
New Member

Traffic policing

Hi.

I need to do some traffic policing.

I have 2 IPs in my LAN that need differentiated policing: - policing 500k - policing 1M

I have configured the class-maps as follows.

class-map match-any SG1
 match access-group 161
class-map match-any SG2
 match access-group 162

policy-map SHAP
 class SG1
  police 500000 conform-action transmit exceed-action drop
 class SG2
  police 1000000 conform-action transmit exceed-action drop

access-list 161 permit ip host any
access-list 162 permit ip host any

And I applied the policy map to the input direction on the Fa4 (WAN interface).

The problem is that I don't see matches on the access-lists.

If I put the any any at the end, the shaping functions, so I guess the problem is with access-list / NAT.

Vlan 1 ip /24

WAN Ip xx.xx.xx.xx

NAT is performed in order to get to the internet.

Any ideas?

Cisco Employee

Traffic policing

Hello, is your LAN correct? If that is the case, the service policy should be applied in the output direction if applied to the WAN interface. Also, based on the results of my testing, if you police on the WAN interface, ACLs 161 and 162 would need to match on the NAT'd address. I suggest applying service policy input on the LAN interface. In this configuration you can use the inside local address aka address space.



Re: Traffic policing


Policing is fine to use in the inbound direction. In your case, you just need to know that policing is done before the NAT process. You may try changing the ACLs. It would be "permit ip any host ".
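
An added illustration, not part of any post above: a small Python model of the point made in the replies (an input policy sees the packet before NAT, an output policy sees it after NAT), showing at which attachment point each ACL form can match one inside host. The addresses, ports and PAT table are constructed, since the thread's own addresses are redacted.

```python
from ipaddress import ip_address, ip_network

# Constructed values; the thread's real addresses are redacted.
PC1, PC2 = "192.168.1.10", "192.168.1.11"        # assumed inside local hosts (ACL 161 / 162)
WAN_IP, REMOTE = "203.0.113.5", "198.51.100.7"   # assumed NAT overload address, Internet host
ANY = "0.0.0.0/0"

# PAT table: (inside local ip, port) -> (inside global ip, port)
PAT = {(PC1, 40001): (WAN_IP, 50001), (PC2, 40002): (WAN_IP, 50002)}
UNPAT = {g: l for l, g in PAT.items()}

def permits(acl, pkt):
    """acl = (src_net, dst_net) as in 'permit ip <src> <dst>'; pkt = (src, sport, dst, dport)."""
    return (ip_address(pkt[0]) in ip_network(acl[0])
            and ip_address(pkt[2]) in ip_network(acl[1]))

def forward(pkt, ingress):
    """Headers seen by the input policy (before NAT) and the output policy (after NAT)."""
    src, sport, dst, dport = pkt
    if ingress == "LAN":                  # inside -> outside: source is translated
        gsrc, gsport = PAT[(src, sport)]
        out = (gsrc, gsport, dst, dport)
    else:                                 # outside -> inside: destination is translated
        ldst, ldport = UNPAT[(dst, dport)]
        out = (src, sport, ldst, ldport)
    return {"input": pkt, "output": out}

def match_points(acl):
    """Attachment points at which this ACL classifies PC1's upload or download traffic."""
    up = forward((PC1, 40001, REMOTE, 443), "LAN")
    down = forward((REMOTE, 443, WAN_IP, 50001), "WAN")
    views = {"LAN input": up["input"], "WAN output": up["output"],
             "WAN input": down["input"], "LAN output": down["output"]}
    return [name for name, pkt in views.items() if permits(acl, pkt)]

ACL_SRC_HOST = (PC1 + "/32", ANY)     # 'permit ip host <PC1> any', the form in the question
ACL_DST_HOST = (ANY, PC1 + "/32")     # 'permit ip any host <PC1>'
ACL_SRC_WAN = (WAN_IP + "/32", ANY)   # 'permit ip host <WAN_IP> any'

if __name__ == "__main__":
    for name, acl in [("src host", ACL_SRC_HOST), ("dst host", ACL_DST_HOST),
                      ("src WAN", ACL_SRC_WAN)]:
        print(name, "matches at:", match_points(acl))
```

In this model the ACL from the question never matches on the WAN interface in either direction, and an ACL on the shared overload address cannot tell the two inside hosts apart.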