class-map match-all voix

match protocol h323

class-map match-all http

match access-group 102

!

policy-map priority

class http

police 512000 conform-action transmit exceed-action drop

class voix

priority 256

class class-default

fair-queue

!

int f0

ip add (the wan ip)

ip nbar protocol-discovery

service-policy output priority

!

access-list 102 permit tcp any any eq www

access-list 102 permit tcp any any eq 443

!

it's working on the upload but the download is taking all my bandwitdth.

Thx

If you're using nat, you'll need to police the traffic back in based on your public address.

Upload is outbound and download is inbound, so try the following and let me know how it works :)

Try taking fair-queue out of the class-default, and apply the same policy inbound on the public interface.

HTH,

John

when i removed fair-queue of class-default it let s me put my service-policy input but it does not limit my downloads to the specified rate in policing.

and yes i m using nat

interface FastEthernet0

ip address x.x.x.x x.x.x.x

ip nbar protocol-discovery

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

service-policy input priority

Try putting it in both directions:

int fa0

service-policy input priority

service-policy output priority

You want to shape you traffic going out though. Shape whenever you can.

Try this:

class-map match-all http

match access-group 102

policy-map INBOUND

class http

police 512000 conform-action transmit exceed-action drop

class voix

priority 256

policy-map OUTBOUND

class http

shape average 512000

class voix

priority 256

int fa0

service-policy input INBOUND

service-policy output OUTBOUND

HTH,

John

thanks for ur time John but it didn t work, still my downloads starvs all my bandwidth and i cannot use LLQ with input policies.. i tried removing class voix from my policy-map to put service-policy input inbound and it didn t work neither.

Another thing you could try is to specifically put your public address in the access-list that's matching the web traffic back in like:

access-list 103 permit tcp any host eq 80

access-list 103 permit tcp any host eq 443

Create a new class-map that matches on this access-list and apply it to the inbound policy map.

It's difficult to control inbound traffic when you're natting.

HTH,

John

i tried everything u said guys but it seems like i can not really control the inboud of the bandwidth even with decreasing the defined bandwidth.

Thank you again

The only time policing inbound TCP isn't effective is when TCP never needs to get out of slow start. Otherwise, it does work, but again, there's a delay before the sender will back-off and that's often after it already congested your link with a burst.

In practice you often really need to turn down the inbound rate to keep it peaking above your desired rate. What did you actually try? (NB: without adjusting Tc, I've found 1/10 desired rate a starting point. e.g. for 512 try setting 51.)

Again, keep in mind, it's very, very difficult to precisely control inbound traffic on the receiving end on a Cisco router.

Also, another technique is shaping outbound ACKs, but this too tends to be inexact on Cisco routers.

PS:

There are some non-Cisco devices that can better control inbound TCP rates. These too, though, would have trouble with flows that don't need to ramp up out of slow start.