Traffic Shaping

tanner.zaitt
Level 3

Hello CISCO friends.
I have trouble with traffic shaping on a Cisco router.
I want to set up download and upload limits for only one host in one VLAN network.
For example, I want to set up 10 MB/s download and 10 MB/s upload speed for this one host.
I tried, and I can do that for one VLAN network, but I can't do it for one host of the VLAN network.
Can you help me with this task? I will be happy to see your answers.

Accepted Solutions

Mark Malone
VIP Alumni

Hi

Match the policy against an access-list with just the host IP matched for the parameters you want.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/qos-mqc-xe-3s-book/qos-apply.html

Configuration Examples for Applying QoS Features Using the MQC

Creating a Traffic Class

In the following example, we create traffic classes and define their match criteria. For the first traffic class (class1), we use access control list (ACL) 101 as match criteria; for the second traffic class (class2), ACL 102. We check the packets against the contents of these ACLs to determine if they belong to the class.

class-map class1
  match access-group 101
  exit
class-map class2
  match access-group 102
  end

Creating a Policy Map

In the following example, we define a traffic policy (policy1) containing the QoS features that we will apply to two classes: class1 and class2. The match criteria for these classes were previously defined in Creating a Traffic Class.

For class1, the policy includes a bandwidth allocation request and a maximum packet count limit for the queue reserved for that class. For class2, the policy specifies only a bandwidth allocation request.

policy-map policy1
  class class1
    bandwidth 3000
    queue-limit 30
    exit
  class class2
    bandwidth 2000
    end

Thank you, I appreciate your help.
Please show me how I should write the access list and all the syntax from start to end.
I am a junior with these things.


For example, I have this topology:
http://imgur.com/a/9gqUk



My router configuration is:

R1#show run
Building configuration...

Current configuration : 1451 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool vlan10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX15249490
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
class-map match-all class1
match access-group 101
class-map match-all class2
match access-group 102
!
policy-map poicy1
class class1
bandwidth 3000
queue-limit 30
class class2
bandwidth 2000
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
access-list 101 permit ip host 192.168.10.2 any
access-list 102 permit ip any host 192.168.10.2
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end





To configure limitation for host 192.168.10.2 I use these commands:

R1(config)#access-list 101 permit ip host 192.168.10.2 any
R1(config)#access-list 102 permit ip any host 192.168.10.2
R1(config)#class-map class1
R1(config-cmap)#match access-group 101
R1(config)#class-map class2
R1(config-cmap)#match access-group 102
R1(config)#policy-map poicy1
R1(config-pmap)#class class1
R1(config-pmap-c)#bandwidth 3000
R1(config-pmap-c)#queue-limit 30
R1(config-pmap-c)#exit
R1(config-pmap)#class class2
R1(config-pmap-c)#bandwidth 2000




Bandwidth would need to be set to 10000, not 3000; that's 3mb.

Are you doing this in a lab? You won't really be able to test QoS on virtual routers; you might be able to get iperf to work across it, but it's difficult to generate traffic on GNS3.

The policy map needs to be applied to the WAN interface too, whether you're doing inbound or outbound QoS.

Okay, but are the access lists correct?

In GNS3, on the end virtual machine host, I get 80 kb/s download and upload through the GNS3 virtual router that connects to the physical network, to the ISP, and I can't simulate real traffic like 20 MB/s. You are right.

I will implement traffic shaping in a real environment with real Cisco hardware, but I am preparing myself to do it with your help. Thanks again.

I think I have found my mistake: the WAN interface is the key. I applied the policy to the inside interface, to the VLAN network's subinterface, for example int f0/0.10, and all hosts on VLAN network 10 get traffic shaping.

You are telling me now that I should apply it to the WAN outside interface, where the router connects to another router or the ISP, and traffic shaping will work well only for the host in the access list that I defined. Am I thinking correctly?

Is this the reason I have trouble with this task?

I don't have much experience yet and I make easy mistakes.

Thanks again. I will try it and I will give you feedback.

I think everything will be fine with the policy.


But one more question: should I apply it to the WAN interface too?
Should I apply the policy to the VLAN subinterface too?

Thank you.

Correct, your QoS should be applied to the WAN going outbound, and if you want you can use an inbound policy going into your LAN interface.

interface GigabitEthernet0/0/0.1
 description 
 encapsulation dot1Q 1 native
 ip address xxxxxxxxxxxxxxxxxxxxx
 service-policy input qos-lan-in

interface GigabitEthernet0/0/1
 description
 bandwidth 10000
 service-policy output wan-shape-10mbps
 service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
 service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED
end

Hello Mark Malone, can you help me?
I am here and I can't continue.

I can restrict upload speed but I can't restrict download speed.

What do I do?

For upload speed I do these steps:

ip access-list extended upload
permit ip host 192.168.20.20 any

class-map upload
match access-group name upload

policy-map upload
class upload
police 8000 1000

interface f0/0.20
service-policy input upload


And this works for upload.

But for download I can't find a solution.

With this, in the GNS3 simulation I successfully limited upload speed from 200 kbps to 4 kbps.

I think I am close to success.

Now I see limitations in download and upload.
In the attachment you can see my topology in GNS3.

Without restrictions, download and upload speeds are:
Download 585.15 kbps or 73.14 KB/sec
Upload 184.38 kbps or 23.05 KB/sec

With restrictions, download and upload speeds are:

Download 44.17 kbps or 5.52 KB/sec
Upload 36.83 kbps or 4.6 KB/sec

Restrictions work only for host 192.168.20.20; if I change my IP to 192.168.20.19 then the restrictions don't work.
Ieeeeeeeeeeee.


My configuration is:

R1(config-ext-nacl)#do show run
Building configuration...

Current configuration : 2463 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip cef
ip domain name CISCO
ip name-server 10.152.55.254
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool vlan10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username Taner privilege 15 secret 5 $1$Ry/W$hxzSqBX4bLT0hiCluD37h.
!
!
ip tcp synwait-time 5
!
class-map match-all link_3kbps
match access-group name acl_3kbps
!
!
policy-map policy_3kbps
class link_3kbps
police 50000 10000 conform-action transmit exceed-action drop
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
rate-limit output access-group 120 8000 1500 2000 conform-action transmit exceed-action drop
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy input policy_3kbps
service-policy output policy_3kbps
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
default-information originate
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 10 interface FastEthernet0/1 overload
ip nat inside source list 20 interface FastEthernet0/1 overload
!
!
ip access-list extended acl_3kbps
permit ip host 192.168.20.20 any
permit ip any host 192.168.20.20
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
!
end




What is different?

The access list is different:

ip access-list extended acl_3kbps
permit ip host 192.168.20.20 any
permit ip any host 192.168.20.20

Now I want to check this on a real Cisco router with 10 megabits per second.


To check it's correct and taken, then do ... show policy-map interface gx/x

Post your full QoS when you're finished and I'll check it; what you have done is very close to ready.

service-policy input qos-lan-in: this should be applied on my subinterface of the VLAN network.

These three things I should apply on my WAN interface:
service-policy output wan-shape-10mbps
 service-policy type performance-monitor input LIVEACTION-POLICY-UNIFIED
 service-policy type performance-monitor output LIVEACTION-POLICY-UNIFIED

Hm, let's try again step by step:

First I should create two extended access lists for inbound and outbound traffic for the host.
Okay, I create them:
access-list 101 permit ip any host 192.168.10.2
access-list 102 permit ip host 192.168.10.2 any
Okay, I am ready with the access lists.

Now I need to create two traffic classes, and to each class I apply an access list.
Okay, I create them and apply the access lists to them:
class-map class1
match access-group 101
exit
class-map class2
match access-group 102
Okay, now I am ready with this too.

Now I need to create a policy map, and I create it:
policy-map policy1
class class1
bandwidth 10000
queue-limit 30
exit
class class2
bandwidth 10000
And I am ready with the policy map.

Now I need to apply the policy to the subinterface of the router's inside interface and to the router's outside interface.
Int f0/1.10
service-policy output policy1
int f0/0
service-policy output policy1

?



But I am confused, because I read different examples.
Please give me, if you have time and are willing, one clear example of how to configure the policy, interfaces and access lists for traffic shaping of one VLAN host with my Packet Tracer project.

Here is my Packet Tracer project:
I will be happy to correct my configuration there with description and commands:
https://drive.google.com/file/d/0BwVZQQnU1Yx-d0dUNHkzaWxjSVU/view?usp=sharing

Here is my configuration:

EdgeRouter(config)#do show run
Building configuration...

Current configuration : 1720 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname EdgeRouter
!
!
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool Vlan10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
ip dhcp pool Vlan20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
class-map match-all class1
match access-group 101
class-map match-all class2
match access-group 102
!
policy-map policy1
class class1
bandwidth 10000
queue-limit 30
class class2
bandwidth 10000
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.252
ip nat outside
service-policy output policy1
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
router ospf 1
log-adjacency-changes
network 192.168.10.0 0.0.0.3 area 0
network 192.168.20.0 0.0.0.3 area 0
default-information originate
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.2
!
ip flow-export version 9
!
!
ip access-list standard nat
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
access-list 101 permit ip host 192.168.10.2 any
access-list 102 permit ip any host 192.168.10.2
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end


Here is the show command of policy interface:

EdgeRouter#SHOw policy-map interface
FastEthernet0/0
Service-policy output: policy1
Class-map: class1 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 101
Queueing
Output Queue: Conversation 265
Bandwidth 10000 (kbps)Max Threshold 30 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class2 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 102
Queueing
Output Queue: Conversation 266
Bandwidth 10000 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
3 packets, 1035 bytes
5 minute offered rate 24 bps, drop rate 0 bps
Match: any


Hello Mark Malone, can you confirm that my configuration is correct?
Can you look at my access lists?

R1(config)#access-list 101 permit ip host 192.168.10.2 any
R1(config)#access-list 102 permit ip any host 192.168.10.2

I can simulate the scenario in GNS3:

But one more question: should I apply the policy to the WAN interface too?
Should I apply the policy to the VLAN subinterface too?
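
A complete per-host rate limit in IOS configuration, as an added example that is not part of any post in this thread: it polices host 192.168.20.20 to 10 Mbit/s in each direction on the VLAN 20 subinterface. The ACL, class-map and policy-map names are hypothetical; the host address and interface are taken from the GNS3 configuration posted above.

```cisco
! Added example (constructed). HOST-UP, HOST-DOWN and LIMIT-* are hypothetical names.
! Host address and subinterface come from the thread's GNS3 configuration.
!
! One ACL per direction, so upload and download are classified separately.
ip access-list extended HOST-UP
 permit ip host 192.168.20.20 any
ip access-list extended HOST-DOWN
 permit ip any host 192.168.20.20
!
class-map match-all HOST-UP
 match access-group name HOST-UP
class-map match-all HOST-DOWN
 match access-group name HOST-DOWN
!
! "bandwidth 10000" (as in policy1 in the thread) reserves a minimum of
! 10000 kbps for the class during congestion; it does not cap the class.
! "police" enforces a ceiling. Its rate is in bits per second; the burst
! size is omitted here so IOS applies its default.
policy-map LIMIT-UP
 class HOST-UP
  police 10000000 conform-action transmit exceed-action drop
policy-map LIMIT-DOWN
 class HOST-DOWN
  police 10000000 conform-action transmit exceed-action drop
!
! Attach on the inside (VLAN 20) subinterface. Traffic crossing this
! interface carries the host's private address in both directions, so the
! ACLs match whether or not NAT is configured on the WAN side.
interface FastEthernet0/0.20
 service-policy input LIMIT-UP
 service-policy output LIMIT-DOWN
!
! Verify that the host classes, not class-default, are counting packets:
! show policy-map interface FastEthernet0/0.20
```

Traffic from other hosts on VLAN 20 falls into class-default and is not policed.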


