Tag Archives: ACL

Time based Policy-map for traffic policing

Recently I was tasked to resolve a problem where a video stream on Saturday and Sunday would get very choppy. This video stream is for a church and as you would expect needs to be perfect. There are multiple remote sites each connected to an MPLS back to the core site which is where the video stream originates. Each site has a 100Mb MPLS link back to the core site.

We wanted to make sure that on Saturday and Sunday that normal traffic (web, file shares) would be capped at around half the useable bandwidth, and the other half was for the stream. This is much more bandwidth than what the stream needs, but we want to make sure its plenty.

So, what we did was implement time based ACLs for both the traffic we want to prioritize, and another ACL for all default traffic that we want to police. We used a ‘any-any’ ACL instead of the class-default because we have to make it time based.

Some of the things to note – the Burst rate really mattered here. I followed the formula from Cisco RATE-SPEED/8 * 1.5. Using this formula solved my issues and things flowed exactly the way I wanted them to.

To test I changed the time on the router to look like Saturday, and then used Iperf to push traffic.

The system clock on the router has to be correct, else everything can be very screwed up. You might be saying why did you use a policer instead of a shaper? good question. I would have used a shaper if my 3750’s supported it. A shaper would have been a better solution here.


– Create Time-range

– Create ACLs using time range

– create class maps

– create policy maps

– apply policy-map to interface


First to create the time-range to match the times we wanted we used the following commands:

config t

time-range Weekend-Service

periodic Saturday 13:00 to Sunday 15:00


Next I created the ACL to match the priority traffic and default traffic

ip access-list ext Priority-traffic

10 permit ip host any time-range Weekend-Service


ip access-list ext Default-Traffic

10 permit ip any any time-range Weekend-Service


Then I created the class and policy map, and attached it to the interface.

Class-map match any Priority-Traffic
match access-group Priority-Traffic

class-map match-any Default-Traffic
match access-group Default-Traffic

policy-map Stream
class Priority-Traffic
set ip dscp ef

class Default-Traffic
police 50000000 937500
set ip dscp default

int gig 1/0
policy-map input stream

There are many commands to test the status, one command is “show policy-map interface”

Cisco ACL Logging: log-input

Using ACL logging can be a very useful tool not only to get info about whats going on, but also for troubleshooting. One way to get much more robust logging is to use the log-input at the end of the ACE.

The log-input command shows the normal things such as source ip/port and destination ip/port but will also so the ingress interface and mac address of the source. Very cool! The following is and example of the output:

*May  1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
   tcp (Ethernet0/0 000e.9b5a.9839) ->, 1 packet 
*May  1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
   tcp (Ethernet0/0 000e.9b5a.9839) ->, 9 packets