We are a school district with limited bandwidth. For now, each school has a T1 and 99% utilization. I'm trying to implement a service policy to give priority to email, file shares, active directory, testing sites, etc. I planned on giving it 50% of the bandwidth.
Here's what I've come up with so far:
access-list 198 permit ip 188.8.131.52 0.0.0.255 any
access-list 198 permit ip 10.1.252.0 0.0.0.255 any
access-list 198 permit ip 10.1.60.0 0.0.0.255 any
class-map match-any Priority_Traffic
match access-group 198
bandwidth percent 50
int serial 0/0.1
service-policy input Priority_Traffic
I figured I'm missing something because the serial will not show the policy when I do a show run. Also, am I correct to put this on the serial as input since most of the traffic is downloaded? For the ACL, I'm trying to say anything from these outside IPs has 50% reserved for clients inside the LAN.
By the way, this is a 2621xm with 12.23.
Let me know if I'm unclear or if you need more info. Thanks in advance.
To verify the policy-map is applied and working, use:
show policy-map interface xxx
Are your schools connected to Internet and using a VPN to communicate with each other, or do you have a private (MPLS) network from a provider?
In general, limiting traffic inbound on your serial will not decrease line utilization because the traffic has already passed the line. You should apply the policy outbound in order to reserve the bandwidth for the specific applications. This will of course not limit download volumes unless the downloads come from other schools (hence my question above). You can only limit the amount of bandwidth allocated to download requests, and try to limit the download volume in this way. Finally, I suggest you create class-maps with the specific applications (not IP addresses), as this will give you better control of exactly what you are prioritizing. You could add an entry in your ACL:
access-list 198 permit tcp x.x.x.x x.x.x.x any eq smtp (or pop3)
Alternatively you can use NBAR (Protocol Discovery). An example:
match protocol smtp
This requires the use of NBAR which is enabled on your input (LAN) interface where the traffic is coming from with:
ip nbar protocol-discovery
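An added example (not from the thread) that puts Thomas's advice together as one IOS configuration: classify by application rather than by source address, and apply the queueing policy outbound on the serial subinterface. The 10.1.60.0/24 subnet is taken from the original ACL; the ACL name, policy-map name, port list and interface names are assumptions.

```text
! Classify by application, not by source address
ip access-list extended PRIORITY-APPS
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq 445
 permit tcp any any eq 389
 permit tcp any any eq 88
 ! assumed testing-site server subnet (taken from the original ACL)
 permit tcp any 10.1.60.0 0.0.0.255 eq www
!
class-map match-any Priority_Traffic
 match access-group name PRIORITY-APPS
 ! NBAR alternative to the port-based ACL entries
 match protocol smtp
!
! The policy-map is the piece the original post lacks: "bandwidth" is
! configured under a class of a policy-map, not under the class-map,
! and service-policy must reference the policy-map name.
policy-map WAN-OUT
 class Priority_Traffic
  bandwidth percent 50
 class class-default
  fair-queue
!
! NBAR protocol discovery on the LAN interface where the traffic arrives
interface FastEthernet0/0
 description LAN
 ip nbar protocol-discovery
!
! Output, not input: inbound bytes have already crossed the T1
interface Serial0/0.1 point-to-point
 service-policy output WAN-OUT
!
! Verification:
! show policy-map interface Serial0/0.1
! show ip nbar protocol-discovery interface FastEthernet0/0
```

The same policy-map must be applied on whichever router sends toward the congested link; on a hub-and-spoke network that is the router at the opposite end for download traffic.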
Thanks Thomas, when I do the sh policy... nothing regarding the policy is listed under the sub int. The schools are connected by frame relay, no vpn. Nice suggestion on NBAR.
If you can, educate me here. I've noticed there's more downstream utilization, i.e. from youtube.com to internal clients. But you're saying instead of applying the policy to serial input I should apply to FastEthernet output? If I do this I need to rearrange my ACLs, i.e. permit ip any 10.1.60.0 0.0.0.255 pop3? I guess I was thinking wrong; I thought I had to police return traffic on the serial input.
You can also use NBAR and filter on a URL such as youtube.com. So if your match condition is true you can police this down to whatever bandwidth you want. Give them 10kbps hehe and see what they say. I think in your case I would do more policing than using the bandwidth command. By using the bandwidth command you are restricting them to a certain percentage of BW, but if nothing else is on the line you can allow it to burst. Policing allows you to mark traffic as discard eligible or you can drop the traffic if you want to.
Also, I have dealt with school boards many times and I know the budget for IT gear is always tight, but have they ever considered WAN optimization products? If they are hitting lots of testing sites and school-related sites you can get WAN opt products and greatly reduce your BW utilization.
Thomas, should I apply this policy on the local school router or the central office router that connects this school? If so, I see what you mean by applying to the outbound int. Thanks.
If each site has 99% utilization I seriously doubt traffic shaping will help you any. I believe Cisco recommends that at anything above 60-65% utilization, additional bandwidth needs to be purchased.
We are actually in the process of upgrading our bandwidth, but I was hoping this would hold us over till it happens. Which, as it looks, is a year or 2.
Roger, I am still trying to understand why the show command does not show the applied policy map as it should ... did you enable "ip cef" on the router? As to the other question, I meant to apply the policy outbound on the serial interface. Since you cannot limit return traffic as you do not control the last hop before your router, you need to limit outbound requests (such as download requests - to the extent that this is possible), or prioritize critical applications on your outbound link. I would have two additional questions: is your Frame network a hub-and-spoke topology, and where is the Internet breakout? At each location, or only your main location?
Yes, it is a hub and spoke; the internet is at our central office where all the schools connect into. I also tried applying the policy on our frame relay switch here at the CO, a c3845 with 12.4 advipserv, and the command would not take. It mentioned CBWFQ not supported on sub-int. Also I did a sh ip cef and it seems enabled. Thanks for the help.
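An added example (not from the thread) for the hub side of the link: IOS refuses a flat CBWFQ policy on a Frame Relay subinterface, so the queueing policy is nested under a shaper whose rate matches the circuit. It assumes the class-map Priority_Traffic from the original post already exists on the hub router; the 1536 kbps rate, DLCI, interface and policy names are assumptions.

```text
! Child policy: the queueing (CBWFQ) part
policy-map SCHOOL-QUEUE
 class Priority_Traffic
  bandwidth percent 50
 class class-default
  fair-queue
!
! Parent policy: shape to the T1 rate (assumed 1536 kbps), then queue
! inside the shaper. This is what makes CBWFQ acceptable on the sub-int.
policy-map SCHOOL-SHAPE
 class class-default
  shape average 1536000
  service-policy SCHOOL-QUEUE
!
! Apply outbound toward the school, on the hub router
interface Serial1/0.16 point-to-point
 description to school over Frame Relay (assumed DLCI 16)
 frame-relay interface-dlci 16
 service-policy output SCHOOL-SHAPE
!
! Verification:
! show policy-map interface Serial1/0.16
```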
Generally, trying to manage congestion inbound is ineffective. What you want to do is manage the congestion outbound, on the device sending to you.
I believe the policy-map you defined isn't legal for an inbound policy. I recall some of the older IOSs only logged errors to the console and/or syslog for some policy configuration errors. If you're using Telnet, this might explain why it appears to accept the command but doesn't complain.
If you do control the far side, first ensure both sides are using fair-queue. If this is true, and you're still unhappy with performance, I would next suggest identifying bandwidth hogs and determining whether they can be deprioritized. If they can, then an outbound policy as follows might help.
e.g. (NB: syntax may be incorrect, especially for older IOSs)
(assume FTP is the bandwidth hog)
class-map match-any BandwidthHog
 match protocol ftp
! the bandwidth statement lives under a class of a policy-map
policy-map YourPolicy
 class BandwidthHog
  bandwidth remaining percent 1
 class class-default
  fair-queue
interface serial #
 service-policy output YourPolicy