Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
787
Views
19
Helpful
9
Replies

Limit bandwidth for Internet connection

just1byte
Level 1
Level 1

‎07-31-2007 11:23 AM - edited ‎03-05-2019 05:36 PM

I am trying to limit/control our bandwidth connection to the Internet to 2Mbps. We are in the process of changing providers and are paying based on usage instead of a flat amount. We have a 3560 switch that has all of the users behind it and this is where we would like to implement some sort of bandwidth limitation. I am currently thinking of doing the following:

class-map match-any HTTPClass

match access-group 100

policy-map HTTPPolicy

class HTTPClass

police 2097000 8000 exceed-action drop

access-list 100 permit tcp any any eq www

int gig0/1

service-policy input HTTPPolicy

Does this look correct? Any other suggestions? We looked at CAR and rate-limit but this is not avaliable on a 3560

Labels:
0 Helpful
9 Replies 9

royalblues
Level 10
Level 10

‎07-31-2007 11:41 AM

If you internet connection is out gigabitethernet 0/1, i would suggest applying the policy on the outbound direction rather than inbound

int gig0/1

service-policy output HTTPPolicy

HTH, rate if it does

Narayan

0 Helpful

just1byte
Level 1
Level 1
In response to royalblues

‎07-31-2007 11:53 AM

I thought about that, but as most Internet connectivity falls into the "asynchronous" style (more download than upload activity) I figured it would be more effective on the inbound as the majority of the HTTP traffic would be inbound.

0 Helpful

royalblues
Level 10
Level 10
In response to just1byte

‎07-31-2007 11:57 AM

Apply in both the directions if that suits you.

Even though an Inbound policy drops the packet, it would have already used the bandwidth on the link

Narayan

just1byte
Level 1
Level 1
In response to royalblues

‎07-31-2007 12:27 PM

True I did not look at it that way. If a user is trying to download a large file from the Internet and we limit the capacity in the 3560 the file is still going to come through the connection causing us to be charged for it and then it would be dropped at the 3560 due to the policy-map. The only way this would be effective would be in the outbound direction. I do not believe that there is a way to limit inbound as all of the devices that we are able to put restrictions on are located after the providers device that is determining our utilization/costs. Isn't that nifty. Thanks again for your input

0 Helpful

andrew.butterworth
Level 7
Level 7
In response to just1byte

‎07-31-2007 12:59 PM

The 3560 does not support egress policing via service policies, if you try to attach a policy to the 'output' of an interface you will get an error message. You can however limit the bandwidth with the interface command:

srr-queue bandwidth limit <10 - 90>

This does affect all traffic though so you should apply ingress policers to your access ports to classify (and police?) your traffic prior to it being sent to the egress interface.

If you really need to apply strict QoS for different traffic types then you should use a router (or maybe a Catalyst 6500 but this is likely to be far too expensive?)

Andy

just1byte
Level 1
Level 1
In response to andrew.butterworth

‎07-31-2007 01:12 PM

You are correct! It does generate an error message when applied in the outbound. Well, inbound will not help because by the time it reaches our device then we will have already been charged for the access and outbound will not work because it is not allowed. Good thing this connection is just temporary. Sounds like the best solution is to just get a better connection with a flat rate and let the limitation of the connection do all the policing that it wants. This in conjunction with getting people to actually work instead of surfing the Internet for non work related activites. Thanks Again

0 Helpful

royalblues
Level 10
Level 10
In response to just1byte

‎07-31-2007 01:20 PM

Yes it totally slipped out of my mind that 3560 will not support egress policing

Thanks andy for reminding that

Narayan

0 Helpful

jwdoherty
Level 1
Level 1

‎08-01-2007 11:33 AM

If you shape or police outbound TCP ACKs, you can somewhat control inbound bandwidth utilization of TCP traffic.

The reason I note "somewhat" is you don't know exactly what's the size of the inbound packet and TCP senders will still burst as they open their send windows.

Effectively it won't meter traffic as exactly as a far side shaper or policer but it does work.

Do keep mind that you must shape or police ACKs to a much, much lower rate than the rate desired for the return traffic.

0 Helpful

royalblues
Level 10
Level 10
In response to jwdoherty

‎08-01-2007 11:40 AM

I agree and thats why you can do this better with products like riverbed, WAAS, Packeteer etc as these can intercept the TCP handshake and effectively do not allow anyone to use more than a certain bandwidth

Narayan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card