2600 policy-map

Unanswered Question
Nov 5th, 2008

We are a school district with limited bandwidth. For now, each school has a T1 at 99% utilization. I'm trying to implement a service policy to give priority to email, file shares, Active Directory, testing sites, etc. I planned on giving it 50% of the bandwidth.

Here's what I've come up with so far:

access-list 198 permit ip any
access-list 198 permit ip any
access-list 198 permit ip any

class-map match-any Priority_Traffic
 match access-group 198

policy-map Priority_Traffic
 class Priority_Traffic
  bandwidth percent 50

int serial 0/0.1
 service-policy input Priority_Traffic

I figured I'm missing something because the serial will not show the policy when I do a show run. Also, am I correct to put this on the serial as input since most of the traffic is downloaded? For the ACL, I'm trying to say anything from these outside IPs has 50% reserved for clients inside the LAN.

By the way, this is a 2621XM with 12.23.

Let me know if I'm unclear or if you need more info. Thanks in advance.

tcordier Wed, 11/05/2008 - 07:09

To verify the policy-map is applied and working, use

show policy-map interface xxx

Are your schools connected to Internet and using a VPN to communicate with each other, or do you have a private (MPLS) network from a provider?

In general, limiting traffic inbound on your serial will not decrease line utilization because the traffic has already passed the line. You should apply the policy outbound in order to reserve the bandwidth for the specific applications. This will of course not limit download volumes unless the downloads come from other schools (hence my question above). You can only limit the amount of bandwidth allocated to download requests, and try to limit the download volume in this way. Finally, I suggest you create class-maps with the specific applications (not IP addresses), as this will give you better control of what exactly you are prioritizing. You could add an entry in your ACL:

access-list 198 permit tcp x.x.x.x x.x.x.x any eq smtp (or pop3)

Alternatively you can use NBAR (Protocol Discovery). An example:

class-map SMTP
 match protocol smtp

This requires the use of NBAR which is enabled on your input (LAN) interface where the traffic is coming from with:

ip nbar protocol-discovery

HTH, Thomas

rhopkins_rcps Wed, 11/05/2008 - 09:58

Thanks Thomas. When I do the sh policy... nothing regarding the policy is listed under the sub int. The schools are connected by Frame Relay, no VPN. Nice suggestion on NBAR.

If you can, educate me here. I've noticed there's more downstream utilization, i.e. from youtube.com to internal clients. But you're saying instead of applying the policy to serial input I should apply it to fasteth output? If I do this I need to rearrange my ACLs, i.e. permit ip any pop3? I guess I was thinking wrong; I thought I had to police return traffic on the serial input.

Thanks again.

lffrwatson Wed, 11/05/2008 - 10:17

You can also use NBAR and filter on a URL such as youtube.com. So if your match condition is true you can police this down to whatever bandwidth you want. Give them 10kbps hehe and see what they say. I think in your case I would do more policing than using the bandwidth command. By using the bandwidth command you are restricting them to a certain percentage of BW, but if nothing else is on the line you can allow it to burst. Policing allows you to mark traffic as discard eligible or you can drop the traffic if you want to.

Also, I have dealt with school boards many times and I know budget for IT gear is always tight, but have they ever considered WAN optimization products? If they are hitting lots of testing sites and school-related sites you can get WAN opt products and greatly reduce your BW utilization.

rhopkins_rcps Wed, 11/05/2008 - 10:10

Thomas, should I apply this policy on the local school router or the central office router that connects this school? If so, I see what you mean by applying to the outbound int. Thanks.

lffrwatson Wed, 11/05/2008 - 07:10

If each site has 99% utilization I seriously doubt traffic shaping will help you any. I believe Cisco recommends that above 60-65% utilization, additional bandwidth needs to be purchased.

rhopkins_rcps Wed, 11/05/2008 - 10:00

We are actually in the process of upgrading our bandwidth, but I was hoping this would hold us over till it happens. Which, as it looks, is a year or 2.

tcordier Thu, 11/06/2008 - 00:27

Roger, I'm still trying to understand why the show command does not show the applied policy map as it should ... did you enable "ip cef" on the router? As to the other question, I meant to apply the policy outbound on the serial interface. Since you cannot limit return traffic, as you do not control the last hop before your router, you need to limit outbound requests (such as download requests, to the extent that this is possible), or prioritize critical applications on your outbound link. I would have two additional questions: is your Frame network a hub-and-spoke topology, and where is the Internet breakout? At each location, or only your main location?

- Thomas

rhopkins_rcps Thu, 11/06/2008 - 05:29

Yes, it is a hub and spoke; the Internet is at our central office where all the schools connect into. I also tried applying the policy on our Frame Relay switch here at the CO, a c3845 with 12.4 advipserv, and the command would not take. It mentioned CBWFQ not supported on sub int. Also I did a sh ip cef and it seems enabled. Thanks for the help.

Joseph W. Doherty Wed, 11/05/2008 - 10:12

Generally, trying to manage congestion inbound is ineffective. What you want to do is manage the congestion outbound, on the device sending to you.

I believe the policy-map you defined isn't legal for an inbound policy. I recall some of the older IOSs only logged errors to the console and/or syslog for some policy configuration errors. If you're using Telnet, this might explain why it appears to accept the command but doesn't complain.

If you do control the far side, first ensure both sides are using fair-queue. If this is true, and you're still unhappy with performance, I would next suggest identification of bandwidth hogs with determination whether they can be deprioritized. If they can, then an outbound policy as follows might help.

e.g. (NB: syntax may be incorrect, especially for older IOSs)

(assume FTP is bandwidth hog)

class-map match-any BandwidthHog
 match protocol ftp

policy-map YourPolicy
 class BandwidthHog
  bandwidth remaining percent 1
 class class-default

interface serial #
 service-policy output YourPolicy
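As an added worked example (not configuration posted by anyone in this thread), here is one way to put the suggestions above together on the hub router: an outbound policy on the serial toward a school, a priority class built from an ACL plus NBAR application matches, a policed class for the bandwidth hogs, and the nesting that gets a CBWFQ policy accepted on a Frame Relay subinterface (a flat CBWFQ policy there is rejected; it has to sit under a shaping parent, or be attached through frame-relay traffic-shaping and a map-class). Every address, interface number, server role, the YouTube host pattern and the 1536 kbps CIR are assumptions for illustration and should be replaced with your own values.

```cisco
! Added example, not configuration from anyone in this thread. Assumed values:
!   - this is the hub (central office) router, where the Internet breakout is
!   - Serial0/0.1 is the Frame Relay point-to-point subinterface toward one school
!   - school LAN 10.1.1.0/24; mail server 10.0.0.10; AD/file server 10.0.0.11
!   - testing sites live in 203.0.113.0/24; the PVC CIR is 1536 kbps
! Replace every one of those with your own values.
!
! NBAR classification requires CEF.
ip cef
!
! Source/destination pairs that deserve the reserved share. Outbound on the
! hub's serial means "from the servers / Internet toward the school LAN".
ip access-list extended PRIORITY_SRC
 permit ip host 10.0.0.10 10.1.1.0 0.0.0.255
 permit ip host 10.0.0.11 10.1.1.0 0.0.0.255
 permit ip 203.0.113.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Priority class: the ACL plus NBAR application matches (match-any = OR).
class-map match-any PRIORITY_TRAFFIC
 match access-group name PRIORITY_SRC
 match protocol smtp
 match protocol pop3
!
! Bandwidth hogs identified by NBAR, grouped so one policer covers them all.
! The HTTP host pattern is an assumption; adjust it to what you actually see.
class-map match-any BANDWIDTH_HOG
 match protocol http host "*youtube.com*"
 match protocol ftp
!
! Child policy (CBWFQ): 50% reserved for the priority class, hogs policed to
! 64 kbps with drop on exceed, everything else gets flow-based fair queueing.
policy-map SCHOOL_CBWFQ
 class PRIORITY_TRAFFIC
  bandwidth percent 50
 class BANDWIDTH_HOG
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
! Parent policy: shape to the PVC CIR so this router, not the provider's
! switch, is the congestion point; the CBWFQ child queues into the shaper.
! This parent/child nesting is what makes the policy legal on the subinterface.
policy-map SCHOOL_SHAPE
 class class-default
  shape average 1536000
  service-policy SCHOOL_CBWFQ
!
interface Serial0/0.1 point-to-point
 description Frame Relay PVC to school
 service-policy output SCHOOL_SHAPE
!
! Verify: per-class packet and drop counters should increment as traffic flows.
! show policy-map interface Serial0/0.1
```

The same child policy can be applied outbound on each school router's own serial (the upload direction toward the hub), but the download side has to be handled here at the hub, because that is the last queue the traffic passes before it enters the Frame Relay cloud. Keep the sum of bandwidth percent values within the interface's reservable share (75% by default unless max-reserved-bandwidth is raised).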

