05-26-2017 03:19 AM
Hello CISCO friends.
I have trouble with Traffic Shaping in Cisco router.
I want to setup download and upload limits only for one host in one vlan network.
For example I want to setup 10 MB/s download and 10 MB/s upload speed for this one host.
I tried and can do that for one vlan network but for one host of vlan network I can't do it.
Can you help me with this task? I will be happy to see your answers.
05-26-2017 03:50 AM
Hi
Match the policy against an access list with just the host IP matched for the parameters you want.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/qos-mqc-xe-3s-book/qos-apply.html
In the following example, we create traffic classes and define their match criteria. For the first traffic class (class1), we use access control list (ACL) 101 as match criteria; for the second traffic class (class2), ACL 102. We check the packets against the contents of these ACLs to determine if they belong to the class.
class-map class1
match access-group 101
exit
class-map class2
match access-group 102
end
In the following example, we define a traffic policy (policy1) containing the QoS features that we will apply to two classes: class1 and class2. The match criteria for these classes were previously defined in "Creating a Traffic Class".
For class1, the policy includes a bandwidth allocation request and a maximum packet count limit for the queue reserved for that class. For class2, the policy specifies only a bandwidth allocation request.
policy-map policy1
class class1
bandwidth 3000
queue-limit 30
exit
class class2
bandwidth 2000
end
05-26-2017 08:59 AM
Thank you, I appreciate your help.
Please show me how I should write the access list and all the syntax from start to end.
I am a junior with these things.
For example I am with this topology:
http://imgur.com/a/9gqUk
My router configuration is:
R1#show run
Building configuration...
Current configuration : 1451 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool vlan10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX15249490
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
class-map match-all class1
match access-group 101
class-map match-all class2
match access-group 102
!
policy-map poicy1
class class1
bandwidth 3000
queue-limit 30
class class2
bandwidth 2000
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
access-list 101 permit ip host 192.168.10.2 any
access-list 102 permit ip any host 192.168.10.2
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
To configure limitation for host 192.168.10.2 I use these commands:
R1(config)#access-list 101 permit ip host 192.168.10.2 any
R1(config)#access-list 102 permit ip any host 192.168.10.2
R1(config)#class-map class1
R1(config-cmap)#match access-group 101
R1(config)#class-map class2
R1(config-cmap)#match access-group 102
R1(config)#policy-map poicy1
R1(config-pmap)#class class1
R1(config-pmap-c)#bandwidth 3000
R1(config-pmap-c)#queue-limit 30
R1(config-pmap-c)#exit
R1(config-pmap)#class class2
R1(config-pmap-c)#bandwidth 2000
05-29-2017 02:19 AM
Bandwidth would need to be set to 10000, not 3000; that's 3mb.
Are you doing this in a lab? You won't really be able to test QoS on virtual routers; you might be able to get iperf to work across it, but it's difficult to generate traffic on GNS3.
The policy map needs to be applied to the WAN interface too, whether you're doing inbound or outbound QoS.
05-29-2017 04:23 AM
Okay but the access lists are correct?
In GNS3, on the end virtual machine host, I get 80 kb/s download and upload through the GNS3 virtual router that connects to the physical network, to the ISP, and I can't simulate real traffic like 20 MB/S. You are right.
I will implement traffic shaping in a real environment with real Cisco hardware, but I am preparing myself to do it with your help. Thanks again.
I think that I found my mistake; the WAN interface is the key. I applied the policy to the inside interface, to the interface of the VLAN network where the subinterface is, for example int f0/0.10, and all hosts on VLAN network 10 get traffic shaping.
You tell me now that I should apply it to the WAN outside interface, where the router connects to another router or the ISP, and traffic shaping will work well only for the host in the access list that I defined. Am I thinking correctly?
Is this the reason I have trouble with this task?
I don't have much experience yet and I make easy mistakes.
Thanks again. I will try it and I will give you feedback.
I think everything will be fine with the policy.
But one more question: should I apply it to the WAN interface too?
Should I apply the policy to the VLAN subinterface too?
Thank you.
05-29-2017 04:25 AM
Correct, your QoS should be applied to the WAN going outbound, and if you want you can use an inbound policy going into your LAN interface.
interface GigabitEthernet0/0/0.1
description
encapsulation dot1Q 1 native
ip address xxxxxxxxxxxxxxxxxxxxx
service-policy input qos-lan-in
interface GigabitEthernet0/0/1
description
bandwidth 10000
service-policy output wan-shape-10mbps
service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED
end
06-04-2017 08:21 PM
Hello Mark Melone, can you help me?
I am here and I can't continue.
I can restrict upload speed but I can't restrict download speed.
What should I do?
For upload speed I do these steps:
ip access-list extended upload
permit ip host 192.168.20.20 any
class-map upload
match access-group name upload
policy-map upload
class upload
police 8000 1000
interface f0/0.20
service-policy input upload
And this works for upload.
But for download I can't find a solution.
With this in the GNS3 simulation I successfully limited upload speed from 200 kbps to 4 kbps.
I think I am close to success.
Now I see limitations in download and upload.
In attachment you can see my topology in GNS3.
Without restrictions download and upload speeds are:
Download 585.15kbps or 73.14 KB/sec
Upload 184.38kbps or 23.05 KB/sec
With Restrictions download and upload speeds are:
Download 44.17kbps or 5.52 KB/sec
Upload 36.83kbps or 4.6 KB/sec
Restrictions work only for host 192.168.20.20, if I change my IP to 192.168.20.19 then the restrictions don't work.
Ieeeeeeeeeeee.
My configuration is:
R1(config-ext-nacl)#do show run
Building configuration...
Current configuration : 2463 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip cef
ip domain name CISCO
ip name-server 10.152.55.254
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool vlan10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username Taner privilege 15 secret 5 $1$Ry/W$hxzSqBX4bLT0hiCluD37h.
!
!
ip tcp synwait-time 5
!
class-map match-all link_3kbps
match access-group name acl_3kbps
!
!
policy-map policy_3kbps
class link_3kbps
police 50000 10000 conform-action transmit exceed-action drop
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
rate-limit output access-group 120 8000 1500 2000 conform-action transmit exceed-action drop
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy input policy_3kbps
service-policy output policy_3kbps
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
default-information originate
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 10 interface FastEthernet0/1 overload
ip nat inside source list 20 interface FastEthernet0/1 overload
!
!
ip access-list extended acl_3kbps
permit ip host 192.168.20.20 any
permit ip any host 192.168.20.20
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
!
end
What is different?
The access list is different:
ip access-list extended acl_3kbps
permit ip host 192.168.20.20 any
permit ip any host 192.168.20.20
Now I want to check this in real cisco router with 10 megabits per second.
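Added example (not part of the original posts, and not Cisco's implementation): a simplified single-rate token-bucket model of the `police <rate-bps> <burst-bytes>` lines used in the post above, fed a constant-rate stream at the unrestricted rates the poster measured. The class and function names, the 1500- and 500-byte packet sizes and the 60-second window are assumptions made for the illustration.

```python
"""Simplified single-rate, two-colour token-bucket policer (illustrative model)."""


class Policer:
    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps          # committed rate, bits per second
        self.bc = bc_bytes              # burst size = bucket depth, bytes
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last = 0.0

    def offer(self, now, size):
        """Return True for conform (transmit), False for exceed (drop)."""
        refill = (now - self.last) * self.cir_bps / 8
        self.tokens = min(self.bc, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def run(cir_bps, bc_bytes, offered_bps, pkt_bytes, seconds=60):
    """Offer a constant-rate stream of equal-size packets (constructed input);
    return the throughput in bps that conforms to the policer."""
    policer = Policer(cir_bps, bc_bytes)
    gap = pkt_bytes * 8 / offered_bps            # time between packets
    count = int(seconds / gap)
    passed = sum(pkt_bytes for i in range(count)
                 if policer.offer(i * gap, pkt_bytes))
    return passed * 8 / seconds


if __name__ == "__main__":
    # police 50000 10000, offered the 585.15 kbps download rate from the post
    print(run(50000, 10000, 585150, 1500))
    # police 8000 1000, offered the 184.38 kbps upload rate from the post
    print(run(8000, 1000, 184380, 1500))   # packets larger than the burst
    print(run(8000, 1000, 184380, 500))    # packets that fit in the burst
```

In this model a packet larger than the burst size can never conform, because the bucket never holds enough tokens for it, so the burst value matters as much as the rate.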
05-29-2017 04:36 AM
To check it's correct and taken, do ... show policy-map interface gx/x
Post your full QoS when you're finished and I'll check it; what you have done is very close to ready.
05-29-2017 10:27 AM
service-policy input qos-lan-in: this should be applied on my subinterface of the VLAN network.
These three things I should apply in my wan interface:
service-policy output wan-shape-10mbps
service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED
Hm, let's try again step by step:
First I should create two extended access lists for inbound and outbound traffic for the host:
Okay, I create them:
access-list 101 permit ip any host 192.168.10.2
access-list 102 permit ip host 192.168.10.2 any
Okay I am ready with access lists.
Now I need to create two traffic classes, and to each class I apply an access list.
Okay, I create them and apply the access lists to them:
class-map class1
match access-group 101
exit
class-map class2
match access-group 102
Okay now I am ready and with this.
Now I need to create Policy Map and I create it:
policy-map policy1
class class1
bandwidth 10000
queue-limit 30
exit
class class2
bandwidth 10000
And I am ready with policy map.
Now I need to apply the policy to subinterface for inside interface of router and to outside interface of router.
Int f0/1.10
service-policy output policy1
int f0/0
service-policy output policy1
?
But I am confused, because I read different examples.
Please explain to me, if you have time and you want, with one clear example, how to configure the policy, interfaces and access lists for traffic shaping of one VLAN host with my Packet Tracer project.
Here is my packet tracer project:
I will be happy to correct my configuration there with description and commands:
https://drive.google.com/file/d/0BwVZQQnU1Yx-d0dUNHkzaWxjSVU/view?usp=sharing
Here is my configuration:
EdgeRouter(config)#do show run
Building configuration...
Current configuration : 1720 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname EdgeRouter
!
!
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool Vlan10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
ip dhcp pool Vlan20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
class-map match-all class1
match access-group 101
class-map match-all class2
match access-group 102
!
policy-map policy1
class class1
bandwidth 10000
queue-limit 30
class class2
bandwidth 10000
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.252
ip nat outside
service-policy output policy1
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
router ospf 1
log-adjacency-changes
network 192.168.10.0 0.0.0.3 area 0
network 192.168.20.0 0.0.0.3 area 0
default-information originate
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.2
!
ip flow-export version 9
!
!
ip access-list standard nat
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
access-list 101 permit ip host 192.168.10.2 any
access-list 102 permit ip any host 192.168.10.2
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Here is the show command of policy interface:
EdgeRouter#SHOw policy-map interface
FastEthernet0/0
Service-policy output: policy1
Class-map: class1 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 101
Queueing
Output Queue: Conversation 265
Bandwidth 10000 (kbps)Max Threshold 30 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class2 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 102
Queueing
Output Queue: Conversation 266
Bandwidth 10000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
3 packets, 1035 bytes
5 minute offered rate 24 bps, drop rate 0 bps
Match: any
05-29-2017 04:24 AM
Hello Mark Malone, can you confirm that my configuration is correct?
Can you look at my access lists?
R1(config)#access-list 101 permit ip host 192.168.10.2 any
R1(config)#access-list 102 permit ip any host 192.168.10.2
I can simulate the scenario in GNS3:
But one more question: should I apply the policy to the WAN interface too?
Should I apply the policy to the VLAN subinterface too?