Bandwidth Limit based on Source IP?


I am trying to think of a way to apply a bandwidth limit based upon Source IP subnet.

I need to have the ability to limit both the outbound and inbound traffic.

So I created the following config:

policy-map bw-limit-inbound
 class bw-limit-class
  police 10000

class-map match-any bw-limit-class
 match access-group 150

access-list 150 permit ip any

If I apply the Service Policy inbound, it does police the upload to 100Kbps.

If I apply it outbound, it does nothing to the download.

Any reason for this?

I am applying this to an SVI




You would normally create a QoS policy which shapes traffic, and apply this outbound when you want to limit traffic rates in an outbound direction, i.e.

class-map match-any TEST
 match access-group 140

policy-map LIMIT_OUTBOUND
 class TEST
  shape average 10000

int gi0/0
 service-policy output LIMIT_OUTBOUND

I.e. policing is used inbound, and shaping is normally used outbound. I hope this answers your question?


You state that inbound works; that means that the access-list is OK: it says traffic coming from going to any should match.

However, the return traffic is coming from any going to, so you have to add that into an access-list.

It will probably work with just adding

access-list 150 permit ip any


Hi Guys

Just to update this thread, I figured out where I was going wrong!

As mentioned by Mikael, the ACL only shows traffic one way, hence why it was not applying the service policy to the download.

I have three subnets I want to police both outbound and inbound, so I started with three ACLs:

access-list 197 permit ip any
access-list 197 permit ip any
access-list 198 permit ip any
access-list 198 permit ip any
access-list 199 permit ip any
access-list 199 permit ip any

I then created the relevant class maps:

class-map match-all vlan998-download
 match access-group 198
class-map match-all vlan999-download
 match access-group 199
class-map match-all vlan997-download
 match access-group 197

class-map match-all vlan998-upload
 match access-group 198
class-map match-all vlan999-upload
 match access-group 199
class-map match-all vlan997-upload
 match access-group 197

Then the service policies:

policy-map download-limit
 class vlan997-download
  police 2000000
 class vlan998-download
  police 3000000
 class vlan999-download
  police 4000000

policy-map upload-limit
 class vlan997-upload
  police 200000
 class vlan998-upload
  police 300000
 class vlan999-upload
  police 400000

Then finally applied those to the relevant SVI:

interface Vlan102
 ip vrf forwarding WAN2
 ip address
 ip nat inside
 ip virtual-reassembly in
 service-policy output download-limit
 service-policy input upload-limit
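
The one-way ACL problem explained in the thread, modelled as an added example that is not part of any post: a small Python matcher for `access-list N permit ip ...` entries with wildcard masks, run against an upload and a download packet. The subnet 192.0.2.0/24, the outside host 198.51.100.7 and both ACL lines are constructed placeholders, because the thread's real addresses are not shown.

```python
import ipaddress

def _spec(tokens):
    """Consume one address spec: 'any' or '<address> <wildcard-mask>'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]      # every bit is "don't care"
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]

def parse_ace(line):
    """Parse 'access-list <n> permit|deny ip <src-spec> <dst-spec>'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _spec(tok[4:])
    dst, rest = _spec(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return tok[2], src, dst

def _hit(ip, spec):
    """Wildcard match: bits set in the mask are ignored, all others must agree."""
    addr, wild = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def classified(acl_lines, src_ip, dst_ip):
    """True if the first matching ACE is a permit, i.e. the class-map matches.
    Falling off the end of the list is the implicit deny."""
    for line in acl_lines:
        action, src, dst = parse_ace(line)
        if _hit(src_ip, src) and _hit(dst_ip, dst):
            return action == "permit"
    return False

# Constructed sample data (placeholder addresses, not from the thread).
ONE_WAY = ["access-list 150 permit ip 192.0.2.0 0.0.0.255 any"]
BOTH_WAYS = ONE_WAY + ["access-list 150 permit ip any 192.0.2.0 0.0.0.255"]
UPLOAD = ("192.0.2.25", "198.51.100.7")      # client -> outside host
DOWNLOAD = ("198.51.100.7", "192.0.2.25")    # return traffic to the client

if __name__ == "__main__":
    for name, acl in (("one-way", ONE_WAY), ("both-ways", BOTH_WAYS)):
        print(name, "upload:", classified(acl, *UPLOAD),
              "download:", classified(acl, *DOWNLOAD))
```

With the one-way list the download packet falls through to the implicit deny, so the class never matches and the policer attached in the output direction has nothing to act on.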


