Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Bandwidth Limit based on Source IP?

Hi

I am trying to think of a way to apply a bandwidth limit based upon Source IP subnet.

I need to have the ability to limit both the outbound and inbound traffic.

So I created the following config:

policy-map bw-limit-inbound
 class bw-limit-class
  police 10000

class-map match-any bw-limit-class
 match access-group 150

access-list 150 permit ip 172.16.99.0 0.0.0.255 any

If I apply the Service Policy inbound, it does police the upload to 100Kbps.

If I apply it outbound, it does nothing to the download.

Any reason for this?

I am applying this to an SVI

Thanks

3 REPLIES
Bronze

Hi, You would normally create

Hi,

 

You would normally create a QoS policy which shapes traffic, and apply this outbound when you want to limit traffic rates in an outbound direction. i.e.

class-map match-any TEST

match access-group 140

 

policy-map LIMIT_OUTBOUND

class TEST

shape average 10000

 

int gi0/0

service-policy LIMIT_OUTBOUND out

 

i.e. policing - is used inbound, and shaping is normally used outbound - I hope this answers your question?

 

Very best wishes

 

Mike

 

Silver

You state that inbound works

You state that inbound works that means that the access-list is OK, it says traffic coming from 172.16.99.0/24 going to any should match

However the return traffic is coming from any going to 172.16.99.0/24, so You have to add that into an access-list.

It will probably work with just adding

access-list 150 permit ip any 172.16.99.0 0.0.0.255

/Mikael

Hi GuysJust to update this

Hi Guys

Just to update this thread, I figured out where I was going wrong!

As mentioned by Mikael, the ACL only shows traffic one way, hence why it was not applying the service policy to the download.

I have three subnets I want to Police both outbound and inbound so I started with Three ACLs:

access-list 197 permit ip 172.16.97.0 0.0.0.255 any
access-list 197 permit ip any 172.16.97.0 0.0.0.255
access-list 198 permit ip 172.16.98.0 0.0.0.255 any
access-list 198 permit ip any 172.16.98.0 0.0.0.255
access-list 199 permit ip 172.16.99.0 0.0.0.255 any
access-list 199 permit ip any 172.16.99.0 0.0.0.255

I then created the relevant class maps:

class-map match-all vlan998-download
 match access-group 198
class-map match-all vlan999-download
 match access-group 199
class-map match-all vlan997-download
 match access-group 197

class-map match-all vlan998-upload
 match access-group 198
class-map match-all vlan999-upload
 match access-group 199
class-map match-all vlan997-upload
 match access-group 197

Then the service policies:

policy-map download-limit
 class vlan997-download
  police 2000000
 class vlan998-download
  police 3000000
 class vlan999-download
  police 4000000

policy-map upload-limit
 class vlan997-upload
  police 200000
 class vlan998-upload
  police 300000
 class vlan999-upload
  police 400000

Then finally applied those to the relevant SVI:

interface Vlan102
 ip vrf forwarding WAN2
 ip address 10.20.2.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 service-policy output download-limit
 service-policy input upload-limit

 

1113
Views
0
Helpful
3
Replies
CreatePlease to create content