Cisco 2621 rate-limiting?

[arisythila]

Hello, I have a cisco 2621 router. I cannot seem to figure out how to work rate limiting on this router. Does anybody know of a how-to guide to do it?

Thanks

~Michael

 

[burtsbees]

And you're saying that the "rate-limit" command did not work?

Burt

 

[arisythila]

Well it went through it just didn't rate limit.

How does one go about showing the ratelimit?

~Michael

 

[burtsbees]

show interface fa0/1 rate-limit

Burt

 

[arisythila]

birdhost-gw#show interface fa0/1 rate-limit
FastEthernet0/1
Input
matches: access-group 101
params: 5000000 bps, 5000 limit, 5000 extended limit
conformed 21098 packets, 3606614 bytes; action: transmit
exceeded 76 packets, 105197 bytes; action: drop
last packet: 578748ms ago, current burst: 66 bytes
last cleared 13:23:25 ago, conformed 0 bps, exceeded 0 bps
Output
matches: access-group 101
params: 5000000 bps, 5000 limit, 5000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 367638888ms ago, current burst: 0 bytes
last cleared 13:23:18 ago, conformed 0 bps, exceeded 0 bps
birdhost-gw#

So it is there.. It's just not limiting it.

5mb should be about 500-600KB/sec correct?

 

[arisythila]

birdhost-gw#show interface fa0/0 rate-limit
FastEthernet0/0
Input
matches: access-group 101
params: 5000000 bps, 5000 limit, 5000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 367734580ms ago, current burst: 0 bytes
last cleared 14:44:20 ago, conformed 0 bps, exceeded 0 bps
Output
matches: access-group 101
params: 5000000 bps, 5000 limit, 5000 extended limit
conformed 216985 packets, 29307818 bytes; action: transmit
exceeded 427 packets, 573960 bytes; action: drop
last packet: 674448ms ago, current burst: 66 bytes
last cleared 14:44:09 ago, conformed 4000 bps, exceeded 0 bps

IT's on fa0/0 too.

 

[burtsbees]

Yes...5Mb/sec=625KB/sec...looks fine to me...what's the problem you're noticing?

Burt

 

[arisythila]

Well, When I download something, It downloads at 5000KB/sec instead of 500-600kb/sec

~Michael

 

[arisythila]

birdhost-gw#show access-list
Extended IP access list 101
10 permit ip host 207.14.32.245 any (15521 matches)
20 permit ip host 207.14.32.247 any (227058 matches)
birdhost-gw#

Maybe the access list is not setup correctly?

~Michael

 

[burtsbees]

Hmmm...would you want to limit just the one IP address, or all of them? If just that IP address, then perhaps don't include it in the output statement? That way, it won't match the "any" keyword, to whatever else may be out there...
When you say that you download something, where are you downloading from? The true test would be from that IP address, not from your network...

Burt

 

[arisythila]

I want to rate limit those IP addresses. So this customer cannot use bandwidth hes not paying for. He paid for 5mb of bandwidth up and down, last month he used 40mb up and down.

I downloaded something from microsoft. outside of the network

Thanks

~Michael

 

[burtsbees]

I understand the customer that did 40MB and paid for 5MB...but is this the only one? Reason I ask is because you can rate limit w/o an acl, and it will affect all incoming traffic. Back with more tomorrow (busy with kids).

Burt

 

[arisythila]

I thought I setup an access control list. Or are you saying I'm going to need more than one access list? one for this one customer, one for all the rest?

As I start getting more customers I want to add more access control lists. Especially for the dedicated customers. Right now I just have 15 dedicated customer. Only one is going WAY over his bandwidth. rest are all below. but sooner or later I will probably put them in a access list.

~Michael

 

[burtsbees]

What I'm saying is that with no acl and

rate-limit input 5000000 5000 5000 conform-action transmit exceed-action drop

instead of

rate-limit input access-group 101 5000000 5000 5000 conform-action transmit exceed-action drop

will limit everyone, not just a specific IP address or two---note no reference to an acl...

Burt

 

[arisythila]

I want specific access groups.

So 101 can be 5mb
102 can be 10mb
103 can be 15mb
so forth.

I followed your instructions there.

 

[burtsbees]

I'm thinking someone else may have to jump in here...my ftp server died, so i can't really test anything at the moment. I'll do a bit of research when I can to try to make heads or tales of the whole thing. The only thing I can sday at this point is to get rid of the output statement, and limit it rediculously low, so you can see if it truly works or not... The way you were testing it---I guess you tried from the IP address that you limited...right? Like you limited 207.14.32.245 and tested it FROM the host with this IP address??

Burt

 

[arisythila]

yes, I tried to rate-limit x.x.x.245 to 5mb, tried to download something, I have not tried to upload yet. Let me try that real quick.

 

[brianinms]

You need modular QOS. You may also consider obtaining a layer 3 switch in place of your router as then you can configure private vlans for the clients.

http://www.cisco.com/univercd/cc/td...0/120newft/120limit/120xe/120xe5/mqc/mcli.htm

 

[arisythila]

Yeah, I was thinking about getting a Cisco 2960 switch. (right now I have a HP Procurve 2626-PWR) But the problem with that is I also rate limit VPS's (virtual private servers) So the MAC address, or even the port may have 2-3 different speeds. So it has to be IP address based.

Thanks Brian

 

[burtsbees]

Brian---why won't the rate-limiting work?

Burt

 

[arisythila]

http://www.hp.com/rnd/products/switches/switch2600series/overview.htm

This is the switch I have, the HP Procurve 2626-PWR. Layer 3 switch.

Then of course the 2621 router.

~Michael