
Restrict 512Kbps bandwidth to some workstations

Hello,

We have 3 workstations which have static NATs.

How can you restrict at most 512 kbps bandwidth to these workstations?

Regards

Hamid

7 REPLIES

Re: Restrict 512Kbps bandwidth to some workstations

Hi,

Do you manage the firewall? If so you could police bandwidth based on IP addresses. See below

https://supportforums.cisco.com/docs/DOC-1230

Don't forget to rate posts that are helpful.

New Member

Re: Restrict 512Kbps bandwidth to some workstations

>>

Do you manage the firewall? If so you could police bandwidth based on IP addresses. See below

https://supportforums.cisco.com/docs/DOC-1230

<<

Sorry for my inattention.

We want to configure a Cisco 2851 router (c2800nm-adventerprisek9-mz.124-24.T6.bin IOS).

Re: Restrict 512Kbps bandwidth to some workstations

You're probably going to have to shape outbound and police inbound to 512k to your natted addresses.

Let's say that you have addresses 192.168.1.50 - 52 and they map to 5.5.5.50 - 52, you could do something like this:

ip access-list ext Shape
 permit ip host 5.5.5.50 any
 permit ip host 5.5.5.51 any
 permit ip host 5.5.5.52 any
ip access-list ext Police
 permit ip any host 5.5.5.50
 permit ip any host 5.5.5.51
 permit ip any host 5.5.5.52
class-map match-any Shape
 match access-group name Shape
class-map match-any Police
 match access-group name Police
policy-map Police
 class Police
  police 512000
   exceed-action drop
policy-map Shape
 class Shape
  shape average 512000
! outside interface
int s0/0
 service-policy input Police
 service-policy output Shape

HTH,

John

Please rate useful posts...

HTH, John *** Please rate all useful posts ***
New Member

Re: Restrict 512Kbps bandwidth to some workstations

Many thanks for your comment.

Does the config below achieve our desired purpose?

----------------------------------------------------
ip nat inside source static 192.168.10.50 X.X.X.10 extendable
ip nat inside source static 192.168.10.51 X.X.X.11 extendable
ip nat inside source static 192.168.10.52 X.X.X.12 extendable
interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 150 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-WAN$
 ip address X.X.X.226 255.255.255.224
 ip access-group 150 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy input Police
 service-policy output Shape
ip access-list ext Shape
 permit ip host X.X.X.50 any
 permit ip host X.X.X.51 any
 permit ip host X.X.X.52 any
ip access-list ext Police
 permit ip any host X.X.X.50
 permit ip any host X.X.X.51
 permit ip any host X.X.X.51
class-map match-any Shape
 match access-group name Shape
class-map match-any Police
 match access-group name Police
policy-map Police
 class Police
  police 512000
   exceed-action drop
policy-map Shape
 class Shape
  shape average 512000
access-list 150 deny   tcp any eq 1034 any log
access-list 150 deny   tcp any eq 1080 any log
access-list 150 deny   tcp any eq 1214 any log
access-list 150 deny   tcp any eq 2535 any log
access-list 150 deny   tcp any eq 1433 any log
access-list 150 deny   tcp any eq 3127 any log
access-list 150 deny   tcp any eq 2745 any log
access-list 150 deny   tcp any eq 4444 any log
access-list 150 deny   udp any eq 1434 any log
access-list 150 deny   udp any range 135 netbios-ss any
access-list 150 deny   tcp any range 1036 1037 any log
access-list 150 deny   tcp any any eq 81 log
access-list 150 deny   tcp any any eq 445 log
access-list 150 deny   tcp any any eq 1080 log
access-list 150 deny   tcp any any eq ident
access-list 150 deny   tcp any any eq 1214
access-list 150 deny   tcp any any eq 2745
access-list 150 deny   tcp any any eq 5101
access-list 150 deny   tcp any any eq 5554
access-list 150 deny   tcp any any eq 6129
access-list 150 deny   tcp any any eq 9996
access-list 150 deny   udp any any eq 1434
access-list 150 deny   tcp any any eq 11768
access-list 150 deny   tcp any any eq 15118
access-list 150 deny   tcp any any range 1022 1025
access-list 150 deny   tcp any any range 135 139
access-list 150 deny   udp any any range 135 netbios-ss
access-list 150 permit tcp any any eq 443
access-list 150 permit udp any any eq domain
access-list 150 permit tcp any any eq domain
access-list 150 permit tcp any any eq 8181
access-list 150 permit tcp any any eq 8080
access-list 150 permit tcp any any eq 1433
access-list 150 permit ip any any
--------------------------------------------------

Regards

Hamid

Re: Restrict 512Kbps bandwidth to some workstations

Hamid,

You police on the traffic before it's natted and shape after it's natted. So your ACL will reflect the public addresses.

John

HTH, John *** Please rate all useful posts ***
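The point made in the reply above, that ACLs classifying traffic on the NAT outside interface must list the public addresses, can be checked mechanically before a policy is applied. This is an added example, not part of the thread: the function names `parse` and `audit` are hypothetical, the config is constructed with documentation addresses, and only plain `ip nat inside source static <private> <public>` lines and `host` ACL entries are handled.

```python
import re

# Constructed config (documentation addresses); the ACL mistakes are deliberate.
SAMPLE = """\
ip nat inside source static 192.168.10.50 203.0.113.10 extendable
ip nat inside source static 192.168.10.51 203.0.113.11 extendable
ip nat inside source static 192.168.10.52 203.0.113.12 extendable
ip access-list extended Shape
 permit ip host 203.0.113.10 any
 permit ip host 203.0.113.11 any
 permit ip host 192.168.10.52 any
ip access-list extended Police
 permit ip any host 203.0.113.10
 permit ip any host 203.0.113.52
"""
NAT_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")
ACL_RE = re.compile(r"^ip access-list ext\S* (\S+)")

def parse(config):
    """Return ({private: public} static NATs, {acl name: [host addresses]})."""
    nat, acls, current = {}, {}, None
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            nat[m.group(1)] = m.group(2)
        elif m := ACL_RE.match(line):
            current = m.group(1)
            acls[current] = []
            continue
        elif current and line.startswith(" "):
            acls[current] += re.findall(r"\bhost (\d+(?:\.\d+){3})", line)
            continue
        current = None  # any other top-level line ends the ACL block
    return nat, acls

def audit(config, acl_names=("Shape", "Police")):
    """Report ACL entries that cannot match on the NAT outside interface."""
    nat, acls = parse(config)
    publics, problems = set(nat.values()), []
    for name in acl_names:
        hosts = acls.get(name, [])
        for h in hosts:
            if h in nat:
                problems.append(f"{name}: {h} is a private (pre-NAT) address")
            elif h not in publics:
                problems.append(f"{name}: {h} is not a static NAT public address")
        problems += [f"{name}: no entry for {p}" for p in sorted(publics - set(hosts))]
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A workstation whose public address is missing from either ACL falls into the default class and is not limited, so an empty result from `audit` is the condition to look for before attaching the service policies.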
New Member

Restrict 512Kbps bandwidth to some workstations

Dear j,blakley,

>>

You police on the traffic before it's natted and shape after it's natted. So your ACL will reflect the public addresses.

>>

Do you have a better solution?

Regards

Hamid

Restrict 512Kbps bandwidth to some workstations

Hi Hanidrezaaf,

A different approach to your problem is to use GTS (generic traffic shaping).

The syntax of the command is as follows:

traffic-shape rate bit-rate burst-size excess-burst-size

The following config can be applied to the Ethernet (LAN) interface in order to limit all output to 512k:

interface LAN-per user
 traffic-shape rate 512000

Then you can apply the following config to the WAN interface to limit the output to 512 for each of the 3 users:

interface
 traffic-shape group 101 512000
 traffic-shape group 102 512000
 traffic-shape group 103 512000

where 101, 102 and 103 are the access lists that match the user traffic.

Hope that helps,

Vasilis

Please rate the useful posts
