Monday, June 20, 2016

Network Police

The following examples show how to limit traffic to a set of "servers" to 500 Kbps and limit bandwidth to a particular "site" to 2 Mbps. This is useful for throttling traffic on WAN interfaces.

1) Define the servers and the site
object-group network servers
 host 1.1.1.1
 host 1.1.1.2
 host 1.1.1.3
 host 1.1.1.4
!
object-group network site
 2.2.2.0 255.255.255.0
!

2) Define the class maps (these correlate to the access-lists in step 3)
class-map match-any site_traffic
 match access-group 199
 match precedence 3
class-map match-any server_traffic
 match access-group 198
 match precedence 3
!

3) Define an access-list that matches both the "access-group" in step 2 and the "object-group" in step 1.
access-list 198 permit ip any object-group servers
access-list 199 permit ip any object-group site
!
4) Define the limits that you want to apply. The class names here must match the class-map names from step 2 exactly.
policy-map QoS
 class server_traffic
  police 500000
 class site_traffic
  police cir 2000000
!
5) Apply the policy to the interface that you wish to control.
interface FastEthernet0/1
 service-policy output QoS
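The five steps above chain together by name: the interface references the policy-map, the policy-map references class-maps, each class-map references an access-list, and each access-list references an object-group. A typo in any one of those names breaks the chain and the policing never takes effect. The following Python checker is an added example, not part of the original post or of any Cisco tool; it parses an IOS-style configuration (a constructed sample embedded inline, deliberately carrying a mismatched `class servers` / `class site` under the policy-map so there is something to flag), reports references whose target is never defined, and extracts the configured policer rates so they can be compared against the circuit size. The regular expressions cover only the statement forms used in this post.

```python
import re
from collections import defaultdict

# Constructed sample config: the post's five steps, with the policy-map
# referencing "servers"/"site" while the class-maps are named
# "server_traffic"/"site_traffic" (a mismatch the checker should flag).
SAMPLE_CONFIG = """\
object-group network servers
 host 1.1.1.1
 host 1.1.1.2
!
object-group network site
 2.2.2.0 255.255.255.0
!
class-map match-any site_traffic
 match access-group 199
 match precedence 3
class-map match-any server_traffic
 match access-group 198
 match precedence 3
!
access-list 198 permit ip any object-group servers
access-list 199 permit ip any object-group site
!
policy-map QoS
 class servers
  police 500000
 class site
  police cir 2000000
!
interface FastEthernet0/1
 service-policy output QoS
"""

# Same config with the policy-map class names corrected.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace(" class servers\n", " class server_traffic\n")
                .replace(" class site\n", " class site_traffic\n"))


def parse_config(text):
    """Collect defined names, cross-references and policer rates.

    Returns (defined, refs, rates):
      defined: kind -> set of names defined for that kind
      refs:    list of (referrer, target_kind, target_name)
      rates:   "policy-map/class" -> configured rate in bps
    """
    defined = defaultdict(set)
    refs, rates = [], {}
    section = None        # (kind, name) of the enclosing top-level block
    current_class = None  # class currently open inside a policy-map
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):
            # Top-level statement: opens a new block or stands alone.
            section, current_class = None, None
            if m := re.match(r"object-group network (\S+)", line):
                defined["object-group"].add(m.group(1))
                section = ("object-group", m.group(1))
            elif m := re.match(r"class-map (?:match-any|match-all) (\S+)", line):
                defined["class-map"].add(m.group(1))
                section = ("class-map", m.group(1))
            elif m := re.match(r"policy-map (\S+)", line):
                defined["policy-map"].add(m.group(1))
                section = ("policy-map", m.group(1))
            elif m := re.match(r"access-list (\d+) .*object-group (\S+)", line):
                defined["access-list"].add(m.group(1))
                refs.append((f"access-list {m.group(1)}", "object-group", m.group(2)))
            elif m := re.match(r"access-list (\d+) ", line):
                defined["access-list"].add(m.group(1))
            elif m := re.match(r"interface (\S+)", line):
                section = ("interface", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        body = line.strip()
        if kind == "class-map":
            if m := re.match(r"match access-group (\d+)", body):
                refs.append((f"class-map {name}", "access-list", m.group(1)))
        elif kind == "policy-map":
            if m := re.match(r"class (\S+)", body):
                current_class = m.group(1)
                if current_class != "class-default":
                    refs.append((f"policy-map {name}", "class-map", current_class))
            elif (m := re.match(r"police (?:cir )?(\d+)", body)) and current_class:
                rates[f"{name}/{current_class}"] = int(m.group(1))
        elif kind == "interface":
            if m := re.match(r"service-policy (?:input|output) (\S+)", body):
                refs.append((f"interface {name}", "policy-map", m.group(1)))
    return defined, refs, rates


def dangling_references(text):
    """References whose target name is never defined, as readable strings."""
    defined, refs, _ = parse_config(text)
    return [f"{src} -> {kind} {tgt}" for src, kind, tgt in refs
            if tgt not in defined[kind]]


def policer_rates(text):
    """Configured policer rate (bps) per policy-map class."""
    return parse_config(text)[2]


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: dangling = {dangling_references(cfg)}")
        print(f"{label}: rates = {policer_rates(cfg)}")
```

Run against the sample as posted, the checker reports the two policy-map classes that point at class-maps which do not exist; after the names are corrected it reports nothing and the two policer rates sum to 2.5 Mbps, comfortably under the 10 Mbps circuit mentioned below.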

Without these rules the network traffic could easily exceed the bandwidth available. For example, without the rules, attempted traffic across a 10 Mbps circuit for the site and servers might look like this.

Once the rules are applied, NetFlow allows us to see the containment of the traffic:

