Guaranteed Bandwidth

Answered Question
Aug 15th, 2010

Hi2All

Within our main organization we have two divisions with separate LAN & WAN.

Both these divisions are on the same floor. The Internet Service Provider provided one Ethernet cable with 10MB and a public range /29.

How do I guarantee 5MB of bandwidth to each division?

ISP suggested to hook the ISP Ethernet cable to a Layer2Switch and then connect one cable each to division routers/switch.

Any suggestion and help in guaranteeing bandwidth

Best Wishes

Anthony


Overall Rating: 5 (2 ratings)
Giuseppe Larosa Sun, 08/15/2010 - 05:46

Hello Anthony,

if you have separate NAT pools for the two departments you can use CBWFQ on router facing the WAN link using two traffic classes defined on the basis of the source address (after NAT operation)

ip nat pool dep1 dep1-ip dep1-ip netmask 255.255.255.248

ip nat pool dep2 dep2-ip dep2-ip netmask 255.255.255.248

access-list 111 permit ip  host dep1-ip any

access-list 122 permit ip host dep2-ip any

class-map dep1

match access-group 111

class-map dep2

match access-group 122

policy-map out_scheduler

class dep1

bandwidth percent 45

class dep2

bandwidth percent 45

class class-default

bandwidth percent 1

you need to NAT differently traffic coming from each department

for example:

10.10.10.0/24 dep1

10.20.20.0/24 dep2

access-list 112 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 112 permit ip 10.10.10.0 0.0.0.255 any

access-list 123 deny ip 10.20.20.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 123 permit ip 10.20.20.0 0.0.0.255 any

! nat is needed only when going to the internet, 10/8 is the intranet in the example

ip nat inside source list 112 pool dep1 overload

ip nat inside source list 123 pool dep2 overload

where dep1-address and dep2-address are taken from the public /29 given by provider.

if the outgoing interface is an ethernet running at 10 Mbps full you can apply the scheduler directly to the interface

but if your interface is running 100 Mbps on the local link you need a shaper

policy-map shape-all

class class-default

shape average 10000000

service-policy out_scheduler

interface fas0/0

service-policy out shape-all or service-policy out out_scheduler

with CBWFQ you provide resources to the two classes and you have elasticity to use unused resources

Hope to help

Giuseppe
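The elasticity mentioned in the reply above can be worked through with the thread's own numbers. This is an added example, not part of the original post: it uses an idealized weighted max-min (fluid) model rather than the IOS scheduler itself, and the function names and demand figures are assumptions made for illustration.

```python
SHAPE_RATE_BPS = 10_000_000          # 'shape average 10000000' from the post
PERCENTS = {"dep1": 45, "dep2": 45, "class-default": 1}  # 'bandwidth percent'

def guaranteed_bps(shape_rate_bps, percent):
    """Minimum rate a class is promised by 'bandwidth percent N'."""
    return shape_rate_bps * percent / 100

def share(shape_rate_bps, percents, demand_bps):
    """Split the shaped rate by progressive filling.

    Classes that want less than their weighted slice are served in full;
    what they leave unused is re-offered to the still-hungry classes in
    proportion to their configured percentages (assumed fluid model).
    """
    alloc = {c: 0.0 for c in percents}
    active = {c for c in percents if demand_bps.get(c, 0) > 0}
    remaining = float(shape_rate_bps)
    while active and remaining > 0:
        total = sum(percents[c] for c in active)
        offer = {c: remaining * percents[c] / total for c in active}
        done = {c for c in active if demand_bps[c] <= offer[c]}
        if not done:
            # Everyone left is congested: each keeps its weighted slice.
            for c in active:
                alloc[c] = offer[c]
            break
        for c in done:
            alloc[c] = float(demand_bps[c])
            remaining -= demand_bps[c]
        active -= done
    return alloc

if __name__ == "__main__":
    # Constructed demands: dep1 quiet at 3 Mbps, dep2 trying to use everything.
    print(share(SHAPE_RATE_BPS, PERCENTS,
                {"dep1": 3_000_000, "dep2": 10_000_000}))
    # Constructed demands: both departments saturating the link.
    print(share(SHAPE_RATE_BPS, PERCENTS,
                {"dep1": 10_000_000, "dep2": 10_000_000}))
```

In this model a quiet department's unused share flows to the busy one, and when both saturate the link each falls back to an equal split, never below the 45 percent configured for it.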

anthony.dyne Sun, 08/15/2010 - 08:53

Hi Giuseppe

Thanks for replying to the post. The Internet Service Provider Ethernet cable would terminate on a Cisco 2960 Layer 2 switch; from the same switch one cable goes to Dept1 and another cable goes to Dept2. Can we guarantee 5MB for Dept1 and 5MB for Dept2?

I would also like to consider if Dept1 usage is 3MB and Dept2 is at peak, i.e. 5MB, then Dept2 can use the available 2MB, i.e. total 7MB

When the need of Dept1 is 5MB then both depts go back to 5MB guaranteed bandwidth

I hope I am clear in my requirement

Best Wishes

Anthony

Giuseppe Larosa Sun, 08/15/2010 - 10:04

Hello Anthony,

with the C2960 on the path to the WAN link I'm afraid you can only shape out of each interface going to the C2960 with no elasticity as each router should know how much traffic is left available by the other one.

However, C2960 QOS allows to shape out all traffic at a specified percentage of port speed and may be a starting point.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_52_se/configuration/guide/swqos.html#wp1253412

This example shows how to limit the bandwidth on a port to 80 percent:

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# srr-queue bandwidth limit 80


otherwise, device(s) before C2960 can shape to a given rate but with no elasticity if the other department is not using all its BW quota.

You would need to use a single port on device before the C2960 to make something similar to what I had suggested in my first post in this thread.

Hope to help

Giuseppe

anthony.dyne Sun, 08/15/2010 - 10:32

Hello Giuseppe

Thanks again for replying. I am still a newbie. If I understood you correctly in your first reply:

ISP***************My_Router******************Sw_2960

I configure one port on router with public ip of ISP and another port as trunk to the switch

I configure one port for Dept1 as one vlan and another port for Dept2 as another VLAN

Is it possible to do static NAT on Router, i.e. public to private, and let the connection with dept1 be private IP?

I have a 2800 series router; this is a sample config

Interface fastethernet 0/0

ip address 75.200.168.112 255.255.255.248

# ISP provided public IP

Interface fastEthernet 0/1.11

encapsulation dot1q 11

ip address 192.168.100.10 255.255.255.0

interface FastEthernet 0/1.12

encapsulation dot1q 12

ip address 192.168.101.10 255.255.255.0

I would have default route pointing to ISP router.

On Switch 2960

interface fastethernet 0/24

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 11,12

interface fastethernet 0/1

switchport mode access

switchport access vlan 11

interface fastethernet 0/2

switchport mode access

switchport access vlan 12

Correct me if I am on wrong path, I would appreciate if you can help with config

Thanks

Anthony

Giuseppe Larosa Sun, 08/15/2010 - 13:04

Hello Anthony,

these forums are really public, anyone can read posts so  please change your public address or mask it partially for your own safety (unless it is false in this case ignore this advice)

The new setup is the path to go: the router will know how to handle traffic coming from both departments.

Your understanding is correct I had in mind a setup like this.

Hope to help

Giuseppe

anthony.dyne Sun, 08/15/2010 - 15:06

Hi2All,

Thanks Giuseppe for replying to the post. The public IP is fake. I thank you for your advice.

I am lost at the stage of applying the QoS. Which interface should I be applying it to? What other commands do I need to get proper QoS configured?

Can you please help in completing the configuration? Having private IP from router to switch is an acceptable config.

Best Wishes

Anthony

Correct Answer
Giuseppe Larosa Mon, 08/16/2010 - 13:53

Hello Anthony,

>> I am lost at the stage of applying the qos. which interface I should be applying. What other commands I need to get proper qos configured.

you need to apply QOS on the WAN facing interface on the router, depending on its speed you apply directly the scheduler out_sched if  access link speed = contracted rate.

if contracted rate <  access link speed then you  need to apply a shaper to contracted rate that invokes as  a child policy the scheduler.

Another aspect to be considered is that if the link is used for public Internet access, then you need to perform NAT and my suggestion is to use two different NAT pools (each made of a single IP address taken from the /29 that ISP has assigned to your company), so that you can trace what traffic has been originated in department1 and what traffic is originated in department2 also after NAT operation.

By doing so all traffic with source = dep1 public ip address has been originated in department 1 and can be classified as a same traffic class from the point of view of WAN interface on router. The same happens for traffic with source dep2 address.

I hope my first post is more clear now

Hope to help

Giuseppe

anthony.dyne Tue, 08/17/2010 - 01:34

Hi2All,

Giuseppe can you check if the configuration is ok, I combined the config

Interface fastethernet 0/0
ip address 5.5.5.5 255.255.255.248

service-policy out shape-all or service-policy out out_scheduler
# ISP provided public IP

Interface fastEthernet 0/1.11
encapsulation dot1q 11
ip address 192.168.100.10 255.255.255.0
# Dept1

interface FastEthernet 0/1.12
encapsulation dot1q 12
ip address 192.168.101.10 255.255.255.0
#Dept2

ip nat pool dep1 dep1-ip dep1-ip netmask 255.255.255.248
ip nat pool dep2 dep2-ip dep2-ip netmask 255.255.255.248

access-list 111 permit ip  host dep1-ip any
access-list 122 permit ip host dep2-ip any

class-map dep1
match access-group 111

class-map dep2
match access-group 122

policy-map out_scheduler
class dep1
bandwidth percent 45
class dep2
bandwidth percent 45
class class-default
bandwidth percent 1

access-list 112 deny ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 112 permit ip 192.168.100.0 0.0.0.255 any

access-list 123 deny ip 192.168.101.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 123 permit ip 192.168.100.0 0.0.0.255 any

ip nat inside source list 112 pool dep1 overload
ip nat inside source list 123 pool dep2 overload

policy-map shape-all
class class-default
shape average 10000000
service-policy out_scheduler


How do I check which department is using how much bandwidth?

Can the admin get an alert on full usage of bandwidth for a Dept?

Best Wishes

Anthony

Correct Answer
Giuseppe Larosa Tue, 08/17/2010 - 03:19

Hello Anthony,

dep1-ip and dep2-ip have to be something like 5.5.5.4 and 5.5.5.3 (going on with our fiction for public ip addresses)

you can check traffic classes with

show policy-map interface fas0/0

(there is also an SNMP MIB for modular QoS)

there is a section for each traffic class that provides counters and rates

if fas0/0 is running at 100 Mbps full and the contracted rate is 10 Mbps you need the shaper.

you can check this simply by using show interface fas0/0

in the ACLs you don't need to deny traffic within each IP subnet as this traffic does not hit the router subinterfaces (host will simply ARP for destination and destination answers to it)

rather you should deny traffic between subnets ( so that it is not natted) as this traffic is sent to the router.

second ACL will be like

access-list 123 deny ip   192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 123 permit ip 192.168.101.0 0.0.0.255 any

access-list 112 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255

access-list 112 permit ip 192.168.100.0 0.0.0.255 any

Hope to help

Giuseppe
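The difference between the ACLs in the combined config and the corrected ones in the answer above is easiest to see by evaluating both against the same flows. This is an added example, not part of the original posts: it is a minimal first-match evaluator for the `access-list N permit|deny ip SRC WILDCARD DST` form used in this thread, and the host addresses and function names are constructed for illustration.

```python
import ipaddress

POSTED = """
access-list 112 deny ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 112 permit ip 192.168.100.0 0.0.0.255 any
access-list 123 deny ip 192.168.101.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 123 permit ip 192.168.100.0 0.0.0.255 any
"""
CORRECTED = """
access-list 112 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 112 permit ip 192.168.100.0 0.0.0.255 any
access-list 123 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 123 permit ip 192.168.101.0 0.0.0.255 any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are 'don't care'; all other bits must be equal."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_acls(text):
    """Return {acl_number: [(action, (src, wildcard), (dst, wildcard)), ...]}."""
    acls = {}
    for line in text.split("\n"):
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        dst = ("0.0.0.0", "255.255.255.255") if tok[6] == "any" else (tok[6], tok[7])
        acls.setdefault(int(tok[1]), []).append((tok[2], (tok[4], tok[5]), dst))
    return acls

def selected_for_nat(acl, src, dst):
    """First matching entry decides; no match means the implicit deny."""
    for action, (s, s_wc), (d, d_wc) in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False

def report(text):
    acls = parse_acls(text)
    # Constructed hosts: one per department plus an Internet destination.
    d1, d2, inet = "192.168.100.20", "192.168.101.30", "198.51.100.7"
    return {"dept1->internet": selected_for_nat(acls[112], d1, inet),
            "dept1->dept2": selected_for_nat(acls[112], d1, d2),
            "dept2->internet": selected_for_nat(acls[123], d2, inet),
            "dept2->dept1": selected_for_nat(acls[123], d2, d1)}

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, report(cfg))
```

With the posted lists, list 112 matches Dept1 traffic bound for Dept2 and list 123 never matches Dept2's Internet traffic; with the corrected lists only Internet-bound traffic from each department is selected.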
