Mr_Blob

Cisco 891 Share Internet Configuration

Hi:
I have a new 15Mbps internet connection which I need to split in the following way:

1. Up to 5Mbps going to my upstairs neighbor
2. At least 10Mbps, and any additional unused bandwidth, for me

We have the IP range 200.100.110.2-.126; I'll be using .2-.62 and my neighbor will be using .66-.126. The ISP gateway is 200.100.110.1 (these aren't the real numbers).

I have a Cisco 891 to connect to the ISP's modem's ethernet port. My neighbor and I each already have firewalls running for our networks, so all we really need is access which is traffic shaped/policed for those two.

My question is, what's the best way to approach this? Does anyone have a similar configuration they'd be willing to share? I have read a fair amount about this, but I have never done this kind of setup before.

Thanks
Garry Glendown

As usually the incoming bandwidth is the relevant one, I'd just put traffic policing on the neighbor's LAN port ... something like: (assuming e.g. you put the neighbor on VLAN 5 with the physical port configured as "switchport access vlan 5")
policy-map shape5m
 class class-default
    police cir 5000000
     conform-action transmit
     exceed-action drop
     violate-action drop

interface vlan 5
[ .. ]
 service-policy input shape5m
 service-policy output shape5m

Please note that this does not mean your neighbor can't cause more than the 5M data transfer on the physical link coming from the provider ... as the data has already been transferred, you're just dropping packets, but that will reduce the TCP transmit window size, which will lead to less bandwidth usage ...
Mr_Blob

ASKER

Here's what I have so far:

[...]
ip dhcp pool voippool
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 domain-name mydomain.com
 dns-server 8.8.8.8 8.8.4.4
 lease 0 2
!
ip domain name mydomain.com
ip cef
no ipv6 cef
[...]
class-map match-all voip_qos
 match access-group name voip_qos
!
policy-map 5Mbps
 class class-default
  police 5000000
policy-map outside_qos
 class voip_qos
  police 13500000
!
interface FastEthernet0
 description *** VoIP Phones ***
 no ip address
!
interface FastEthernet1
 description *** My Public IPs***
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 description *** Connected to the ISP ***
 switchport access vlan 2
 no ip address
 service-policy input outside_qos
 service-policy output outside_qos
!
interface FastEthernet3
 description *** Neighbor's Public IPs ***
 switchport access vlan 2
 no ip address
 service-policy input 5Mbps
 service-policy output 5Mbps
[...]
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 200.100.110.3 255.255.255.128 secondary
 ip address 200.100.110.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly in
[...]
ip nat pool voippool 200.100.110.3 200.100.110.3 netmask 255.255.255.128
ip nat inside source list 23 pool voippool overload
ip route 0.0.0.0 0.0.0.0 200.100.110.1
!
ip access-list extended voip_qos
 deny   ip host 200.100.110.3 any
 deny   ip any host 200.100.110.3
 permit ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.255
[...]

It looks like it should work, but the policing doesn't seem to be kicking in. If I run a test on speedtest.net from fa3, I still get the full speed.

Thanks for your input!

You're not telling the router what to do when it's policing the traffic ... see my earlier comment ... depending on the IOS, you may also have to use this syntax instead ...

    police 5 mbps 1024 kbyte conform-action transmit exceed-action drop
Mr_Blob

ASKER

Thanks; I had actually already tried it with the conform-action & exceed-action, but they didn't work. I just tried your syntax above; it didn't accept the 1024 kbyte, translated 5 mbps into 5000000 in the running config, and still, I can use the whole 15Mbps through the fa3 port.
I'm sure I'm just missing something simple; I just hope it's not that the 891's hardware won't support this configuration.

Do "show policy-map interface", you should get an overview of what policing has been triggered and done ...
e.g.:
 GigabitEthernet0/0/0.41

  Service-policy input: shape2m

    Class-map: class-default (match-any)
      59687397 packets, 11345125793 bytes
      5 minute offered rate 3000 bps, drop rate 0000 bps
      Match: any
      police:
          cir 2000000 bps, bc 62500 bytes, be 62500 bytes
        conformed 59555157 packets, 11151391584 bytes; actions:
          transmit
        exceeded 91665 packets, 132908768 bytes; actions:
          drop
        violated 40575 packets, 60825441 bytes; actions:
          drop
        conformed 3000 bps, exceed 0000 bps, violate 0000 bps
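
The check suggested above can be automated. The following is an added example, not part of the original thread: it parses `show policy-map interface` output and flags policers that are attached but have never matched a packet. The sample text is constructed: the first block reuses the counters quoted above, the second is a made-up idle policer using the interface and policy names from the asker's configuration.

```python
import re

# Constructed sample: block 1 reuses the counters quoted above; block 2 is a
# made-up idle policer (interface and policy names borrowed from the thread).
SAMPLE = """\
 GigabitEthernet0/0/0.41
  Service-policy input: shape2m
    Class-map: class-default (match-any)
      59687397 packets, 11345125793 bytes
      police:
          cir 2000000 bps, bc 62500 bytes, be 62500 bytes
        conformed 59555157 packets, 11151391584 bytes; actions:
        exceeded 91665 packets, 132908768 bytes; actions:
        violated 40575 packets, 60825441 bytes; actions:
 FastEthernet3
  Service-policy input: 5Mbps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      police:
          cir 5000000 bps, bc 156250 bytes, be 156250 bytes
        conformed 0 packets, 0 bytes; actions:
"""

def parse(text):
    """Return one dict per class block: interface, direction, policy, counters."""
    rows, iface, direction, policy, cur = [], None, None, None, None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if line and indent <= 1 and " " not in line:   # interface header line
            iface, cur = line, None
        elif m := re.match(r"Service-policy (input|output): (\S+)", line):
            direction, policy = m.groups()
        elif re.match(r"Class-map: \S+", line):
            cur = dict(iface=iface, dir=direction, policy=policy, cir=None,
                       matched=0, conformed=0, exceeded=0, violated=0)
            rows.append(cur)
        elif cur and (m := re.match(r"(\d+) packets, \d+ bytes$", line)):
            cur["matched"] = int(m.group(1))           # packets seen by the class
        elif cur and (m := re.match(r"cir (\d+) bps", line)):
            cur["cir"] = int(m.group(1))
        elif cur and (m := re.match(r"(conformed|exceeded|violated) (\d+) packets", line)):
            cur[m.group(1)] = int(m.group(2))          # per-colour policer counter
    return rows

def idle_policers(rows):
    """Policers that are attached but have never matched a packet."""
    return [(r["iface"], r["dir"], r["policy"]) for r in rows
            if r["cir"] and r["matched"] == 0]
```

An entry returned by `idle_policers` means traffic is not passing through the interface the policy is bound to, so the policer cannot limit it regardless of the configured rate.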


Mr_Blob

ASKER

It's showing 0 packets and 0 bytes for input & output.
ASKER CERTIFIED SOLUTION
Garry Glendown