put a throttle on lan traffic

Answered Question
Aug 10th, 2008

Cisco 2651XM router


I'm looking for a sample config or help which would enable me to restrict the speed of traffic of a particular PC on the lan connected to my router.

My LAN comprises several PCs on 172.16.1.xx, which connects to f0/0, and internet access for the whole LAN is via a wic-adsl card in the router. I did a bit of reading on Google about this but found it confusing. I understand I have to set up an access list but as a beginner I'm not sure where to start. I use SDM too but that only seems to cater for traffic going out of the router (unless I'm mistaken). What I'd ideally like to do is be able to pick one machine on the LAN (e.g. PC 172.16.1.15) and restrict the speed of all traffic to and from it to say 50Kb/sec. Is that possible? Thanks for any pointers.

Correct Answer by Joseph W. Doherty about 8 years 10 months ago

Yes, there's usually several methods to restrict bandwidth. First, though, if your "bad" PC is connected to the LAN, you'll likely not be able to easily restrict LAN-to-LAN bandwidth within the same subnet. However, for any traffic being routed to/from the "bad" PC, i.e. to/from other networks including the Internet, that's passing through your 2651XM router, you should be able to throttle it.


Second, you can control all traffic to/from the "bad" PC, treat to/from differently, or also treat different kinds of traffic to the "bad" PC differently. Third, you can drop traffic that's above the rate specified, delay it so it doesn't exceed your specification, or prioritize it relative to other traffic when there's traffic congestion.


Below is an example of using class-based weighted fair queuing to police the traffic to/from the host. (NB: syntax might be incorrect)


ip access-list extended TrafficToBeControlled
 remark all IP traffic from "bad" PC
 permit ip host 172.16.1.15 any
 remark all IP traffic to "bad" PC
 permit ip any host 172.16.1.15

class-map match-any TrafficToBeControlled
 match access TrafficToBeControlled

policy-map CBWFQ
 class TrafficToBeControlled
  police 50000

interface fastEthernet 0/0
 service-policy input CBWFQ
 service-policy output CBWFQ


PS:

I'm showing usage of CBWFQ as it can be expanded into supporting further traffic management.

tonyspcrepairs Sun, 08/10/2008 - 12:02

thanks for your response. I was going okay with your list of commands until I got to:

match access TrafficToBeControlled, I got an input error thus:

router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip access-list extended TrafficToBeControlled
router(config-ext-nacl)#permit ip host 172.16.1.15 any
router(config-ext-nacl)#permit ip any host 172.16.1.15
router(config-ext-nacl)#class-map match-any TrafficToBeControlled
router(config-cmap)#match access TrafficToBeControlled
^
% Invalid input detected at '^' marker.

I get the above error. Do you know what the correct command should be?

Joseph W. Doherty Sun, 08/10/2008 - 17:25
User Badges:
  • Super Bronze, 10000 points or more

Try

"match access-group TrafficToBeControlled"

PS:

If you enter a ?, you can see the options for either the command or partial command.

e.g.

"match ?"

"match access?"

tonyspcrepairs Mon, 08/11/2008 - 14:51

OK, thanks. I know about the ? for getting help with commands and I did try this before my last reply, but I'm still stuck at this step.


router(config-cmap)#match access TrafficToBeControlled
^
% Invalid input detected at '^' marker.

router(config-cmap)#match access-group TrafficToBeControlled
^
% Invalid input detected at '^' marker.

router(config-cmap)#match ?
access-group Access group
any Any packets
class-map Class map
cos IEEE 802.1Q/ISL class of service/user priority values
destination-address Destination address
discard-class Discard behavior identifier
dscp Match DSCP in IP(v4) and IPv6 packets
flow Flow based QoS parameters
fr-de Match on Frame-relay DE bit
fr-dlci Match on fr-dlci
input-interface Select an input interface to match
ip IP specific values
mpls Multi Protocol Label Switching specific values
not Negate this match result
packet Layer 3 Packet length
precedence Match Precedence in IP(v4) and IPv6 packets
protocol Protocol
qos-group Qos-group
source-address Source address
vlan VLANs to match

(I don't know which sub menu I should select)

router(config-cmap)#match access ?
<1-2699> Access list index
name Named Access List

(again, the name doesn't work and I don't know if I should select a number)

router(config-cmap)#match access-group ?
<1-2699> Access list index
name Named Access List


tia if you have any further thoughts...

Joseph W. Doherty Mon, 08/11/2008 - 15:08
User Badges:
  • Super Bronze, 10000 points or more

Sorry this is such a problem; I don't have a Cisco router at hand.

Try "match access-group name TrafficToBeControlled".

Ensure the access-list was defined and accepted by the router before trying either variant of the match statement.

tonyspcrepairs Tue, 08/12/2008 - 14:05

Thank you for your response, Joseph. Yes, success. "match access-group name TrafficToBeControlled" worked and I was able to complete the rest of the commands given in your first post. Your commands worked in restricting the internet speed of one PC on the LAN, while other PCs surfed at their normal speed. This is great, thanks.

To my surprise the figure of 50000 slowed the internet really severely on the 172.16.1.15 machine. I thought 50000 meant 50Kb, so I was expecting the machine to peak at 50kb/sec, but the real speed of surfing on the PC was about 6Kb, same as a dialup, and a slow dialup at that. I'm confused about this, but for the time being I can speed it up by using 100000 or higher and experimenting with different numbers in the commands. When I've got a minute I'll look up what CBWFQ means, but for now I have a workable solution, so thanks very much for your help.

Joseph W. Doherty Tue, 08/12/2008 - 16:48
User Badges:
  • Super Bronze, 10000 points or more

The reason for the policer's major impact is that it mimics a link of 50 Kbps but one with a very shallow queue. You can adjust the speed until you obtain the performance you desire, or you would need to adjust the other police parameters. (What you might also try, if there's some variant of police peak vs. police average or CIR, the former will mimic a link with more queue depth.)
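The thread's configuration put together with the syntax fix that resolved the match error, as an added example that is not either poster's own text. The burst value (bc) and the separate shaping policy are assumptions added here and need tuning to the real link; everything else (host 172.16.1.15, FastEthernet0/0, the 50000 bps rate, the TrafficToBeControlled and CBWFQ names) comes from the thread.

```cisco
! Added example: the thread's CBWFQ config with the corrected match syntax.
! Assumptions: throttled host is 172.16.1.15 behind FastEthernet0/0 and the
! target rate is 50 kbit/s; the bc value and CBWFQ-SHAPE policy are added here.
!
! "police 50000" is 50,000 bits per second, i.e. roughly 6 kilobytes per
! second, which is the dial-up-like throughput reported earlier in the thread.
!
ip access-list extended TrafficToBeControlled
 remark all IP traffic from the throttled PC
 permit ip host 172.16.1.15 any
 remark all IP traffic to the throttled PC
 permit ip any host 172.16.1.15
!
! A named ACL must be referenced with the "name" keyword (the fix from above).
class-map match-any TrafficToBeControlled
 match access-group name TrafficToBeControlled
!
! Policer: drops everything over the rate. bc is the committed burst in bytes;
! 6250 bytes is one second of traffic at 50 kbit/s (constructed value, tune it).
! The rate applies to the class as a whole: matching a /24 here would give the
! entire subnet a shared 50 kbit/s, not 50 kbit/s per host.
policy-map CBWFQ
 class TrafficToBeControlled
  police cir 50000 bc 6250 conform-action transmit exceed-action drop
!
! Shaper: queues excess instead of dropping it, so TCP backs off more gently.
! Shaping is output-only, so inbound traffic still has to be policed.
policy-map CBWFQ-SHAPE
 class TrafficToBeControlled
  shape average 50000
!
interface FastEthernet0/0
 service-policy input CBWFQ
 service-policy output CBWFQ-SHAPE
!
! Check that the class is matching and see conform/exceed counters with:
! show policy-map interface FastEthernet0/0
```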

paaljakobsen Mon, 08/11/2008 - 05:14

hi,


And if you want everyone on the LAN, say 172.16.1.0/24, to have 50kbps each, is it just a matter of modifying the access list to "permit ip 172.16.1.0 0.0.0.255 any"?

tonyspcrepairs Mon, 08/11/2008 - 14:56

thanks for this but my purpose is to isolate a particular PC on the lan to be throttled and leave the rest at full speed.
