Indeed, I believe whilst c3750 supports traffic-shaping, the c3550 does not.

BTW, instead of assigning a /30 per user and wasting 75% of your IP address space, try looking at the 'private vlan' IOS command, which should allow you to use much bigger subnets and still control the user-user traffic.

/Pete






On 14 Dec 2008, at 13:10, Marco Matarazzo wrote:

Hi Justin,

I have an ISP situation where there are about 1000 users sitting behind Cisco 3550 switches. Each port is 1 user and is configured with an individual VLAN where each VLAN is assigned a small network subnet and corresponding DHCP scope.

The problem, it seems (so I have been told), is that these 3550's will not effectively bandwidth limit at the port level. Incoming bandwidth is limited as configured, but outgoing is not. So, I am looking at a pf solution but Google is not turning up any specific information for such a situation.


This is not true. It's more tricky, but you can actually limit both inbound and outbound at the port level, and it's quite effective too. Of course OpenBSD is capable of that too, but for 1000 vlans you'll have to split the load across multiple firewalls (or multiple clusters of firewalls) since there're hardcoded limits on the number of queues you can create (256 cbqs and 64 hfsc if I remember well, it's been discussed in the past however!)

The config for the 3550 is something like this:

Define the class-maps (all-in and all-out are different because of hardware limitations)

class-map match-any all-out
 match ip dscp default
class-map match-any all-in
 match access-group 100

Define the policy maps:

policy-map 1mbit-in
 class all-in
   police 1024000 192000 exceed-action drop
policy-map 1mbit-out
 class all-out
   police 1024000 192000 exceed-action drop

And apply the policies to the interfaces:

interface FastEthernet0/4
 description CustomerX
 no switchport
 ip address 1.2.3.4 255.255.255.x
 ! (or if it's a switchport, just "switchport mode access" and then "switchport access vlan x")
 ip rip advertise 3
 no cdp enable
 service-policy input 1mbit-in
 service-policy output 1mbit-out

Also note that this is rate-limiting, not bandwidth shaping, but it may fit your requirements!

Cheers,
]\/[arco
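
The rate-limiting versus shaping distinction noted above, as an added example that is not part of the original thread: a token-bucket model of "police 1024000 192000 exceed-action drop" beside a shaper using the same bucket. It assumes a single-rate policer whose bucket starts full and a shaper with an unbounded queue; the function names and the constructed 12 Mbit/s traffic are illustrative, and real 3550 hardware may differ in detail.

```python
# Added example: token-bucket model of "police 1024000 192000 exceed-action drop".
# Assumption: single-rate bucket that starts full; not Cisco's exact hardware behaviour.
RATE_BPS = 1_024_000     # police rate from the policy-map, bits per second
BURST_BYTES = 192_000    # police burst from the policy-map, bytes


def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """packets: list of (arrival_time_s, size_bytes) sorted by time.
    Out-of-profile packets are dropped. Returns (forwarded_bytes, dropped_bytes)."""
    tokens, last = float(burst_bytes), 0.0
    forwarded = dropped = 0
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            forwarded += size
        else:
            dropped += size          # exceed-action drop
    return forwarded, dropped


def shape(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Same bucket, but out-of-profile packets wait (unbounded queue, an assumption)
    until enough tokens accrue. Returns (forwarded_bytes, max_delay_s)."""
    tokens, clock = float(burst_bytes), 0.0   # clock: time the bucket state is valid for
    forwarded, max_delay = 0, 0.0
    for t, size in packets:
        if t > clock:                          # link idle until this arrival: refill
            tokens = min(burst_bytes, tokens + (t - clock) * rate_bps / 8)
            clock = t
        if size > tokens:                      # hold the packet until tokens suffice
            clock += (size - tokens) * 8 / rate_bps
            tokens = float(size)
        tokens -= size
        forwarded += size
        max_delay = max(max_delay, clock - t)
    return forwarded, max_delay


def constructed_burst(seconds=3, pps=1000, size=1500):
    """Constructed input: one customer sending 1500-byte packets at 12 Mbit/s."""
    return [(i / pps, size) for i in range(seconds * pps)]


if __name__ == "__main__":
    print("policer (forwarded, dropped):", police(constructed_burst()))
    print("shaper  (forwarded, max delay s):", shape(constructed_burst()))
```

The policer forwards only the initial burst plus the configured rate and drops the rest, while the shaper delivers everything at the cost of queueing delay.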
