.110.3 netmask 255.255.255.128
ip nat inside source list 23 pool voippool overload
ip route 0.0.0.0 0.0.0.0 200.100.110.1
!
ip access-list extended voip_qos
 deny ip host 200.100.110.3 any
 deny ip any host 200.100.110.3
 permit ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.255
[...]
It looks like it should work, but the policing doesn't seem to be kicking in. If I run a test on speedtest.net from fa3, I still get the full speed.
Thanks for your input!
You're not telling the router what to do when it's policing the traffic ... see my earlier comment ... depending on the IOS, you may also have to use this syntax instead ...
police 5 mbps 1024 kbyte conform-action transmit exceed-action drop
ASKER
Thanks; I had actually already tried it with the conform-action & exceed-action, but they didn't work. I just tried your syntax above; it didn't accept the 1024 kbyte, translated 5 mbps into 5000000 in the running config, and still, I can use the whole 15Mbps through the fa3 port.
I'm sure I'm just missing something simple; I just hope it's not that the 891's hardware won't support this configuration.
Do "show policy-map interface", you should get an overview of what policing has been triggered and done ...
e.g:
GigabitEthernet0/0/0.41
  Service-policy input: shape2m
    Class-map: class-default (match-any)
      59687397 packets, 11345125793 bytes
      5 minute offered rate 3000 bps, drop rate 0000 bps
      Match: any
      police:
          cir 2000000 bps, bc 62500 bytes, be 62500 bytes
        conformed 59555157 packets, 11151391584 bytes; actions:
          transmit
        exceeded 91665 packets, 132908768 bytes; actions:
          drop
        violated 40575 packets, 60825441 bytes; actions:
          drop
        conformed 3000 bps, exceed 0000 bps, violate 0000 bps
ASKER
It's showing 0 packets and 0 bytes for input & output.
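A small parser for the `show policy-map interface` check suggested above, as an added example that is not part of the original thread: it pulls out each class's counters and flags a policy that, like the asker's, has matched no packets. The function names and the FastEthernet3 block in the sample are constructed for illustration.

```python
import re

# First block: output quoted in the thread (action lines omitted). Second block:
# CONSTRUCTED to match the asker's report of zero packets on FastEthernet3.
SAMPLE = """\
GigabitEthernet0/0/0.41
  Service-policy input: shape2m
    Class-map: class-default (match-any)
      59687397 packets, 11345125793 bytes
          cir 2000000 bps, bc 62500 bytes, be 62500 bytes
        conformed 59555157 packets, 11151391584 bytes; actions:
        exceeded 91665 packets, 132908768 bytes; actions:
        violated 40575 packets, 60825441 bytes; actions:
        conformed 3000 bps, exceed 0000 bps, violate 0000 bps
FastEthernet3
  Service-policy input: 5Mbps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
"""

def parse_policy_map(text):
    """Return one dict of counters per class-map found in the output."""
    rows, iface, policy, row = [], None, ("?", "?"), None
    for s in map(str.strip, text.splitlines()):
        if re.fullmatch(r"[A-Za-z-]+\d+(?:/\d+)*(?:\.\d+)?", s):
            iface = s                      # bare interface name starts a section
        elif m := re.match(r"Service-policy (input|output): (\S+)", s):
            policy = m.groups()
        elif m := re.match(r"Class-map: (\S+)", s):
            row = {"where": f"{iface} {policy[0]} {policy[1]}/{m[1]}", "packets": 0}
            rows.append(row)
        elif row and (m := re.match(r"cir (\d+) bps", s)):
            row["cir_bps"] = int(m[1])
        elif row and (m := re.match(
                r"(?:(conformed|exceeded|violated) )?(\d+) packets, \d+ bytes", s)):
            row[m[1] or "packets"] = int(m[2])   # class total or one policer counter
    return rows

def findings(rows):
    """Flag classes that matched no traffic; otherwise report the share policed."""
    out = {}
    for r in rows:
        over = r.get("exceeded", 0) + r.get("violated", 0)
        out[r["where"]] = ("no packets matched: policy is not seeing traffic"
                           if r["packets"] == 0
                           else f"{100 * over / r['packets']:.2f}% exceeded or violated")
    return out

if __name__ == "__main__":
    print(findings(parse_policy_map(SAMPLE)))
```

A class that reports zero packets while traffic is flowing means the policy is attached somewhere the traffic is not being classified, which is a different problem from a policer rate that is set wrong.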
ASKER CERTIFIED SOLUTION
Please note that does not mean your neighbor can't cause more than the 5M data transfer on the physical link coming from the provider ... as the data has already been transferred, you're just dropping packets, but that will reduce the TCP transmit window size, which will lead to less bandwidth usage ...