Question : Problem: Traffic Shape on Cisco 3660 Router
Hi, I am the new guy in here. Anyway, here is my problem. We have several offices all over the country. We are using LL (leased line) connections (64Kbs) between the head office and the side departments. The side department offices are using too much internet and SMTP (email, Exchange). My Exchange and proxy servers are here. So, when they want to go on the internet, they come to my head office proxy server. So, internet and Exchange (email) are eating my bandwidth. I have to do traffic shaping. So, I tried a couple of shots. It was like this before:
!
interface Serial2/0:13
 description XXXXXXXXX
 bandwidth 64
 ip unnumbered Loopback0
 encapsulation ppp
 no fair-queue
 compress stac
!
I created an access list first:
access-list 105 permit tcp A.B.C.D (ip in another department) host E.F.G.H (ip in my head office proxy) eq 8080 ---(proxy port)
Then I made a traffic shaping:
router(config-if)#traffic-shape rate 8000
(interface serial 2/0:13, and I am trying to put 8Kbit=1KByte)
Then show run looks like this:
interface Serial2/0:13
 description XXXXXXXX
 bandwidth 64
 ip unnumbered Loopback0
 encapsulation ppp
 no fair-queue
 compress stac
 traffic-shape group 105 8000 8000 8000 1000
!
Now, I have no idea why it put the other eight thousands and the one thousand. I know these are burst-size and excess-burst-size, but I don't know how they work, that's why I just put the command like this:
router(config-if)#traffic-shape rate 8000
well, after that,
router>sh traffic-shape statistics s2/0:13
          Access Queue  Packets  Bytes  Packets  Bytes    Shaping
I/F       List   Depth                  Delayed  Delayed  Active
Se2/0:13  105    0      0        0      0        0        no
So, as you understood, traffic shaping doesn't work. Because I did "ip accounting" and I saw some of the computers' internet connections again, and they were taking more than 8000Kbit. Also, I tried to download data from the internet, and I saw data was coming to the computer at more than 8KByte. It isn't supposed to be more than 1K. The last test was from McAfee, I used the speedometer. It said my internet connection was 32Kbit.
So, it doesn't work, doesn't work, doesn't work.
Last thing: I took off "traffic shape group 105" and put "traffic shaping rate" on this interface:
router(config-if)#no traffic-shape group 105
router(config-if)#traffic-shape rate 64000
(because I have a 64Kbit leased line connection between the head office and this department)
Then let's see "traffic-shape statistics":
router#sh traffic-shape statistics s2/0:13
          Access Queue  Packets  Bytes  Packets  Bytes    Shaping
I/F       List   Depth                  Delayed  Delayed  Active
Se2/0:13         0      99       22607  8        3883     yes
So, it looks like it works. But it doesn't, because I didn't shape my connections. I just put the rate 64000bit for my connection. For testing, I again used the McAfee speedometer and the ip accounting command, and I saw they can still take (download) over 5K. I think it just made the bandwidth 64Kb. I don't want this. I just want to put a rate on the internet connection and my Exchange connection.
After I did these, I also did this:
router(config)#int s2/0:13
router(config-if)#traffic-shape rate 64000
router(config-if)#traffic-shape group 105 8000
After that it says: mix of shaping with and without access lists prohibited
And sh run looks like:
!
interface Serial2/0:13
 description XXXXXXXXX
 bandwidth 64
 ip unnumbered Loopback0
 encapsulation ppp
 no fair-queue
 compress stac
 traffic-shape rate 64000 8000 8000 1000
!
So, it didn't take group 105 8000.
Those configurations were applied on my main router in our head office, just for outgoing traffic from the main router to there. I didn't do anything on the other side department router. I think every configuration should be made on the main router. I don't think we should configure the other side department router. Anyway, it is all about outgoing traffic in the main office.
I am posting this as very high importance and urgent. 500 points.
I need to solve this problem ASAP. Thank you for any comments and help.
Best Regards.
Answer : Problem: Traffic Shape on Cisco 3660 Router
A couple of things:
You've got your src/destinations wrong (the source will be the proxy):
access-list 105 permit tcp A.B.C.D (ip in another department) host E.F.G.H (ip in my head office proxy) eq 8080 ---(proxy port)
This is because traffic shaping only works outbound on an interface, so the main traffic from the hub to the spoke will be *sourced* from E.F.G.H eq 8080, and the remote office IP will be the destination.
Also, you might want to figure out exactly what the Mining Application uses as far as IP addresses/ports/protocols and change how you do your shaping, i.e. explicitly deny traffic related to the mining app and then just 'permit ip any any' as the last line of the shaping access-list, so that you can in effect say: if you're not the mining app, you're rate limited...
so:
access-list 105 deny tcp host A.B.C.D (ip of mining app server) any
access-list 105 permit ip any any (all the rest of the stuff)
interface Serial2/0:13
 traffic-shape group 105 8000 8000 8000 1000
This may be sufficient, but since this only affects outbound traffic, you may want to consider building this on outbound interfaces of the spoke routers.
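Added example, not part of the original answer: a small Python model of extended-ACL matching that shows why access-list 105 as posted left the shaping counters at zero on the hub's outbound interface, and what the reversed entry and the deny-then-permit list from the answer match instead. The addresses (RFC 5737 documentation ranges standing in for A.B.C.D and E.F.G.H), the port numbers other than 8080 and all names in the code are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROXY, SPOKE_PC, MINING = "192.0.2.10", "198.51.100.25", "192.0.2.30"  # constructed
ANY = "0.0.0.0/0"  # stands in for the ACL keyword 'any'

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def inside(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

@dataclass(frozen=True)
class Ace:  # one extended-ACL entry: action proto src [eq sport] dst [eq dport]
    action: str
    proto: str  # "ip" matches every protocol
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and inside(p.src, self.src) and inside(p.dst, self.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def shaped(acl, packets):
    """Packets the shaping group acts on: the first matching entry decides,
    and a packet that matches no entry is left unshaped."""
    verdict = lambda p: next((a.action for a in acl if a.matches(p)), "deny")
    return [p for p in packets if verdict(p) == "permit"]

# Traffic leaving the hub on the serial link toward the spoke (constructed):
REPLIES = [Packet("tcp", PROXY, 8080, SPOKE_PC, 40000 + i) for i in range(3)]
MINING_DATA = [Packet("tcp", MINING, 5000, SPOKE_PC, 41000)]
OUTBOUND = REPLIES + MINING_DATA
# The spoke's requests arrive on that link, so outbound shaping never sees them:
REQUESTS = [Packet("tcp", SPOKE_PC, 40000 + i, PROXY, 8080) for i in range(3)]

# As posted: permit tcp <spoke> host <proxy> eq 8080
AS_POSTED = [Ace("permit", "tcp", SPOKE_PC + "/32", PROXY + "/32", dport=8080)]
# Reversed as the answer describes: permit tcp host <proxy> eq 8080 host <spoke>
REVERSED = [Ace("permit", "tcp", PROXY + "/32", SPOKE_PC + "/32", sport=8080)]
# The answer's alternative: deny the mining server, then permit ip any any
DENY_FIRST = [Ace("deny", "tcp", MINING + "/32", ANY), Ace("permit", "ip", ANY, ANY)]

if __name__ == "__main__":
    for name, acl in [("as posted", AS_POSTED), ("reversed", REVERSED), ("deny first", DENY_FIRST)]:
        print(f"{name:10} shapes {len(shaped(acl, OUTBOUND))} of {len(OUTBOUND)} outbound packets")
```

The as-posted entry only matches the request direction, which is the same result as the all-zero counters in the first "sh traffic-shape statistics" output.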