05-25-2017 05:19 PM - edited 03-08-2019 10:44 AM
I am using this but it lets one computer use all the speed:
policy-map main-in
 class http
  police cir 1000000
   conform-action transmit
   exceed-action drop
   violate-action drop
policy-map out
 class http
  shape average 1000000
  police cir 1000000 conform-action transmit exceed-action drop violate-action drop
05-25-2017 08:21 PM
Hi
Have you tried to match an ACL into the class-map?
For example (outbound):
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 80
class-map HTTP
 match access-group 100
or just
 match protocol http
05-26-2017 12:09 AM
Hello,
What platform is this configured on? Some platforms do not support egress policing.
Either way, in addition to Julio's post, here is what you could try:
access-list 101 permit tcp host 192.168.1.1 any eq www
class-map match-all http
 match protocol http
 match access-group 101
policy-map main-in
 class http
  police cir 1000000 187500 conform-action transmit exceed-action drop
 class class-default
05-26-2017 06:16 AM
Why are you shaping and policing in your "out" policy, especially at the same rate?
Yes, what you have would allow one or any combination of hosts to use the 1 Mbps you've limited HTTP to. Could you further explain what you're trying to accomplish?
05-26-2017 04:54 PM
Sorry for confusing everyone. I wrote the post in a hurry and didn't explain what I'm trying to do.
I already have the http class-map set up and it's capturing http traffic. The police is also working fine.
As I said, with the current method it lets a single PC use all the bandwidth. Is there any way to limit it so one PC can't use all the bandwidth but is able to use a certain amount?
05-26-2017 05:26 PM
Hi
Have you tried using 'host' in the ACL and then applying the ACL in a class-map using the same scheme?
access-list 100 permit tcp host 192.168.1.10 any eq 80
class-map PC-HTTP
 match access-group 100
policy-map POLICY
 class PC-HTTP
  police cir 1000000 187500 conform-action transmit exceed-action drop
Then apply the policy-map under the interface in the outbound direction.
If you execute sh policy-map interface <interface>, you will see the default class, where the rest of the traffic is passing with no restrictions.
05-26-2017 05:26 PM
Outbound is not a problem since I can shape it. The problem is the inbound traffic. I can't shape it, so if one PC uses all the traffic, other PCs have their packets dropped because of the police. And it's not a particular PC. It can be any PC.
05-26-2017 05:44 PM
Have you tried something similar but modifying the ACL?
access-list 101 permit tcp any eq 80 host 192.168.1.10
class-map PC-HTTP
 match access-group 101
policy-map POLICY-IN
 class PC-HTTP
  police cir 1000000 187500 conform-action transmit exceed-action drop
And then apply it in the inbound direction? It should just be applied for the host 192.168.1.10; the rest of the traffic should be impacted.
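Added example, not part of any post in this thread: a small Python model of a single-rate token-bucket policer, comparing one policer shared by the whole http class with one policer per host. The host addresses, offered rates and the 500 kbps per-host cap are assumptions chosen for illustration.

```python
# Single-rate token-bucket policer modeled on the thread's
# "police cir 1000000 187500 conform-action transmit exceed-action drop".
# Host addresses, offered rates and the 500 kbps per-host cap are constructed.
US = 1_000_000  # microseconds per second; tokens are held in bit-microseconds

class Policer:
    def __init__(self, cir_bps, bc_bytes):
        self.cir = cir_bps
        self.cap = bc_bytes * 8 * US
        self.tokens = self.cap          # bucket starts full
        self.last = 0

    def conforms(self, now_us, size_bytes):
        # Refill for the elapsed time (capped at Bc), then charge the packet.
        self.tokens = min(self.cap, self.tokens + self.cir * (now_us - self.last))
        self.last = now_us
        cost = size_bytes * 8 * US
        if self.tokens >= cost:
            self.tokens -= cost
            return True                 # conform-action transmit
        return False                    # exceed-action drop

def simulate(offered_bps, policer_for, duration_s=10, size_bytes=1500):
    """Return {host: (packets_sent, packets_delivered)} for constant-rate senders."""
    events = sorted((t, host) for host, bps in offered_bps.items()
                    for t in range(0, duration_s * US, size_bytes * 8 * US // bps))
    stats = {host: [0, 0] for host in offered_bps}
    for t, host in events:
        stats[host][0] += 1
        if policer_for(host).conforms(t, size_bytes):
            stats[host][1] += 1
    return {host: tuple(v) for host, v in stats.items()}

OFFERED = {"192.168.1.10": 5_000_000, "192.168.1.20": 400_000}  # bps, constructed

def aggregate():
    shared = Policer(1_000_000, 187_500)    # one policer for the whole class
    return simulate(OFFERED, lambda host: shared)

def per_host(cap_bps=500_000):
    buckets = {host: Policer(cap_bps, 187_500) for host in OFFERED}
    return simulate(OFFERED, buckets.__getitem__)

if __name__ == "__main__":
    for name, run in (("aggregate", aggregate), ("per-host", per_host)):
        for host, (sent, ok) in run().items():
            print(f"{name:9} {host:13} sent={sent:5} delivered={ok:5}")
```

With the shared bucket, the light sender loses packets even though it offers well under 1 Mbps; with one bucket per host, it loses none and the heavy sender is held to its own cap.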