Solved

Cisco Traffic Shaping, 'both' directions

Posted on 2013-01-16
Last Modified: 2013-01-17
So we are getting a fiber run to our office soon (10/10). We are going to have a few additional clients share this with us. We want to be able to keep them from eating all the speed.

I've been reading for hours on rate-limit, traffic shaping, and traffic policing. Being that shaping can only happen in an outbound direction of an interface, would the following example work?

Fiber handoff as ethernet---> (WAN-SIDE)Cisco Router (2611xm at the moment for testing) (LAN-SIDE)---> Switch --> Clients.
On the (WAN-SIDE) configure my shaping using access maps to match the client's IP(range) to shape their outbound (to the internet) speed, while on the (LAN-SIDE) interface, use different access maps to limit the traffic outbound from that interface into the switch to limit their download speed? Thus the router is effectively queuing in both directions? No NAT, all public, routable IP addresses. No other firewalling or policies will be done here other than QoS.

Not that it matters but all connections will be on 100 mbit copper ethernet ports.
Question by:kgtwebadmin

Accepted Solution

by:
agonza07 earned 250 total points
ID: 38785837
I've got this code on my layer 3 switch and it handles bandwidth limiting both ways. Maybe you can modify it for your router and try it out.  It limits bandwidth to 1.5Mbps.

If you apply to your LAN interface on the router, just modify the ACL for your interesting traffic on the allowed list, and what you don't want policed would inherently not be by the implicit deny.

! Match the traffic to be policed (ACL 12)
class-map match-all GUEST
  match access-group 12
!
!
policy-map GUEST_RATE_LIMIT
  class GUEST
   ! cir/pir are in bits per second, bc/be in bytes; only traffic above the peak rate is dropped
   police cir 1000000 bc 16000 pir 1500000 be 16000 conform-action transmit exceed-action transmit violate-action drop
!
interface Vlan252
 description Guest VLAN
 ip address 10.10.252.1 255.255.255.0
 ! Same policy applied in both directions
 service-policy input GUEST_RATE_LIMIT
 service-policy output GUEST_RATE_LIMIT
!
access-list 12 permit any

Author Comment

by:kgtwebadmin
ID: 38786768
Does this do it nicely or will I get horrid packet loss? I tried rate-limit on the interface, and when I was just firing off large packet pings to simulate traffic, it started throwing packets out rather than just delaying them.

I read about policing but did not simulate it yet in my test network.

Expert Comment

by:Sandeep Gupta
ID: 38787216
Try this. You can change the markings as you want.
Example:

class-map match-any CUSTOMER_EF
  match access-group name CUSTOMER_EF
class-map match-any CUSTOMER_AF3
  match access-group name CUSTOMER_AF3
class-map match-any CUSTOMER_AF2
  match access-group name CUSTOMER_AF2
class-map match-any EF_WAN
  match ip precedence 5
class-map match-any AF3_WAN
  match ip precedence 4
class-map match-any AF2_WAN
  match ip precedence 3
!
policy-map PREMIUM
  class EF_WAN
    priority
  class AF3_WAN
   bandwidth remaining percent <<put your desired BW% allocation ex:66>>
   queue-limit 272
   queue-limit precedence 4 150
  class AF2_WAN
   bandwidth remaining percent 21
   queue-limit 150
  class class-default
   bandwidth remaining percent 13
   queue-limit 150

!
policy-map LAN_IN
  class CUSTOMER_EF
! Suppose you want 5 Mb of traffic to be prioritized, then put the BW in bps, i.e. 5000000
   police cir 5000000 bc 6000000
   conform-action set-prec-transmit 5
   conform-action set-cos-transmit 6
   exceed-action drop
  class CUSTOMER_AF3
   set cos 4
   set precedence 4
  class CUSTOMER_AF2
   set cos 3
   set precedence 3
  class class-default
   set cos 2
   set precedence 2
!
policy-map WAN_IN
  class CUSTOMER_EF
   police cir 5000000 bc 6000000
   conform-action set-prec-transmit 5
   conform-action set-cos-transmit 6
  class CUSTOMER_AF3
   set cos 4
   set precedence 4
  class CUSTOMER_AF2
   set cos 3
   set precedence 3
  class class-default
   set cos 2
   set precedence 2
!

policy-map WAN
  class class-default
    shape average <<PUT your desired BW allocation in bps. ex for 30mb put 30000000>>
    service-policy PREMIUM
!
policy-map LAN
  class class-default
    shape average 30000000
    service-policy PREMIUM

Int WAN

service-policy input WAN_IN
service-policy output WAN


Int LAN

service-policy input LAN_IN
service-policy output LAN


!

ip access-list extended CUSTOMER_AF2
permit ip any any precedence flash
ip access-list extended CUSTOMER_AF3
permit ip any any precedence flash-override
permit ip any any precedence internet
permit ip any any precedence network
ip access-list extended CUSTOMER_EF
permit ip any any precedence critical

Expert Comment

by:agonza07
ID: 38787235
The violate action drop command will drop packets when bandwidth is exceeded. But Ethernet is designed to handle that drop and retransmit. So you'll see the drops when running pings, but I've had no complaints from normal web usage.
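The drop behaviour discussed in this thread can be reproduced offline. The following is an added example, not code from any poster: it models the accepted answer's `police cir 1000000 bc 16000 pir 1500000 be 16000` line as an RFC 2698-style two-rate, three-colour token bucket (an assumption about how the policer behaves; IOS internals may differ), and the offered loads and packet sizes are constructed test traffic.

```python
"""Two-rate, three-colour policer simulation (RFC 2698 style, colour-blind)."""
from collections import Counter


class TwoRatePolicer:
    def __init__(self, cir_bps, bc_bytes, pir_bps, be_bytes):
        self.cir, self.bc = cir_bps, bc_bytes
        self.pir, self.be = pir_bps, be_bytes
        self.tc = float(bc_bytes)  # committed bucket, starts full
        self.tp = float(be_bytes)  # peak bucket, starts full
        self.last_us = 0

    def police(self, now_us, size):
        """Classify one packet of `size` bytes arriving at `now_us` microseconds."""
        elapsed = now_us - self.last_us
        self.last_us = now_us
        # Refill both buckets (bytes) for the elapsed time, capped at burst size.
        self.tc = min(self.bc, self.tc + elapsed * self.cir / 8e6)
        self.tp = min(self.be, self.tp + elapsed * self.pir / 8e6)
        if self.tp < size:
            return "violate"       # above the peak rate: violate-action drop
        self.tp -= size
        if self.tc < size:
            return "exceed"        # between CIR and PIR: exceed-action transmit
        self.tc -= size
        return "conform"           # within CIR: conform-action transmit


def guest_policer():
    # Parameters copied from the GUEST_RATE_LIMIT policy-map in the answer.
    return TwoRatePolicer(1_000_000, 16_000, 1_500_000, 16_000)


def offer(policer, offered_bps, size, packets):
    """Send evenly spaced packets at a constant offered rate; count the colours."""
    gap_us = size * 8 * 1_000_000 // offered_bps
    return Counter(policer.police(i * gap_us, size) for i in range(packets))


if __name__ == "__main__":
    # Constructed loads: one below CIR, one at twice the peak rate.
    for bps, size in ((800_000, 1000), (3_000_000, 1500)):
        c = offer(guest_policer(), bps, size, 2500)
        print(f"{bps} bps offered: {dict(c)} dropped={c['violate'] / 2500:.1%}")
```

Below the committed rate nothing is dropped; at twice the peak rate roughly half of the packets fall into the violate class once the initial burst allowance is used up, which is the loss a sustained ping test makes visible.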

Expert Comment

by:mat1458
ID: 38788712
A 2611 is surely not a rocket when it comes to traffic shaping/queuing for LAN type interfaces. It does that in software so be aware that you push it to the limits. What device will you use in real life to perform the task?

Author Comment

by:kgtwebadmin
ID: 38789070
Looking at either an 1841 or 3750 catalyst. 10/10 fiber, with the ability to turn it up maybe to 20-30mbps in the near future.

Author Closing Comment

by:kgtwebadmin
ID: 38789079
Worked for me, I was able to dl a file and still ping with no loss.