PRIORITIZE BY DESTINATION IP ADDRESS

johnhuston
Level 1

I am new here and looking for a configuration example to help me prioritize specific IP addresses from a subnet to two or three specific internal IP addresses. If anyone has a link or an example they would be willing to share I would greatly appreciate your help.

+================+                      +=============+

=  Subnet 10.2.2.0/x   = -----> rtr ---->rtr = General Network =

+================+                      +=============+

I have never done this before.  It is to help a site where we have limited bandwidth and need to prioritize the packets.  Naturally processes and machines at the site  have priority but we are unwilling to pay for a higher bandwidth.

Thanks!!

John Blakley
VIP Alumni

You can use acls to identify the traffic. Something like:

access-list 101 permit tcp 10.2.2.0 0.0.0.255 host 172.25.25.25 eq www
access-list 101 permit tcp 10.2.2.0 0.0.0.255 host 172.25.25.50 eq ftp

Then you apply to a class map:

class-map match-any Web
 match access-group 101

Then apply to a policy-map:

policy-map Web
 class Web
  bandwidth 512
  police 768000 conform transmit exceed drop

Then apply to the outside interface:

int s0/0
 service-policy output Web

The bandwidth command reserves that amount (512K) for this subnet when going to these hosts. The police command will start policing this traffic if it goes above 768k. This isn't a low latency queue, so if you're needing something for voice, you'll want to use the "priority" command instead of bandwidth and then remove the policer because the priority command polices for you.

HTH,

John

* Please rate useful posts *

HTH, John *** Please rate all useful posts ***

Thank you for the speedy reply.  I just want to ask one more question.

Is it possible to do this without the "eq" statements?  Another way to ask the question would be to use specific IP addresses such as:

access-list 101 permit host 10.2.2.1 host 172.16.1.1
access-list 101 permit host 10.2.2.2 host 172.16.1.2

Also, I have never done this but understand that you can mark or color the packet going in and out with a dsfp (sp) bit?

If so how do you do this?

Thank you again for your help.

Yes, you can create your acls like that as well and it will match any traffic coming from host to host.

access-list 101 permit ip host 10.2.2.1 host 172.16.1.1
access-list 101 permit ip host 10.2.2.2 host 172.16.1.2

etc.

You can set a dscp value outbound on the wan side, or set it on the lan side to make a decision on the wan side. The latter would require a separate service policy inbound on the lan side. If you set the value outbound on the wan side, depending on the way your connection is, the ISP might strip your tag and you won't receive what you think you should be on the other side.

To set the tag, you can do something like:

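! The interface names are missing from the post as captured; the two
! placeholders below follow the explanation after this block.
class-map match-any SetTag
 match access-group 101
class-map match-all Web
 match dscp af21
!
policy-map SetTag
 class SetTag
  set dscp af21
policy-map Web
 class Web
  bandwidth 512
  police 768000 conform transmit exceed drop
!
int <WAN interface>
 service-policy output Web
int <LAN interface>
 service-policy input SetTag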

This would set your host traffic to tag af21 inbound on the lan side and then match that tag outbound on the wan side. Generally, you would match on the other side though for managing the traffic inbound on the wan side. You can also set your tag outbound at the same time of setting the tag:

policy-map Web
 class Web
  set dscp af21
  bandwidth 512
  police 768000 conform transmit exceed drop

Then you'd match on af21 on the inbound direction on the wan side of the other end. Along with that, you can also set the tag on the police command:

police 768000 conform transmit exceed set-dscp-transmit af21

This is usually in response to when you don't want to necessarily drop the traffic here, but you may need to drop the traffic later on down the path.

Just remember that whatever you do outbound on your router can possibly be overwritten by the ISP. If you're on an mpls network, you usually have to go through the ISP to have them honor your tags so they won't overwrite them.

HTH,

John

* Please rate if it helps *

HTH, John *** Please rate all useful posts ***
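
Added example (not part of the original posts and not Cisco code): a Python model of what the configuration above does to a packet. It checks the packet against ACL 101 using IOS wildcard-mask semantics, marks matches AF21, and polices them with a token bucket at 768000 bps, so the difference between "exceed drop" and "exceed set-dscp-transmit af21" is visible. The 24000-byte burst size, the single-pass structure (LAN-side marking and WAN-side policing collapsed into one function) and the sample packets are assumptions made for the illustration.

```python
import ipaddress

AF21 = 18  # DSCP codepoint for AF21 (binary 010010); ToS byte = AF21 << 2 = 0x48

# ACL 101 from the thread: (source, source wildcard, destination, destination wildcard)
ACL_101 = [
    ("10.2.2.1", "0.0.0.0", "172.16.1.1", "0.0.0.0"),
    ("10.2.2.2", "0.0.0.0", "172.16.1.2", "0.0.0.0"),
]
# Constructed sample input: a back-to-back burst of twenty 1500-byte packets.
SAMPLE = [(0.0, "10.2.2.1", "172.16.1.1", 1500, 0)] * 20

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(src, dst, acl=ACL_101):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)

class Policer:
    """Single-rate, two-colour token bucket modelling 'police 768000 ...'."""
    def __init__(self, cir_bps=768000, burst_bytes=24000):  # burst is an assumption
        self.rate = cir_bps / 8.0        # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def conforms(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def run(packets, exceed_action="drop"):
    """packets: (time_s, src, dst, size_bytes, dscp) -> list of (action, dscp)."""
    policer, out = Policer(), []
    for t, src, dst, size, dscp in packets:
        if not acl_permits(src, dst):
            out.append(("class-default", dscp))    # not in class Web, DSCP untouched
        elif policer.conforms(t, size):
            out.append(("transmit", AF21))         # set dscp af21, within 768 kbps
        elif exceed_action == "drop":
            out.append(("drop", None))             # exceed drop
        else:
            out.append(("transmit-exceed", AF21))  # exceed set-dscp-transmit af21
    return out
```

With the assumed burst size, the constructed 20-packet burst yields 16 conforming packets and 4 exceeding ones; only the exceed action decides whether those 4 are dropped here or sent on.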

Thank you for helping me. This helps me quite a bit. Again I am new to this and learning. I read all around CCO and couldn't find anything like this.

It was very nice of you to help me and to do so as quickly as you did.

Thank You!!

No problem at all. Here is some documentation to look at:

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_mqc/configuration/12-4/qos-mqc.html

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/fqos_c.html

The first one is on 12.4 IOS and will walk you through configuring qos with mqc. The 2nd link has the different commands like police, shape, bandwidth, etc.

HTH, John *** Please rate all useful posts ***