What you describe would be something like this:
class-map match-all Printer
 match access-group name Printer
!
policy-map WAN-OUT
 class Printer
  shape average 1000000
 class class-default
  fair-queue
  random-detect
!
int WAN
 service-policy output WAN-OUT
!
ip access-list extended Printer
 permit ip any 192.0.2.0 0.0.0.255
This would match traffic going to 192.0.2.0/24 and shape it to 1 Mbps. However, I don't think this is necessarily what you want: what if there is no other demand on the circuit? Wouldn't you want the print job to get full capacity at that time?
Maybe classify traffic in 3 classes, like
- Important
- Normal
- Scavanger
Configuration could be something like:
class-map match-any Important
 match access-group name Important
 match precedence 4 5 6 7
 match precedence 1 2 3
class-map match-any Normal
 match precedence 0
 match access-group name Normal
class-map match-any Scavanger
 match access-group name Scavanger
!
class-map match-all QOS5
 match qos-group 5
class-map match-all QOS3
 match qos-group 3
class-map match-all QOS0
 match qos-group 0
!
policy-map LAN-IN
 class Scavanger
  set qos-group 0
 class Important
  set qos-group 5
 class Normal
  set qos-group 3
!
policy-map WAN-OUT
 class QOS5
  priority percent 80
 class QOS3
  bandwidth percent 20
 class QOS0
!
int LAN
 service-policy input LAN-IN
int WAN
 service-policy output WAN-OUT
!
!
Now, on LAN ingress we match on traffic and give it internal qos-group 5, 3 or 0. These numbers are insignificant; they could be anything, it's just a way to differentiate the traffic without mangling the existing CoS/PREC/DSCP bits.
After we've marked the traffic on LAN ingress, on WAN egress we match on the earlier defined qos-groups and treat the traffic differently.
Here we give Important traffic an 80% low-latency privilege to the capacity. For Normal traffic we give a 20% contract, so if Important traffic sends 100% and you start to send Normal traffic, 20% of the Important traffic would be dropped in favor of letting some Normal traffic pass. We give no contractual capacity to the Scavanger class; it'll only send if either the Important or the Normal class is using less than its contractual capacity.
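To make the contract semantics of the answer above concrete, here is an added Python model (not the answer author's code, and not Cisco's scheduler) of how the WAN-OUT policy shares the link: the priority class is policed to its `priority percent` only under congestion, each `bandwidth percent` class is guaranteed its contract, and any leftover is split evenly among non-priority classes that still have demand. Real CBWFQ shares leftover in proportion to class weight, so the even split is a simplifying assumption. The class names and contracts mirror the answer's configuration; the offered loads in the scenarios are constructed.

```python
"""Added example: a simplified model of the LLQ/CBWFQ contract from the WAN-OUT policy.

Assumptions (not IOS behaviour in detail): under congestion the priority class
is policed to its 'priority percent'; other classes get min(offered, contract)
and then share leftover capacity evenly among those still wanting more.
"""

# Contracts from the answer's policy-map WAN-OUT (percent of link capacity)
CONTRACTS = {"Important": 80.0, "Normal": 20.0, "Scavanger": 0.0}
PRIORITY_CLASS = "Important"   # the class under 'priority percent'


def allocate(offered, contracts=CONTRACTS, priority=PRIORITY_CLASS, capacity=100.0):
    """Return class -> percent of link granted, given offered load per class (percent)."""
    if sum(offered.values()) <= capacity:
        # No congestion: nobody is policed, every class sends what it offers
        # (this is why a lone print job would get the full circuit).
        return dict(offered)

    # Congestion: every class is first held to its contract.
    granted = {cls: min(load, contracts.get(cls, 0.0)) for cls, load in offered.items()}
    leftover = capacity - sum(granted.values())

    # Water-fill the leftover over non-priority classes that still have unmet demand
    # (assumed even split; the priority class never exceeds its contract under congestion).
    while leftover > 1e-9:
        hungry = [c for c in offered if c != priority and offered[c] - granted[c] > 1e-9]
        if not hungry:
            break
        share = leftover / len(hungry)
        for c in hungry:
            extra = min(share, offered[c] - granted[c])
            granted[c] += extra
            leftover -= extra
    return granted


def dropped(offered, granted):
    """Percent of link worth of traffic each class loses (offered minus granted)."""
    return {c: offered[c] - granted.get(c, 0.0) for c in offered}


# Constructed scenarios illustrating the three cases discussed in the answer.
SCENARIOS = {
    "print job alone": {"Important": 0.0, "Normal": 0.0, "Scavanger": 100.0},
    "important saturates, normal starts": {"Important": 100.0, "Normal": 10.0, "Scavanger": 0.0},
    "all three compete": {"Important": 50.0, "Normal": 30.0, "Scavanger": 40.0},
}

if __name__ == "__main__":
    for name, offered in SCENARIOS.items():
        granted = allocate(offered)
        print(f"{name}: granted={granted} dropped={dropped(offered, granted)}")
```

In the second scenario the model shows exactly the trade-off the answer describes: Important is cut from 100% to its 80% contract so Normal's 10% can pass, and the unused 10% stays idle because nobody else is offering traffic. In the third scenario the Scavanger class gets 20% purely from capacity the other two classes are not using.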
I would suggest creating a static route to Null 0 on the external router:
ip route 192.168.0.0 255.255.248.0 Null 0
- A static route to the Null interface is seen as a connected interface on the local router.
Then advertise the summary address in whatever routing protocol is originating the routes with a network statement in the routing process.
When you redistribute from one routing process to the other the summary route should be injected into the OSPF process.
You could also filter out the subnets with a prefix list or route map to be sure the smaller subnets don't get injected.
Hopefully this helps.
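An added check (not the answer's code) for the Null0 summary step: the `ip route ... Null 0` above makes the router drop packets to any address in 192.168.0.0/21 that has no more-specific route, so it is worth confirming that the summary is the smallest prefix covering the real subnets and listing the ranges inside it that nothing actually lives in. The subnet list below is constructed (six of the eight /24s inside the /21), and the prefix-list name is an assumption; the summary itself is recomputed from those subnets rather than typed in.

```python
"""Added example: sanity-check a Null0 summary route before advertising it."""
import ipaddress

# Constructed subnets assumed to live behind the external router (six of the eight /24s in the /21)
SUBNETS = [f"192.168.{i}.0/24" for i in range(6)]


def summarize(subnets):
    """Smallest single prefix covering every subnet (the candidate Null0 summary)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def uncovered_space(summary, subnets):
    """Prefixes inside `summary` with no real subnet behind them.

    Packets to these addresses match only the Null0 route and are silently
    dropped, which is fine for unused space but worth knowing about.
    """
    holes = [ipaddress.ip_network(str(summary))]
    for s in subnets:
        net = ipaddress.ip_network(s)
        next_holes = []
        for hole in holes:
            if net.subnet_of(hole):
                next_holes.extend(hole.address_exclude(net))   # carve the real subnet out
            elif hole.subnet_of(net):
                continue                                       # hole lies inside a real subnet
            else:
                next_holes.append(hole)
        holes = next_holes
    return sorted(holes)


def prefix_list_lines(name, summary):
    """IOS prefix-list that lets the summary through and blocks its more-specifics."""
    return [
        f"ip prefix-list {name} seq 5 permit {summary}",
        f"ip prefix-list {name} seq 10 deny {summary} le 32",
        f"ip prefix-list {name} seq 15 permit 0.0.0.0/0 le 32",
    ]


if __name__ == "__main__":
    summary = summarize(SUBNETS)
    print("summary:", summary, "mask", summary.netmask)
    print("blackholed but unused:", [str(h) for h in uncovered_space(summary, SUBNETS)])
    print("\n".join(prefix_list_lines("SUMMARY-ONLY", summary)))
```

With the constructed subnets the computed summary is 192.168.0.0/21 (mask 255.255.248.0, matching the static route in the answer), and 192.168.6.0/23 is the part of it that the Null0 route will blackhole; the emitted prefix-list is the kind of filter the answer suggests applying at redistribution so the /24s do not leak alongside the summary.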
Best Answer
You could monitor the traffic
- on the router: Cisco IOS 12.4(20)T and later have a packet capture feature, with filtering on interface name, direction and ACL.
  monitor capture buffer holdpackets filter access-list <number>
  monitor capture point ...
  possibly with interface name, direction, and more - use the inline help to see the possibilities.
  show monitor capture buffer holdpackets dump
  Use export instead of dump to get a PCAP file for Wireshark analysis. For details and examples, follow the link or look at a Cisco troubleshooting manual.
- on the switchport where the router is connected; for this you could set up a mirror port on the switch and monitor it via Wireshark
- on the firewall where the traffic passes
Cisco ASAs are capable of remotely doing packet capturing and giving you the output as a PCAP file which you can open locally with Wireshark. The ASDM provides an assistant for this. Step by step, you can specify source and destination interface, ACLs or src/dest networks/hosts, and the protocol you would like to watch. That's why I like having ASAs in place everywhere - with a router, the CLI may seem a bit complicated.