Logically they are on a different vlan on the main switch. Physically they have a separate port.

Yes, 2 and 5 meg is part of 10 meg bandwidth. The other 3 meg will be used by home users during day time.

What kind of router do you suggest? We use fiber cables.

I don't have any control on the ingress queue. However, I can ask my ISP if they could do anything.

Appreciate your response.

OJ

This is gig fiber? If so, any ISR that can use a HWIC-1GE-SFP and provide 10 Mbps forwarding. Any in table 3 in http://cisco.com/en/US/prod/collateral/routers/ps5854/product_data_sheet0900aecd8016be8d.html should do, including the 1841. (NB: Not 100% positive about IOS features on the 1841/1861, but believe they should be like the 2800/3800.)

However, looking a bit more over the 3560 (3750) IOS configuration guide, Time-Based ACLs are supported. This, with various class-map policing, might also satisify your requirement, although I'm not real keen on using rate limiters, and again, you might not obtain exactly the benefit hoped for, for inbound Internet traffic.

Yes this is a gig fiber. I have a spare Cisco 2811 (does it have resources to support 600 users?). What you are saying is, use a HWIC-1GE-SFP on the router and use it in front of the 3750 Switch.

I have 13 VLANs configured on 3750 and it acts as a DHCP server as well. Should I configure VLANs on 2811 and use it as DHCP. My understanding is that keep the network wide open until it data reaches 2811 and then police/shape it there based on VLAN/IP addresses. Is that right?

Also, the 3750 I have now doesn't support service-policy output command. So the only option for me is to use rate limiters. You are absolutely right that rate limiters is not a very good option.

I am attaching a diagram with rate-limit config. Please take a look and let me know if I am going the right path.

"I have a spare Cisco 2811 (does it have resources to support 600 users?)."

It's not so much a question of uses but of supported bandwidth. If your Internet connection is 10 Mbps, the 2811 should be able to support that amount of bandwidth.

"What you are saying is, use a HWIC-1GE-SFP on the router and use it in front of the 3750 Switch. "

Correct.

"Should I configure VLANs on 2811 and use it as DHCP."

No good reason comes to my mind.

"My understanding is that keep the network wide open until it data reaches 2811 and then police/shape it there based on VLAN/IP addresses. Is that right? "

Yes, since you only need to control Internet bandwidth utilization. As for carrying VLANs to the 2811, you could, but I would just pass the data to/from the 3750 across a single transit subnet link. You can match traffic per subnet (I assume the VLANs have different subnets).

PS:

BTW, because of your LAN topology, you might also want to consider using QoS on the cross switch links.

Thanks for your response.

Do you have an example of a similar config that would go on to 2811?

I am not sure, if I understood "BTW, because .......switch links". Could you please explain a bit.

Much appreciated

OJ

"Do you have an example of a similar config that would go on to 2811? "

To do exactly what? (I.e. ingress or egress, shape or police, time based or not, etc.) With what IOS?

"I am not sure, if I understood "BTW, because .......switch links". Could you please explain a bit. "

The disadvantage of your ring topology, hosts that need to communicate with other hosts on different switches need to share the connecting switch link bandwidth. If each VLAN's traffic stays per switch, then this shouldn't be much of an issue.

Ingress, egress and timed based. c2800nm-advipservicesk9-mz.124-15.T1.bin

No hosts talk to other hosts in different vlan. The only traffic that goes out or comes in is the internet.

Thanks

OJ

Wow...I can't thank you enough but THANK YOU. You are awesome.

One more question. While I have been sleeping on this issue, another idea came to my mind. Since my access switches are on different port on the main 3750, why don't I run routing between all the switches and use rate-limiter. Having said that, I tried doing that but my WS-C2960-48TC-L with c2960-lanbase-mz.122-25.SEE2.bin doesn't allow me to put an interface in routed mode.

Switch1config)#int fa 0/1

Switch1config-if)#no sw

Switch1config-if)#no switchport ?

access Set access mode characteristics of the interface

backup Set backup for the interface

block Disable forwarding of unknown uni/multi cast addresses

host Set port host

mode Set trunking mode of the interface

nonegotiate Device will not engage in negotiation protocol on this interface

port-security Security related command

priority Set appliance 802.1p priority

protected Configure an interface to be a protected port

trunk Set trunking characteristics of the interface

voice Voice appliance attributes

Not even the interface, the switch also doesn't allow me to configure IP routing on it.

Switch1(config)#ip rou?

% Unrecognized command

Do you think that upgrading the IOS would resolve this issue?

Once again, I really appreciate your efforts in helping me.

Thanks

OJ

re: routing on 2960

"Do you think that upgrading the IOS would resolve this issue? "

No, because routing not supported on 2960 series (as it is on your 3750).

PS:

BTW, forgot to mention, on your 2811, if you have maintenance, you might want to upgrade the IOS from c2800nm-advipservicesk9-mz.124-15.T1.bin an ED version to a MD version (T8, T9 or T10).