
Bandwidth Restriction

Hi,

I have an Internet router, a Cisco 1700 series. My FastEthernet has 1 public IP address, e.g. 10.10.10.1, connected to the LAN, and S0/0 has a public IP address, e.g. 1.1.1.1, which is connected to the ISP (1 Mbps leased line). I have been using a few public IP addresses on my LAN for FTP, web server, mail server, etc. Now, is there any option in the router where I can restrict only 128 Kbps for my FTP server? The FTP server IP is 10.10.10.2. Since FTP alone is occupying almost the entire bandwidth, Internet access for users on my LAN has become very, very slow.

2 REPLIES

Re: Bandwidth Restriction

Hi,

You can indeed do this. You can apply a service policy on your egress interface which restricts the outgoing FTP traffic to 128k in times of congestion...

Option 1 - Egress Policy on WAN link
=====================================

class-map FTPTraffic
 match access-group 101
!
policy-map PolicyOut
 class FTPTraffic
  bandwidth 128
 class class-default
  bandwidth 896
!
int serial0
 description 1024k link to ISP
 ip address
 bandwidth 1024
 max-reserved-bandwidth 100
 service-policy output PolicyOut
!
! ACL 101: TCP traffic with source port 21
access-list 101 permit tcp any eq 21 any
!

This option will guarantee 128k to FTP traffic but will allow it to use up any excess bandwidth if available.

Option 2 - Ingress Policy on LAN link
=====================================

class-map FTPTraffic
 match access-group 101
!
policy-map PolicyIn
 class FTPTraffic
  police 128000
!
int ethernet0
 description LAN link
 ip address x.x.x.x y.y.y.y
 service-policy input PolicyIn
!
! ACL 101: TCP traffic from the FTP server with source port 21
access-list 101 permit tcp host 10.10.10.2 eq 21 any

This option will place a hard-limit of 128k on FTP traffic.

Hope that helps - pls rate the post if it does.

Regards,

Paresh/

Re: Bandwidth Restriction

Hello,

unfortunately the config above will not work, because it does not describe FTP traffic properly.

TCP port 21 is only the control session, whereas the data transfer with active FTP is done through TCP port 20. Data transfer in general will cause your congestion problems. With passive FTP you will have dynamically assigned port numbers and then an access-list is NOT able to grab the majority of FTP transfer at all.

So you need to use NBAR for your case. The config would look like this:

ip cef
!
class-map match-all FTPserver
 match access-group 100
 match protocol ftp
!
policy-map Output1
 class FTPserver
  shape average 128000
!
interface Serial0
 description 1Mbps to ISP
 ip address 1.1.1.1 255.255.255.252
 bandwidth 1024
 service-policy output Output1
!
! ACL 100: all IP traffic from the FTP server
access-list 100 permit ip host 10.10.10.2 any

The class-map FTP describes traffic, which is from host 10.10.10.2 AND is FTP. This includes active and passive FTP control session and data session.

In the policy this traffic is limited to 128 kbps through shaping, i.e. there is never more than 128 kbps utilization from FTP traffic on your WAN link.

In case you would like to limit FTP only in case there is other traffic please use the following policy:

class-map match-all FTPserver
 match access-group 100
 match protocol ftp
!
class-map match-all NonFTPserver
 match not class-map FTPserver
!
policy-map Output1
 class NonFTPserver
  bandwidth percent 75

This will guarantee 75% of the bandwidth to traffic not being FTP from your server. This will only restrict FTP traffic when there is no other traffic.

Cisco does recommend not to plan for more than 75 percent of interface bandwidth, because of L2 keepalives, and system messages in general.

Hope this helps! Please rate all posts.

Regards, Martin
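
The classification point raised in the second reply, as an added example that is not part of the original posts: a static match on TCP port 21 sees only the control session, while a classifier that reads the server's 227 (passive mode) replies can follow the data connections. This is a simplified model, not NBAR itself; the packet dictionaries, the `FtpFlowTracker` class and the sample capture are constructed for illustration.

```python
import re

FTP_SERVER = "10.10.10.2"  # FTP server address used in the thread
# A 227 reply carries h1,h2,h3,h4,p1,p2; the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def acl_port21(pkt):
    # Static match, equivalent to: permit tcp host 10.10.10.2 eq 21 any
    return pkt["src"] == FTP_SERVER and pkt["sport"] == 21

class FtpFlowTracker:
    """Learns passive data ports from the control channel (ports never expire here)."""
    def __init__(self, server):
        self.server, self.data_ports = server, set()

    def match(self, pkt):
        if pkt["src"] != self.server:
            return False
        if pkt["sport"] == 21:
            m = PASV_RE.match(pkt["payload"])
            if m:  # remember the port the server announced for this transfer
                self.data_ports.add(int(m.group(5)) * 256 + int(m.group(6)))
            return True
        # Active mode: the server sends data from TCP port 20.
        return pkt["sport"] == 20 or pkt["sport"] in self.data_ports

def matched_bytes(packets, matcher):
    return sum(p["len"] for p in packets if matcher(p))

def pkt(src, sport, length, payload=""):
    return {"src": src, "sport": sport, "len": length, "payload": payload}

# Constructed egress capture: one passive transfer, one active transfer, other traffic.
SAMPLE = (
    [pkt(FTP_SERVER, 21, 90, "227 Entering Passive Mode (10,10,10,2,195,80)")]
    + [pkt(FTP_SERVER, 50000, 1500)] * 40   # passive data, port 195*256+80
    + [pkt(FTP_SERVER, 20, 1500)] * 10      # active data
    + [pkt("10.10.10.3", 80, 1500)] * 5     # another LAN server, not FTP
    + [pkt(FTP_SERVER, 50001, 1500)]        # port never announced on the control channel
)

if __name__ == "__main__":
    tracker = FtpFlowTracker(FTP_SERVER)
    print("port-21 ACL:", matched_bytes(SAMPLE, acl_port21), "bytes")
    print("tracker    :", matched_bytes(SAMPLE, tracker.match), "bytes")
```

On the constructed capture the port-21 match accounts for only the single control packet, so a policy built on it would leave almost all of the transfer unclassified.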
