If you followed my recent Cisco Catalyst rate-limiting post, you already know that policing traffic on a Cisco Catalyst switch requires a bit of thought. Mainly, you have to do a bit of calculating to determine the best bucket size for your application. The good news is that achieving the same effect on a Cisco IOS-based router is much easier.
You can enable shaping on an interface (or sub-interface) in three easy steps. Just remember: class, policy, interface.
Class
class-map match-any CLASS_SLAP
 match any
On the router, we have the ability to tell the class map to match any traffic. This is in contrast to the Catalyst switch where we had to specify an access-list to match on. This saves us a step and achieves the exact same results. In this case, we are going to assign all traffic to the CLASS_SLAP class.
Policy
policy-map POLICY_SLAP
 class CLASS_SLAP
  shape average 8000000
Now it's time to define our policy map. In this case, we're going to take any traffic that matched the CLASS_SLAP class (which, as you remember, is all traffic) and apply a shaping policy to it. We use the shape average 8000000 configuration command to limit our speed (the CIR) to 8 Mbps. Another configuration command available for a policy map is bandwidth, which has a similar effect. Unfortunately, a policy map utilizing the bandwidth configuration command cannot be applied to a sub-interface. This limitation may not be a problem for you, though.
Interface
interface GigabitEthernet0/3.429
 encapsulation dot1Q 429
 service-policy output POLICY_SLAP
Finally, we need to apply the policy map to an interface using the service-policy configuration command. In this example, I used a sub-interface to make the example a little more applicable to real-world circumstances. I've also applied the policy map in the outbound direction. Thus, the users of VLAN 429 are only allowed to download at an aggregate of 8 Mbps.
Wasn't that easy? How do your own experiences compare?
UPDATE: I recently added a post that discusses rate limiting based on time of day. Check it out!
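To see what the shaper configured above does to a burst, compared with the policing used in the Catalyst post, here is a small token-bucket model. It is an added example, not part of the original post: only the 8,000,000 bps CIR comes from the configuration above, while the 4 ms interval, the function names and the sample burst are assumptions chosen for illustration.

```python
# Added example: token-bucket model of shaping vs. policing at the post's CIR.
CIR_BPS = 8_000_000            # from `shape average 8000000`
TC_S = 0.004                   # assumed interval (illustrative, not read from a device)
BC_BITS = CIR_BPS * TC_S       # burst allowed per interval: 32,000 bits


def police(packets, cir=CIR_BPS, bc=BC_BITS):
    """Policer: out-of-contract packets are dropped. Returns (sent, dropped)."""
    tokens, last, sent, dropped = bc, 0.0, [], []
    for t, bits in packets:
        tokens = min(bc, tokens + (t - last) * cir)   # refill since last arrival
        last = t
        if tokens >= bits:
            tokens -= bits
            sent.append((t, t))                       # forwarded with no delay
        else:
            dropped.append(t)
    return sent, dropped


def shape(packets, cir=CIR_BPS, bc=BC_BITS):
    """Shaper: out-of-contract packets wait in a queue. Returns [(arrival, departure)]."""
    tokens, last, sent = bc, 0.0, []
    for t, bits in packets:                           # FIFO; each packet must fit in bc
        start = max(t, last)                          # cannot overtake queued packets
        tokens = min(bc, tokens + (start - last) * cir)
        wait = max(0.0, (bits - tokens) / cir)        # time until enough tokens exist
        tokens = max(0.0, tokens - bits)              # bucket is empty after a wait
        last = start + wait
        sent.append((t, last))
    return sent


def worst_delay_ms(sent):
    """Largest queueing delay, in milliseconds, over (arrival, departure) pairs."""
    return max(dep - arr for arr, dep in sent) * 1000


# Constructed input: ten 1500-byte packets arriving back-to-back at t=0.
BURST = [(0.0, 1500 * 8)] * 10

if __name__ == "__main__":
    p_sent, p_dropped = police(BURST)
    s_sent = shape(BURST)
    print(f"police: {len(p_sent)} sent, {len(p_dropped)} dropped")
    print(f"shape:  {len(s_sent)} sent, worst delay {worst_delay_ms(s_sent):.1f} ms")
```

The same burst that loses packets under the policer is delivered in full by the shaper, at the cost of queueing delay for the tail of the burst.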
The reason you cannot use "bandwidth" command on a subinterface is that it's a queuing command (applies only when the output queue becomes saturated) and there are no per-subint queues on a router.
The "shape" command is different, as it delays out-of-contract traffic in a separate virtual queue which can be implemented for any interface type.
You are exactly right, Ivan.
Thanks for the input!
I'm new to traffic shaping. Is this using Policing, or Shaping? I have a Cisco 3560G that I would like to use GTS on. The goal is to limit one of my users to 13Mb/s, but also to give his game-traffic a higher priority. Based on the Cisco website at http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml shaping looks like it would be a lot better situation for my scenario. Would you mind telling me what you think?
@Todd Smith -
This post describes traffic shaping. Remember that traffic shaping only works on output. Therefore, if you want to also control input speed on an interface, you'll need to use policing, too.
Not true. Traffic shaping can be applied in either the inbound or outbound direction. Example:
class-map voip
 match ip rtp 16384 17800
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
class-map filetransfer
 match access-group 101
policy-map traffic-inbound
 class voip
  set ip dscp 46
  priority 256
 class filetransfer
  police 128000 16000 16000 conform-action set-dscp-transmit 26 exceed-action set-dscp-transmit 30 violate-action drop
policy-map traffic-outbound
 class voip
  set ip dscp 46
  priority 256
 class filetransfer
  police 128000 16000 16000 conform-action set-dscp-transmit 26 exceed-action set-dscp-transmit 30 violate-action drop
interface serial 0/1
 service-policy input traffic-inbound
 service-policy output traffic-outbound
The above configuration will "shape" the traffic for VoIP and FTP applications in both directions and limit their bandwidths to 256kbps and 128kbps respectively. However, if you just want to limit bandwidth, the rate-limit command is probably a better choice than the above. The advantage of the above is that you can set the class of service, set IP precedence and set the IP DSCP value as well as set bandwidth limits all in one shot. Hope this was helpful.
Shape VOIP traffic man?
It's better you lost the packet than you delay the transmission, or retransmit.
The priority command provides a minimum and maximum bandwidth guarantee. If you have a known amount of VoIP traffic, this should improve performance as it guarantees the necessary amount of bandwidth.
As to Brian's other comment, I consider there to be a difference between policing and shaping. The difference may be too fine to matter in many cases, though.
Can you both control input and output bandwidth on the same interface?
You can only apply one policy-map per interface per direction so what is to be used for the second direction?
julito see my comment above. Yes you can control the input and output bandwidth on an interface. You can use the "rate-limit" command or use the "class-map", "policy-map" and "service-policy" commands similar to what I posted in the above example.
I've been told that the Rate-Limit command is brutal, and causes applications lots of issues - to the point that you wouldn't want to implement it.
Have I been told an untruth? (to put it mildly)
Also, do packets marked with DSCP QoS (in the EF queue) risk an equal chance of being dropped by the Rate-Limit than packets with no QoS set? (we have VoIP packets QoS'ed into the EF queue).
I have to give a server IP most of the bandwidth on my Internet circuit. Would this be the best way to accomplish that?
The server ip is
20.20.151.11
subnet mask
255.255.255.224
gateway
20.20.151.1
Ray -
You should be able to do what you're asking. Create an access-list and then use match access-group <access-list> in your class map.
Would this work?
class-map match-any DR-Cluster-ESXI
match access-group 101
!
!
policy-map POLICY_ESXI
class DR-Cluster-ESXI
!
access-list 101 permit ipinip 0.0.0.0 20.20.151.12 any
!
interface GigabitEthernet9/1
service-policy output traffic-outbound
Thanks for your help!
Ray
Also the shape average is not supported in my 6500. What else can I use??
It might be even simpler by using class-default, thus leaving out the class-map. Am I right?
Mark
You are right, Mark.
In that case, our policy map would look like this:
Cool :-)
... and thanks for both posts!
Mark
Hi. I have a Cisco and I want to limit all connections. There is only one network, 192.168.0.1-254. Max down speed is 50mbps, and up is about 30mbps. I want to limit every IP in the network to have max down 15mbps and up 5mbps. Can you help me with commands?