IOS 2801 QoS and VPN

Nov 19th, 2008

Hey there,

Sorry. I've been reading and reading but I guess I'm doing an uncommon scenario.

I have a slow (256k) wan link. I need to push all WAN users aside when I dial in with my VPN client to do maint.

Can anyone give me some QoS options?

The other QoS needs I have are that I have a few vLAN's but I need to give one vlan all/most of the WAN bandwidth and push aside the other vlan traffic.

Have any tricks up your sleeve?

Joseph W. Doherty Wed, 11/19/2008 - 10:12

CBWFQ would likely support your needs, outbound. Inbound is a problem unless you also control the other side of the link's outbound.

Although CBWFQ would support some flows to push aside others (again outbound), if you're using FIFO now, you might try WFQ first. If default WFQ doesn't perform as you require, you might try increasing the IP Precedence of the more important traffic (which will bias per flow bandwidth allocation).

The reason I even suggest WFQ, CBWFQ is very powerful, so much so, it's easy to obtain "unintended results".

kelleydeon Wed, 11/19/2008 - 10:53

OK. I'm going on a CBWFQ reading mission.

So I can use CBWFQ to take bandwidth from a range of IPs when another range of IPs needs it?

Thanks for the quick reply BTW!

Joseph W. Doherty Wed, 11/19/2008 - 12:59

Yes.

e.g.

ip access-list extended importantIPaddrs
 permit ip ...
 .
 .
ip access-list extended notimportantIPaddrs
 permit ip ...
 .
 .
class-map match-axx importantIPaddrs
 match access-group name importantIPaddrs
class-map match-axx notimportantIPaddrs
 match access-group name notimportantIPaddrs
policy-map cbwfq
 class importantIPaddrs
  bandwidth remaining percent 99
 class notimportantIPaddrs
  bandwidth remaining percent 1
interface . . .
 service-policy output cbwfq

kelleydeon Thu, 11/20/2008 - 01:33

Whoa! That's some good stuff, Joseph. I better ask some questions before I plop that into my config. Lets say the important range is 192.168.51.0 and all the rest aren't.

Please pardon my syntax

Can I enter:

ip access-list extended importantVLAN
 permit ip 192.168.51.0 0.0.0.255 any
ip access-list extended notimportantVLAN
 permit ip 192.168.0.0 0.0.255.255 any
class-map match-access-list importantVLAN
 match access-group name importantVLAN
class-map match-access-list notimportantVLAN
 match access-group name notimportantVLAN
policy-map cbwfq
 class importantVLAN
  bandwidth remaining percent 99
 class notimportantVLAN
  bandwidth remaining percent 1
interface Fa0/1   ! my WAN interface
 service-policy output cbwfq

When the important people aren't using the link will the notsoimportantVLAN get 100?

Once I turn this on, will it affect my voice traffic coming from my FXS ports to my Fa0/1?

Thanks, Joe!

Joseph W. Doherty Thu, 11/20/2008 - 04:15

"When the important people aren't using the link will the notsoimportantVLAN get 100?"

Yes. When both VLANs compete for bandwidth, they will get it in the ratio of 99:1. However, any bandwidth not needed by one is available to the other.

"Once I turn this on, will it affect my voice traffic coming from my FXS ports to my Fa0/1?"

Never worked with an FXS, so don't know without some research. If its traffic will transit your WAN link as VoIP, then we would likely want to define a LLQ (priority) class for it as part of the policy. If the traffic transits your WAN link as analog voice, channel separation should protect it.

kelleydeon Thu, 11/20/2008 - 04:29

I think I better post my config because I didn't configure the voice. I want to make sure that 99% doesn't steal voice's bandwidth needs.

interface Loopback0
 ip address
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Starboard VSAT $FW_OUTSIDE$
 ip address 10.20.46.20 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 speed 100
 full-duplex
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.49.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router eigrp 1
 network 192.168.0.0
 network 192.168.49.0
 auto-summary
!
ip local pool SDM_POOL_1 192.168.254.160 192.168.254.170
ip default-gateway 10.20.46.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.20.46.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
control-plane
!
!
voice-port 0/2/0
 echo-cancel coverage 32
 no comfort-noise
 cptone GB
 timeouts interdigit 3
 music-threshold -70
!
voice-port 0/2/1
 echo-cancel coverage 32
 no comfort-noise
 cptone GB
 timeouts interdigit 3
 music-threshold -70
!
ccm-manager mgcp
!
mgcp
mgcp call-agent 10.129.48.11 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode nse
mgcp codec g729r8 packetization-period 60
mgcp playout adaptive 100 50 200
mgcp playout fax 500
no mgcp timer receive-rtcp
mgcp timer net-cont-test 1000
mgcp timer nse-response t38 1000
mgcp sdp simple
no mgcp fax t38 ecm
mgcp fax t38 nsf 000000
!
mgcp profile default
!
!
dial-peer cor custom
!
!
dial-peer voice 1 pots
 service mgcpapp
 port 0/2/0
!
dial-peer voice 2 pots
 service mgcpapp
 port 0/2/1
!
gateway
 timer receive-rtp 1200
!
call-manager-fallback
 max-conferences 4 gain -6
 ip source-address 10.20.46.20 port 2000
 max-ephones 24
 max-dn 24

kelleydeon Thu, 11/20/2008 - 04:33

One more thing.

If there was some other QoS stuff in place, is it possible that it could take the overall bandwidth or just the remaining bandwidth that the voice entries might have set aside for themselves?

Back to the books.... thanks for hanging in there with me, Joseph.

Joseph W. Doherty Thu, 11/20/2008 - 05:05

If voice is placed into a LLQ (priority) class, it can get its defined bandwidth regardless of other traffic. It also goes first. It, however, will be limited to just its defined amount of bandwidth if there's congestion. This differs from other classes that can obtain more bandwidth than they are defined for, assuming other classes are not using their allocations.

For other traffic, you need to juggle how you allocate bandwidth. I haven't mentioned it, but there's a default-class for traffic you haven't matched. Also, CBWFQ, by default, reserves 25% for other undefined traffic including an implicit default-class (class can also be defined explicitly). The default-class and default other bandwidth reservation are related but not the same. Also, like other classes, bandwidth not being used is available to other traffic.

For an example of how this all interplays, your importantVLAN or nonimportantVLAN traffic can use 100% of the link if there's no other traffic, but if the router needed to send a routing packet (e.g. OSPF LSA) or you needed to telnet to the router, assuming neither matches an explicit class, both could, by default, in combination use up to 25% of your link's bandwidth assuming your defined classes' traffic wants 100%. (Actually, what bandwidth the implicit class-default could obtain is likely more than 25% unless all the other 75% was being used by LLQ classes.)

PS:

As you're perhaps starting to realize, this can be very powerful stuff, but like fire, you can easily burn yourself. I often suggest starting with fair-queue. If some traffic needs just a little more priority than other traffic, then set IP Precedence values since fair-queue on Cisco is often weighted fair-queue. If there's real-time traffic, add a LLQ class for it. Beyond this, you should really understand what you want to accomplish and what may happen.

e.g. CBWFQ simple policy

class-map match-axx realtime
 .
 .
policy-map generalCBWFQ
 class realtime
  priority percent 33

The above has an implicit class-default, but if you want to explicitly define it, add:

 class class-default
  fair-queue

[edit]

PPS:

Just realized, you're using Ethernet but have 256 K downstream. You'll likely need to shape.

e.g.

policy-map shape256K
 class class-default
  ! less about 10% to account for Ethernet L2 overhead
  shape average 225000
  service-policy generalCBWFQ
interface FastEthernet0/1
 service-policy output shape256K
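Joseph's description above of how an LLQ class, the "bandwidth remaining" ratios, the default 25% reserve and unused bandwidth interact, as an added Python model (not Cisco code and not from this thread). The class names, link rates and offered loads are constructed; the 25% reserve is modelled simply as class-default's own weighted share, and the split between classes is a weighted max-min fair share.

```python
"""Model of how a CBWFQ policy shares a congested link (added example).

Models the behaviour described in the thread: an LLQ (priority) class is
served first but capped at its defined bandwidth when there is congestion;
"bandwidth remaining percent" classes split the rest in their configured
ratio; class-default keeps the default 25% reserve; and whatever a class
does not use is re-shared among the classes that still want more. This is
a simplified model for reasoning about a policy, not IOS scheduler code.
All class names, rates and demands are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    priority_pct: dict = field(default_factory=dict)   # LLQ: class -> % of link
    remaining_pct: dict = field(default_factory=dict)  # class -> % of remaining
    reserve_pct: float = 25.0                          # left for class-default


def weighted_max_min(capacity, demand, weights):
    """Weighted max-min fair share: each active class gets capacity in
    proportion to its weight until it is satisfied; slack is re-shared."""
    alloc = {k: 0.0 for k in weights}
    active = {k for k in weights if weights[k] > 0 and demand.get(k, 0) > 0}
    left = capacity
    while active and left > 1e-9:
        total_w = sum(weights[k] for k in active)
        # the class that saturates first fixes the next fill level
        first = min(active, key=lambda k: (demand[k] - alloc[k]) / weights[k])
        level = min(left / total_w, (demand[first] - alloc[first]) / weights[first])
        for k in list(active):
            give = level * weights[k]
            alloc[k] += give
            left -= give
            if alloc[k] >= demand[k] - 1e-9:
                active.remove(k)
    return alloc


def allocate(link_kbps, demand_kbps, policy):
    """Return kbps granted per class for the offered load in demand_kbps
    (traffic matching no class is reported under 'class-default')."""
    demand = {"class-default": 0.0}
    for name in list(policy.priority_pct) + list(policy.remaining_pct):
        demand[name] = 0.0
    demand.update(demand_kbps)
    if sum(demand.values()) <= link_kbps:
        return demand  # no congestion: the policy never kicks in
    alloc = {}
    for name, pct in policy.priority_pct.items():  # LLQ: first, but policed
        alloc[name] = min(demand[name], link_kbps * pct / 100.0)
    pool = link_kbps - sum(alloc.values())
    reserve = link_kbps * policy.reserve_pct / 100.0
    shareable = max(pool - reserve, 0.0)
    weights = {n: shareable * pct / 100.0 for n, pct in policy.remaining_pct.items()}
    weights["class-default"] = reserve
    alloc.update(weighted_max_min(pool, demand, weights))
    return alloc


# Constructed policy in the shape discussed in the thread
YACHT = Policy(priority_pct={"voice": 33},
               remaining_pct={"ownerdata": 99, "crewdata": 1})

if __name__ == "__main__":
    shaped_link = 225  # kbps, the shaper rate suggested above for a 256 K link
    cases = [("both VLANs saturate", {"ownerdata": 500, "crewdata": 500}),
             ("owners idle", {"crewdata": 500}),
             ("voice + both", {"voice": 60, "ownerdata": 500, "crewdata": 500})]
    for label, load in cases:
        got = allocate(shaped_link, load, YACHT)
        print(label, {k: round(v, 1) for k, v in got.items()})
```

Run it to see the 99:1 split appear only when both VLANs compete, crewdata take the whole shaped link when owners are idle, and voice keep its share ahead of both.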

kelleydeon Sat, 11/22/2008 - 03:12

Joseph, you really are good.

The more I read about CBWFQ the more I see your name pop up. Thanks for helping all of us.

It's starting to look like QoS inbound is a tough task. I guess it would be hard to police inbound traffic by vlan or ip range because incoming traffic changes ip address depending on where you're downloading from.. eh?

Hmmm.... It seems pretty common to do QoS by what "type" of traffic, but giving inbound bandwidth on my outside WAN interface looks like it's not going to happen.

It sounds like I can do inbound stuff on my L3 3560 switch but it seems like it will be too late because my router's WAN int will be choking on the internet inbound traffic and slowing everyone down anyway.

Before I pull the plug on this plan. Is there any hope?

Joseph W. Doherty Sat, 11/22/2008 - 04:32

For inbound, although there are many Internet addresses, you can still identify the VLANs by internal source addresses. In other words, for outbound you match to source address, for inbound you match to destination addresses.

Yes, you've got it. When you try to manage traffic downstream of the bottleneck with a policer, the bottleneck can still be congested with traffic. If the inbound traffic is TCP, it should slow if it sees drops caused by the policer, so a downstream policer can have some impact regulating inbound upstream traffic. Problem is, TCP bursts first, sees the drops, then slows. In my experience, you need to police much slower than you really want to keep the bursts from choking the link, which tends to drop the average inbound rate of that traffic. (It can be a useful technique, though, to target bulk background data transfers.) Some traffic, like UDP applications, may not slow their rate at all when they see policer drops, but those drops will often adversely impact the application.

You're also correct, 3560 can do inbound stuff, but it can do some port based outbound stuff too, including, I believe, bandwidth idling of a port. For the inbound stuff, you often can control both directions by doing inbound (or outbound) on both "sides" of the switch, i.e. inbound on both LAN facing and WAN facing ports.

Your best hope on something like a 3560 would be to configure the output port bandwidth usage to match the upstream available bandwidth and then separate traffic into one of the four queues. You would determine the bandwidth allowance for each of the four queues. (No fancy CBWFQ for output supported on that platform.)

For inbound, if you find there's one type of TCP traffic that tends to use most of the bandwidth of the inbound link, you can police that down to a low value of the link's bandwidth, perhaps under 10% or more. (TCP should still manage to forward the traffic.)

Beyond that, you could obtain a small WAN router for between the 3560 and the WAN. This would allow you to implement better QoS outbound, but it wouldn't really help much with inbound, although another technique is to shape outbound TCP ACKs, but that's very tricky to get to work well too.

Lastly, there are 3rd party traffic appliances (e.g. Packeteer) that can really help in this situation since they often muck around with not only per flow shaping but can sometimes adjust certain TCP packet fields like what a receiving TCP host's receive window size is.

PS:

Yes, guess I do pop up a lot on CBWFQ (or QoS in general). Perhaps a subspecialty of mine is obtaining optimal performance with computer systems or the most "bang for the buck". Cisco's QoS features, such as CBWFQ, are often very useful, or even critical, in getting the best performance and/or to accomplish your business performance goals at minimal cost.

kelleydeon Sat, 11/22/2008 - 05:12

I'm learning. You're making it pretty easy to understand. The Cisco Docs leave me more confused every time I go back and look at them.

You said:

For inbound, although there are many Internet addresses, you can still identify the VLANs by internal source addresses. In other words, for outbound you match to source address, for inbound you match to destination addresses.

Can you please let me know what this would look like in a config?

So let me get this straight - I CAN control bandwidth from the internet by using the source IP of my user's pc? Can I make it so the source is a range of IP's?

You're giving me hope again, Joe.

Joseph W. Doherty Sat, 11/22/2008 - 05:43

"So let me get this straight - I CAN control bandwidth from the internet by using the source IP of my user's pc? Can I make it so the source is a range of IP's? "

Yes, yes; but it's not very precise and often only effective with TCP.

"Can you please let me know what this would look like in a config? "

Assuming vlan1 critical was 192.168.1.0/24, you might configure ACL like this: (assuming my syntax is correct)

ip access-list extended criticalVLANs
 remark match VLANs source subnet addresses
 permit ip 192.168.1.0 0.0.0.255 any
 remark match VLANs destination subnet addresses
 permit ip any 192.168.1.0 0.0.0.255

The above ACL should match traffic to/from the VLAN(s) of interest. Since it matches traffic to/from, it could be used for either inbound or outbound purposes.

kelleydeon Sat, 11/22/2008 - 06:11

Ok I'll try to attach it to my router's WAN int Fa0/1

My vlan that is most important is 192.168.51.0

My vlan that I want to push aside is 192.168.54.0

Quick question - I actually have a 192.168.53.0 vlan that is semi-important... I want to be able to push them if 192.168.51.0 wants internet. But I want to have either of those two vlans to be able to push 192.168.54.0... whew!

That said - Here's what I'm going to plug into my router config.

ip access-list extended ownerdata
 remark match ownerdata source subnet addresses
 permit ip 192.168.51.0 0.0.0.255 any
 remark match ownerdata destination subnet addresses
 permit ip any 192.168.51.0 0.0.0.255
ip access-list extended crewdata
 remark match crewdata source subnet addresses
 permit ip 192.168.54.0 0.0.0.255 any
 remark match crewdata destination subnet addresses
 permit ip any 192.168.54.0 0.0.0.255
class-map match-access-list ownerdata
 match access-group name ownerdata
class-map match-access-list crewdata
 match access-group name crewdata
policy-map cbwfq
 class ownerdata
  bandwidth remaining percent 99
 class crewdata
  bandwidth remaining percent 1
interface fa0/1
 service-policy input cbwfq

Did I forget anything? :)

If that's correct. Can you help me slap that third vlan "officerdata" into this? They are more important than crew but less important than owners of the yacht.

Can't wait to hear what you have to say!

kelleydeon Sat, 11/22/2008 - 06:17

Crap!

Here's a rookie question.

If I don't include all my other vlans in this stuff... they're not going to be denied/filtered from getting on the internet are they? I just remember reading that there's an implicit deny any at the end of ACL's

kelleydeon Sat, 11/22/2008 - 06:50

Hi Joe,

I started plugging it into my router.

I think I'm a little confused with the syntax for:

class-map match-access-list ownerdata
 match access-group name ownerdata

That router didn't like that.

It ended up looking like:

class-map match-all match-ownderdata

When it says match ownerdata, is it mapped to my ownerdata ACL properly?

Joseph W. Doherty Sat, 11/22/2008 - 09:59

class-map syntax is:

class-map (match-all or match-any) classname

Match-all requires all match statements within the class to be true (an "and" condition), match-any is true if any match statement is true (an "or" condition) within the class match statements.

Classname, the last parameter, is the name of the class, it's used within the policy.

What might be confusing is you can use the same name for different objects, but the example that follows might be clearer.

ip access-list extended anACLname
 permit . . .
 .
 .
class-map match-axx aClassname
 match access-group name anACLname
policy-map aPolicyname
 class aClassname
  bandwidth . . .

Joseph W. Doherty Sat, 11/22/2008 - 09:53

Yes, there's an implicit deny all at the end of ACLs, but we're using an ACL to match interesting traffic for our QoS policy, not as a security ACL on the interface itself.

I.e., other VLANs will just not get special QoS treatment.
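The class-map syntax explained above and the point that the ACL's implicit deny only means "not interesting" for the policy, as an added Python model (not IOS code and not from this thread). The ownerdata and crewdata ACLs are the ones posted earlier; the officerdata ACL, the match-any "vip" class-map and the 198.51.100.7 Internet address are constructed for illustration.

```python
"""Classifier model for the thread's ACL -> class-map -> policy-map chain
(added example, not IOS code). Shows IOS wildcard-mask matching, the
ordered permit/deny walk of a named extended ACL with its implicit deny,
match-all versus match-any class-maps, and that a packet no class-map
matches lands in class-default rather than being dropped.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword "any"


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' (inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)


def acl_permits(entries, src, dst):
    """Walk the ACL in order; the first matching entry decides."""
    for action, (sbase, swc), (dbase, dwc) in entries:
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action == "permit"
    return False  # implicit deny: 'not interesting to this class', not 'dropped'


# The ACLs from the thread, as (action, source, destination) tuples
ACLS = {
    "ownerdata": [("permit", ("192.168.51.0", "0.0.0.255"), ANY),
                  ("permit", ANY, ("192.168.51.0", "0.0.0.255"))],
    "crewdata": [("permit", ("192.168.54.0", "0.0.0.255"), ANY),
                 ("permit", ANY, ("192.168.54.0", "0.0.0.255"))],
    # constructed for the semi-important VLAN mentioned in the thread
    "officerdata": [("permit", ("192.168.53.0", "0.0.0.255"), ANY),
                    ("permit", ANY, ("192.168.53.0", "0.0.0.255"))],
}

# class-map <match-all|match-any> <name>, with its "match access-group name" lines
CLASS_MAPS = {
    "ownerdata": ("match-all", ["ownerdata"]),
    "officerdata": ("match-all", ["officerdata"]),
    "crewdata": ("match-all", ["crewdata"]),
    "vip": ("match-any", ["ownerdata", "officerdata"]),  # constructed: owner OR officer
}


def class_hits(class_name, src, dst, acls=ACLS, class_maps=CLASS_MAPS):
    """match-all is an AND over the match statements, match-any an OR."""
    mode, groups = class_maps[class_name]
    results = [acl_permits(acls[g], src, dst) for g in groups]
    return all(results) if mode == "match-all" else any(results)


def classify(src, dst, policy_classes, acls=ACLS, class_maps=CLASS_MAPS):
    """policy_classes lists the 'class' statements in policy-map order;
    the first class whose class-map matches wins, otherwise class-default."""
    for name in policy_classes:
        if class_hits(name, src, dst, acls, class_maps):
            return name
    return "class-default"


POLICY_QOS = ["ownerdata", "crewdata"]  # the thread's policy-map QoS

if __name__ == "__main__":
    for src, dst in [("192.168.51.10", "198.51.100.7"),   # owner outbound
                     ("198.51.100.7", "192.168.51.10"),   # owner inbound
                     ("192.168.54.3", "198.51.100.7"),    # crew
                     ("192.168.49.20", "198.51.100.7")]:  # Vlan1: no class, still forwarded
        print(src, "->", dst, "=>", classify(src, dst, POLICY_QOS))
```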

Joseph W. Doherty Sat, 11/22/2008 - 10:09

CBWFQ policies can be used for both in and out, at least on routers, but not all features are allowed based on usage. Since we're using "bandwidth" statements, we're restricted to outbound policies (and if you're working with a 3560/3750 you can't use an outbound CBWFQ policy at all, I believe).

We can do something similar, at least with up to 4 queues on a 3650, but the syntax is a lot different and I don't do QoS on those type of L3 switches very often. You might want to start a new post for help on how to do something similar on a L3 switch.

If we're using a device that allows the full CBWFQ policy, you can define another class. We can't do exactly what you desire where A pushes B pushes C aside, although we can set ratios such that A can obtain more bandwidth than B which can obtain more bandwidth than C.

Something like:

policy-map x
 class A
  bandwidth remaining percent 25
 class B
  bandwidth remaining percent 5
 class C
  bandwidth remaining percent 1

(Actually there's another queuing method supported on Cisco routers called priority queuing, which would allow up to 4 classes, each with total priority over lower classes, but very easy to starve lower classes of all bandwidth.)

[edit]

It's important whether you're going to use a 3560 or 28xx.

kelleydeon Sat, 11/22/2008 - 10:48

Thanks for coming back, Joe!

I got it into the router. Here's what it looks like.

ip access-list extended ownerdata
 remark match ownerdata source subnet addresses
 permit ip 192.168.51.0 0.0.0.255 any
 remark match ownerdata destination subnet addresses
 permit ip any 192.168.51.0 0.0.0.255
ip access-list extended crewdata
 remark match crewdata source subnet addresses
 permit ip 192.168.54.0 0.0.0.255 any
 remark match crewdata destination subnet addresses
 permit ip any 192.168.54.0 0.0.0.255
class-map match-all crewdata
 match access-group name crewdata
class-map match-all crewdata
 match access-group name ownerdata
!
!
policy-map QoS
 class ownerdata
  bandwidth remaining percent 99
 class crewdata
  bandwidth remaining percent 1
interface Fa0/1
 service-policy output QoS

I don't know how to test.. So I put a PC on each vlan and started doing download races. I didn't see the diff between the two. 99 vs. 1 percent should be pretty obvious I bet.

Do you know a standard test and a few handy IOS commands to verify it's all working?

Joseph W. Doherty Sat, 11/22/2008 - 11:01

Policy will only be active if there's congestion. One issue, don't recall if I touched upon it, your policy is on an Ethernet interface, but you note a WAN interface of 256 Kbps. (Ethernet connection to something like cable or DSL?) So, you'll also need to "shape" your outbound rate to match your WAN bandwidth (i.e. slow down the Ethernet interface).

Add/modify:

policy-map QoS_shape
 class class-default
  ! might need to shape a bit slower to account for L2 overhead
  ! I forget whether shaper uses bps or Kbps, example assumes bps
  shape average 200000
  service-policy QoS
interface FastEthernet0/1
 service-policy output QoS_shape

To see the difference, you would need to load the QoS policy; could be done with a traffic generator. If the interface is loaded with "crewdata", its pings should slow but "ownerdata" pings should not. (BTW: your one class-map needs to be renamed to "ownerdata".)

"show policy-map interface out" will show what the policy "sees". Change interface's load-interval to 30 to get stats closer to real-time.

kelleydeon Sat, 11/22/2008 - 11:42

Hi Joe,

I somehow slipped another post in before your last reply.

I'd rather use the 2801 to attack the problem at the internet facing interface.

You mentioned that I could use another style of QoS that would starve the "class C". That's ok if they starve because class A wouldn't be onboard and using the net very often.

Do you have any clever commands or testing methods I could use to verify that I've set it up and things are active?

Joseph W. Doherty Sat, 11/22/2008 - 12:00

The other method wouldn't have class A just starve class C, it would also starve class B. Also, class B would also starve class C.

Quick way to test is with a traffic generator. I often use a little freebie, pcattcp, and tell it to generate UDP packets at a certain rate. If you ran it from your class C VLAN, and targeted anything outside on the WAN, it would easily fill the link with class C traffic.

kelleydeon Sat, 11/22/2008 - 13:19

I'm interested in the other style of QoS, too.

This one doesn't seem to be working at all. I wouldn't be surprised if I haven't completely turned it on.

I made an ACL called ownerdata

then a class-map pointed at the ACL

then I made the service-policies

put in outbound on my WAN int.

Is it possible that nothing is happening because it's set to "output?" or do you think it's possible that the three processes just aren't seeing each other because I've named things wrong?

I think I did a

Show service-policy QoS

It showed me the 2 policies with the percent and some stats but it was all zeros. It didn't look like QoS had ever sprung to action.

service-policy

kelleydeon Sun, 11/23/2008 - 00:07

Cool!

I did that command and I see my policy listed under Fa0/1!

It shows my two bandwidth remaining groups, one at 99 and one at 1. But they are both all zeros.

That traffic generator is cool but I don't think I have time to learn how to use it...

This is my last day to get things working.

I wonder if I moved this policy-map to my router's internal interface and set the policy to input... Maybe if I put ownerdata at 100% and crewdata at 0 it would push it aside?

I know I'm attacking it at the wrong place but I'm ready to try anything.

I

kelleydeon Sun, 11/23/2008 - 02:00

I have now moved it to the inside int of my 2801 router but it didn't change anything.

I also thought I would try to change it to an input policy but it won't even let me do that.

It gives me the "CBWFQ is only allowed outbound" error.

Joseph W. Doherty Sun, 11/23/2008 - 03:27

It might help if you post what you're seeing from the show policy command.

Outbound on the WAN facing interface is where you want the policy.

If you also do a show access-list, we confirm the ACLs are matching traffic.

kelleydeon Sun, 11/23/2008 - 04:47

Here's what my sh access-list comes up with

Standard IP access list 1
    10 permit 192.168.0.0, wildcard bits 0.0.255.255 (13449 matches)
Extended IP access list crewdata
    10 permit ip 192.168.54.0 0.0.0.255 any
    20 permit ip any 192.168.54.0 0.0.0.255 (217995 matches)
Extended IP access list crewdata
    10 permit ip 192.168.54.0 0.0.0.255 any
    20 permit ip any 192.168.54.0 0.0.0.255

I worry that my first ACL is letting everything past.

Is there supposed to be matches on both ACL's?

Joseph W. Doherty Sun, 11/23/2008 - 05:26

There should be matches on both ACLs if there's traffic from both subnets. However, you have "crewdata" listed twice, one showing matches and the other doesn't? Also, the matches that do show appear to be inbound?

Please post your whole config.

kelleydeon Sun, 11/23/2008 - 05:41

class-map match-all crewdata
 match access-group name crewdata
class-map match-all ownerdata
 match access-group name ownerdata
!
!
policy-map QoS
 class ownerdata
  bandwidth remaining percent 99
 class crewdata
  bandwidth remaining percent 1
!
!
!
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile madsummer_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile madsummer-ike-profile-1
!
!
!
!
!
interface Loopback0
 ip address 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Starboard Stratos VSAT$FW_OUTSIDE$
 ip address 10.20.46.20 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 speed 100
 full-duplex
 service-policy output QoS
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile madsummer_Profile1
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.49.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool madsummer_INTERNET 10.20.46.20 10.20.46.20 netmask 255.255.255.0
ip nat inside source list 1 pool madsummer_INTERNET overload
!
ip access-list extended crewdata
 remark match crewdata source subnet address
 permit ip 192.168.54.0 0.0.0.255 any
 remark match crewdata destination subnet address
 permit ip any 192.168.54.0 0.0.0.255
ip access-list extended ownerdata
 permit ip 192.168.51.0 0.0.0.255 any
 remark match ownerdata source subnet address
 remark match ownerdata destination subnet address
 permit ip any 192.168.51.0 0.0.0.255
!
access-list 1 permit 192.168.0.0 0.0.255.255

The LAN's that are heading for the internet are:

192.168.54.0 (crewdata)

192.168.51.0 (ownerdata)

Joseph W. Doherty Sun, 11/23/2008 - 06:07

You didn't apply the nested policy which includes the shaper. Without it, policy will only be effective when the Ethernet interface is congested (at either 10 or 100 Mbps) when we want it to manage 256 Kbps. See my prior post on what to do.

Second, didn't realise NAT was involved. This might impact policy, I don't recall order of operations. ACLs might not be seeing internal addresses, but instead see NAT addresses. This might account for lack of matches on outbound interface.

Not 100% sure what you do when NAT is active. I'm pretty sure we can mark outbound packets before they're NAT'ed, and then treat traffic on markings, but there might be a better method.

I'm pressed for time at the moment, won't be able to look again at this until tonight.

In the mean time, you might try just:

policy-map tmp
 class class-default
  shape average 225000
interface FastEthernet0/1
 service-policy output tmp

kelleydeon Sun, 11/23/2008 - 06:14

Hey! Thanks for looking on a Sunday.

I'll give it a try and let you know what happens.

Have a nice day, Joe.
