Networking – Cisco Traffic Policing

Published by Nick Carlton on

There may come a time where you need to limit the speed of a connection coming through a router. This could be part of an internal network or part of and ISP's network.

I am going to demonstrate this on an ISP topology where we are limiting the customers speed to the internet.

Lets see the topology:

So here we are going to limit the customers speed to 5mbps upload and 50mbps download.

Lets look at the upload and download speed currently:

Before traffic policing we are getting 91mbps download and 19mbps upload.

The Configuration

Create an ACL to map the traffic we want to police:

ISP_EDGE(config)# access-list 101 permit ip any host 178.63.25.2
ISP_EDGE(config)# access-list 102 permit ip host 178.63.25.2 any

The IP address used in the ACL's is the customers public IPv4 address

These ACL's will catch all upload and download traffic (ingress and egress). We have two separate ACL's because the desired upload and download speeds are different. ACL 101 will catch download traffic and ACL 102 will catch upload traffic

Now we need to link these ACL's to Class Map's.

ISP_EDGE(config)# class-map match-all Customer-1-Download
ISP_EDGE(config-cmap)# match access-group 101
ISP_EDGE(config)# class-map match-all Customer-1-Upload
ISP_EDGE(config-cmap)# match access-group 102

These Class Maps are used to match traffic, here we have chosen the ACL's we created before.

Now to tie the Class Maps to a Policy Map.

ISP_EDGE(config)# policy-map speedcontrol
ISP_EDGE(config-pmap)# class Customer-1-Download
ISP_EDGE(config-pmap-c)# police cir 50000000
ISP_EDGE(config-pmap-c-police)# conform-action transmit
ISP_EDGE(config-pmap-c-police)# exceed-action drop
ISP_EDGE(config-pmap)# class Customer-1-Upload
ISP_EDGE(config-pmap-c)# police cir 5000000
ISP_EDGE(config-pmap-c-police)# conform-action transmit
ISP_EDGE(config-pmap-c-police)# exceed-action drop

The police command sets the speed that we will police, the number is in bits per second. The value entered would limit to 50mbps and 5mbps.

Now we have tied all of the pieces together we need to apply it to a port on the ISP router.

ISP_EDGE(config)# interface GigabitEthernet 0/1
ISP_EDGE(config-if)# service-policy input speedcontrol
ISP_EDGE(config-if)# service-policy output speedcontrol

This applies the Policy Map to the port that connects to the Customer equipment.

The speed should now have taken effect. Lets see the speedtest after:

The results of this speed test, tell us that the configuration worked.

If you don't see this change in speed. Double check your configuration.

The main benefits to doing traffic policing on the ISP equipment is so that you do not have to touch any of the customers equipment. Also if this was configured on the customer equipment, there is a possibility that they may be able to adjust the policing speed to increase their speed.

Categories: Expert Tutorial
Tags:

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Cisco

VXLAN EVPN Multi-Site – Part 9 – External Access outside Fabric

In the last part, we got route leaking in tenant VRFs working, in this part, we will look at giving the VRFs a way out of the Fabric! We have added some new devices to Read more…

Cisco

VXLAN EVPN Multi-Site – Part 8 – L3VNI Configuration – Multi Tenant Leaking

In the last part, we got a multiple tenant VRFs working, in this part, we will look at joining the tenants up via route leaking. Lets remind ourselves of the topology: So, currently we have Read more…

Cisco

VXLAN EVPN Multi-Site – Part 7 – L3VNI Configuration – Multi Tenant

In the last part, we got a single tenant VRF working, in this part, we will look at splitting vlan 1001 off into its own separate Tenant to show a multi-tenant setup. Lets remind ourselves Read more…