Cisco IOS TrafficShaping for ADSL traffic

So, I am trying to implement some QoS Traffic Shaping on my Cisco 877 to ensure certain clients on the network do not hose my bandwidth.

Have played with a couple of things but cannot get it to work.

For testing I am plugged into fe0 with my system and am trying to shape FTP traffic to have 90% bandwidth over anything else.

This is what I currently have on fe0

Code:
sinhome#show policy-map interface fastEthernet 0
 FastEthernet0

  Service-policy output: SHAPE_LAN

    Class-map: class-default (match-any)
      358 packets, 21480 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          1680000/1680000   10500  42000     42000     25        5250

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         358       21480     0         0         no

      Service-policy : FTPSHAPE

        Class-map: PREMIUM (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol nfs
            0 packets, 0 bytes
            5 minute rate 0 bps
          Queueing
            Output Queue: Conversation 73
            Bandwidth 90 (%)
            Bandwidth 1512 (kbps) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

        Class-map: class-default (match-any)
          273 packets, 16380 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          Queueing
            Output Queue: Conversation 74
            Bandwidth 10 (%)
            Bandwidth 168 (kbps) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

And this is the relevant config:

Code:
class-map match-any PREMIUM
 match protocol ftp
!
!
policy-map FTPSHAPE
  class PREMIUM
  bandwidth percent 90
  class class-default
  bandwidth percent 10
!
policy-map SHAPE_LAN
  class class-default
  shape average 1680000
  service-policy FTPSHAPE

!
interface FastEthernet0
 description LAN
 service-policy output SHAPE_LAN

You cannot apply GTS to ATM0, Dialer1 etc so that's why it is on fe0 with the shape average of 1680000 (I'm on 2Mbit but I have understated it to make sure I am triggering). Am I missing something?

I start an HTTP download and it takes 100% of the bandwidth, then I trigger an FTP download which should trigger shaping, but the shaping is not happening.

Help please!
 
Ok, this works :)

Code:
class-map match-any THROTTLE
 match protocol ftp
!
!
policy-map THROTTLEDSL
  class THROTTLE
  police cir 1500000
    conform-action transmit
    exceed-action drop
    violate-action drop

Code:
interface Dialer1
 description newtel-DSL$FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 no cdp enable
 ppp pap sent-username ********** password 7 ***************
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 service-policy input THROTTLEDSL
 
Next step, applying it to an access-group instead of protocol.

Using:

Code:
access-list 11 permit 192.168.1.1

class-map match-any THROTTLE
  match access-group 11

But it does not seem to be working. Is the Dialer1 interface only capable of matching against protocols?
 
Without seeing your whole config it's difficult to say but as you're running NAT, I'm not sure the attempt to match an internal IP on the dialer interface input will actually match anything. I can't say for sure as I've never had reason to configure NAT and policy maps together like this...
 
Can't really help - looks like you've got it mostly under control anyway :)

Was just wondering if these sort of configs would work on switches in order to throttle bandwidth on ports and vlans?
 

You can do some vlan based rate limiting on some switches (from memory it works well on 2960s and better...). It's not as good as the router stuff and a little more confusing to configure but cisco have some good example configs floating around.

It's been a while but I remember trying to bend my head round a rate shaping config on a 3750 we were using as a router - possible but not recommended in that particular scenario...
 

Think my efforts would be better directed at a fe port?

As for my whole config:

(cleared of QoS stuff)

Code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname sinhome
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
enable secret 5 ********************
enable password 7 *****************
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool sdm-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 213.133.223.11
   lease 0 2
!
!
ip tcp synwait-time 10
ip ftp username cisco
ip ftp password 7 ************************
no ip bootp server
ip domain name sin.local
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW https
!
!
crypto pki trustpoint TP-self-signed-4281229074
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4281229074
 revocation-check none
 rsakeypair TP-self-signed-4281229074
!
!
crypto pki certificate chain TP-self-signed-4281229074
 certificate self-signed 01 nvram:IOS-Self-Sig#3401.cer
username **** privilege 15 secret 5 *********************************************
!
!
!
!
!
!
interface ATM0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 dsl enable-training-log
!
interface FastEthernet0
 description LAN
!
interface FastEthernet1
 description LAN
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer1
 description newtel-DSL$FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 no cdp enable
 ppp pap sent-username ****** password 7 **************
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 192.168.1.1 3784 interface Dialer1 3784
ip nat inside source static tcp 192.168.1.1 5005 interface Dialer1 5005
ip nat inside source static tcp 192.168.1.1 5004 interface Dialer1 5004
ip nat inside source static tcp 192.168.1.1 5003 interface Dialer1 5003
ip nat inside source static tcp 192.168.1.1 5002 interface Dialer1 5002
ip nat inside source static tcp 192.168.1.1 5001 interface Dialer1 5001
ip nat inside source static tcp 192.168.1.1 5000 interface Dialer1 5000
ip nat inside source static tcp 192.168.1.1 113 interface Dialer1 113
ip nat inside source static udp 192.168.1.1 113 interface Dialer1 113
ip nat inside source static udp 192.168.1.1 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.1.1 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.1 3784 interface Dialer1 3784
ip nat inside source static tcp 192.168.1.1 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.1 12345 interface Dialer1 12345
ip nat inside source static tcp 192.168.1.1 5900 interface Dialer1 5900
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=0
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=0
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq ftp
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit udp any any eq 3784
access-list 101 permit tcp any any eq 3784
access-list 101 permit tcp any any eq 5900
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 12345
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 54321
access-list 101 permit udp any any eq 54321
access-list 101 permit udp any any eq 113
access-list 101 permit tcp any any eq ident
access-list 101 permit tcp any any eq 5000
access-list 101 permit tcp any any eq 5001
access-list 101 permit tcp any any eq 5002
access-list 101 permit tcp any any eq 5003
access-list 101 permit tcp any any eq 5004
access-list 101 permit tcp any any eq 5005
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   icmp any any echo-reply
access-list 101 deny   icmp any any time-exceeded
access-list 101 deny   icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
no cdp run
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
banner motd ^CCC
                        You are Accessing Restricted Equipment
                        All Activities are Monitored and Logged
                        Unauthorised Use Prohibited

                        By accessing you agree to have your activites Monitored and Logged
^C
!
line con 0
 password 7 71125508
 no modem enable
 transport output telnet
line aux 0
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 

Nah, applying to the dialer interface makes sense and works as you've proven. The problem is likely when you match against an access list specifying an internal IP you get no matches, because the traffic hasn't yet been nat'd so no traffic inbound has that destination IP. So either you need to match protocol or a public IP (which only works if you've got multiple static public IPs and from your config you haven't).

There is almost certainly a way to do it but it's escaping me at the moment (I've been working for ISPs for too long, I'm used to having surplus public IPs and not bothering with NAT). Try and bear in mind that around this area there's usually more than one way to skin a cat with Cisco equipment.

There are ways revolving around VRFs and looping interfaces back into the router but they are crimes against network architecture and should be banned (also, I doubt a low end cisco will support it).
 
As long as it works I don't mind class matching against:

Anything being downloaded to fe1.
Anything being downloaded by an internal IP address/range (which we seem to think will not work because of NATing)

I do not mind throttling fe1 as it will only be internet bound traffic so if there is a solution that way I am all ears.
 
Umm, there might be, I don't know how fully featured the switch part of the router is.

Usually you can only effectively shape traffic inbound to a port (there are exceptions but this is a good rule of thumb) and that doesn't work here for an IP access list because of the NAT. So you're left with port/vlan based rate limiting features, seeing as all ports are in vlan1 you can't do vlan based though...

I'm struggling for a quick solution actually...sure you can't shape based on protocol alone?
 
Protocol alone? Nope.

It would work policing say HTTP traffic from clients connected via wireless on fe1 but it would also police my traffic connected directly on fe0.

Surely it must be possible as many many consumer routers support QoS for bandwidth throttling. My old Billion 7300G throttles bandwidth perfectly based on IP, protocol etc.

Could I set up fe1 through 3 to be in VLAN2, throttle that VLAN and have it access VLAN1 also? (this would not be required but useful)
 
Well everything is done the standard Cisco way (which is pretty good, it's logical and structured at least). The problem is using the standard cisco building blocks, traffic is inspected and assigned to service policies at ingress into the router, there's no way to apply a service policy in the middle of the router if that makes sense, so when it examines it at ingress it can't filter on internal IP as it hasn't yet been NAT'd so all traffic is going to the one public IP.

I'd also caution that this will only work so well anyway as you're relying on TCP windows and the connection backing off to make it work at all (it won't work at all with UDP traffic for instance). It ideally needs QOS applied before it goes into the bandwidth limited link at the other (ISP) end but you obviously don't have that option - most of this QOS stuff is designed for outbound traffic (and that'll work great if you want to prioritise VOIP over a file upload or similar but that's not your requirement).

If you had a router terminating your ADSL and doing NAT, then a second doing the QOS it'd also work great as it'd be coming into the router with the private destination IP and the access list would match it fine. But I suspect you don't want to buy another router!

It does seem strange, but then again no Cisco IOS router supports uPNP (I think that's still true...) which is a widely available consumer feature. In this case it's because Cisco don't want to break their established standard of how things are done. Sucks...
 
I have a second router, but I specifically came off that onto an 877 because it was unreliable and kept falling over!

Surely I can throttle on a fe port? Like I said, the clients I want to throttle will only be accessing the Dialer interface so if I can throttle the port before it even gets there that would work?

fe0 - My systems
fe1 - Wireless AP
Wireless AP - Everything else coming to net

Ideally I want to throttle fe1 input and output, even if that means limiting the 100mbit capability of the fe port, if this makes sense?

I can throttle VLAN1 with:

Code:
class-map match-any LOW
match any

policy-map THROTTLE
class LOW
police 500000
conform-action transmit
exceed-action drop
violate-action drop

interface vlan1
service-policy input THROTTLE
service-policy output THROTTLE

But applying this to fe ports does not work.

It seems the 877 out of the box comes with vlan1 configured on the 4 switch ports, but with advanced IP Services (which I have) you can have up to 4 VLANs. I am too much of a cisco noob to wrap my head around this and start configuring different VLANs!
 
How does this look?

Code:
class-map match-any LOW
 match any 
!
!
policy-map THROTTLE
  class LOW
  police cir 500000
    conform-action transmit 
    exceed-action drop 
    violate-action drop 
policy-map THROTTLEUP
  class LOW
  police cir 250000
    conform-action transmit 
    exceed-action drop 
    violate-action drop 

interface FastEthernet0
 description LAN
!
interface FastEthernet1
 description WIRELESS-AP Access
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 service-policy input THROTTLE
 service-policy output THROTTLEUP

access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
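Putting the NAT-ordering point made earlier in the thread together with the VLAN 2 policer above: on a single router doing NAT, an ACL naming an internal address can only classify downloads where the packet already carries its translated private destination, which is the output direction of the inside SVI (router towards the VLAN 2 hosts). The following is an added example config, not from the thread or the OP's router; the host address 192.168.2.10, the ACL name HOST-DOWNLOADS and the class/policy names are assumed values chosen for illustration.

```cisco
! Added example, not the OP's config: police downloads to one assumed
! wireless client on VLAN 2 by matching its private address in the
! output direction of the SVI, i.e. after inbound NAT has already been undone.
ip access-list extended HOST-DOWNLOADS
 remark constructed example: 192.168.2.10 is an assumed client on VLAN 2
 permit ip any host 192.168.2.10
!
class-map match-any THROTTLE-HOST
 match access-group name HOST-DOWNLOADS
!
policy-map THROTTLE-VLAN2-OUT
 class THROTTLE-HOST
  ! cir in bits/s, bc (burst) in bytes; 62500 bytes is one second at 500 kbit/s
  police cir 500000 bc 62500
   conform-action transmit
   exceed-action drop
   violate-action drop
 class class-default
!
interface Vlan2
 ! output = traffic the router sends to VLAN 2 hosts, i.e. their downloads
 service-policy output THROTTLE-VLAN2-OUT
```

Uploads from the same host would be matched the other way round (`permit ip host 192.168.2.10 any` in a second ACL, applied with `service-policy input` on Vlan2, where the source address is still private). The same `show policy-map interface` command used at the top of the thread, run against Vlan2, shows per-class conformed and exceeded packet counters, which is the quickest way to confirm the ACL is actually matching rather than falling through to class-default.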
 
I'm far from a QoS expert, but you are taking into account that the policy will only come into effect when the interface is congested right?

So if you apply it to a 100mb interface, you won't see the QoS kick in till it gets busy...
 
Chief - With shaping yes.

With policing - no :)

I have got it working with another vlan and policing.

But for some reason policing the upload below 256000bps kills upload.

At 256000 it will hold and do its thing, albeit at about half of what it should upload but anything below means a 96000byte chunk is uploaded then the connection drops.

Any ideas?
 

Remember a switch is L2 and a router is L3 - so a switch is basically limited to rate-limiting on what it can see in the CoS field so it isn't really worth the effort unless you are trunking or using IPT etc. One thing you can do however is control the amount of multicast/broadcast traffic compared to unicast - search Cisco for Storm Control.
 
Slightly different application and it was a total bodge but I turned around a Cisco 851 (used the WAN port for LAN and vice versa) and I was able to do input / output based policing on two VLANs. I didn't try doing anything protocol based but it might work.

FA04 or whatever the WAN port was is then into a managed switch for distribution.

If you want I can see about finding the config somewhere for you.
 

My 2960 sort of can:

It has % based rate limit on port egress and QoS based policing on the ingress which can be applied to class matches based on ACLs so it should be possible to do protocol / destination based ingress rate limiting but egress would affect all traffic passing through the port.

I am fairly sure that 3550, 3560 and 3760s support both ingress / egress QoS based shaping and policing.
 