
How to Control bandwidth to certain IP's with a cisco 2600

Status
Not open for further replies.
May 7, 2003
30
US
ok, after spending months on here hoping for some clues to this I have got a little desperate. I currently have a cisco 2600 for a "backbone" connection to the net. I want to be able to control bandwidth, up&down, to each IP behind the cisco. I was hoping it worked like an access list but it looks like no such luck. I have spent days on cisco's site, as usual, and only find myself more perplexed than when I started. If there is no simple way to do this then is there a GOOD site or doc that explains this process without having spent the last 20 years learning cisco jargon? I have noticed that cisco language does make good sense once you spend huge amounts of time with each command to understand it. Sooo, a basic example of it would work, without all the extras. Just need something to start the R&D process.
 
Without getting too far into cisco lingo, I would say try using Committed Access Rate (CAR). This allows bandwidth management through rate limiting. It allows you to control the maximum rate for traffic transmitted or received on an interface. You most often want to implement this at the edge of your network to limit traffic in and out of the network. You must have Cisco Express Forwarding enabled in order to perform rate limiting. To enable this, issue this command in global configuration: ip cef

create an access-list (standard or extended) depending on how detailed you want to get with your rate-limiting.

access-list 90 permit 10.3.1.1 0.0.0.0

go to specific interface and setup rate-limit

Router(config)# inter ether 0
Router(config-if)# rate-limit input access-group 90 125000 5000 5000 conform-action transmit exceed-action drop

The bandwidth values used above are for 10-only ethernet interface type bandwidth. Values should be picked based on the interface bandwidth and the rate at which you want to limit a traffic type. If you want a specific block of addresses to be less than the allowable bandwidth then use less for the specific access-group you are performing the rate-limit with.

breakdown of the rate-limit command I used

rate-limit [input or output] access-group [number of access-list being applied] 125000=bits per second of interface 5000=burst-normal-amount 5000=burst-max-amount conform-action transmit exceed-action drop

the conform action I used was basically saying: if traffic is at 125000bps or less, then transmit; allow for 5000bps over during bursty traffic; if this is exceeded, then drop the packet.
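How the rate and burst values in the rate-limit line above decide transmit versus drop, modelled as a single token bucket (an added example, not part of the original posts and not Cisco's implementation). It assumes the rate is in bits per second and the burst in bytes, treats burst-normal equal to burst-max as a plain bucket with no extended burst, and runs over a constructed packet trace; `Policer`, `police` and `sample_trace` are hypothetical names.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """One token bucket, as when burst-normal equals burst-max (assumed model)."""
    rate_bps: int                     # committed rate, bits per second
    burst_bytes: int                  # bucket depth, bytes
    tokens: float = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)    # bucket starts full

    def offer(self, now_ms: int, size: int) -> str:
        # Refill at rate_bps/8 bytes per second, capped at the bucket depth.
        refill = (now_ms - self.last_ms) * self.rate_bps / 8000
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"                    # conform-action
        return "drop"                            # exceed-action


def police(packets, acl_hosts, rate_bps, burst_bytes):
    """Return {src: [transmitted, dropped]} for (time_ms, src, size) packets."""
    bucket = Policer(rate_bps, burst_bytes)      # one bucket per rate-limit line
    counts = {}
    for now_ms, src, size in sorted(packets):
        sent_dropped = counts.setdefault(src, [0, 0])
        # Traffic the access list does not match is forwarded without policing.
        action = bucket.offer(now_ms, size) if src in acl_hosts else "transmit"
        sent_dropped[0 if action == "transmit" else 1] += 1
    return counts


def sample_trace():
    """Constructed input: two hosts each send 1500 bytes every 10 ms for 2 s."""
    return [(t, src, 1500) for t in range(0, 2000, 10)
            for src in ("10.3.1.1", "10.3.1.2")]


if __name__ == "__main__":
    # Rate and host from the post; 8000 is the minimum burst reported in the thread.
    print(police(sample_trace(), {"10.3.1.1"}, 125000, 8000))
```

Only the host listed in the access list is held to the configured rate; the second host, which the list does not match, passes every packet, so the list has to cover every address that is meant to be limited.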
 
Thanks, that helped a lot. Just a note. For whatever reason 8000 is the least I can put in the burst. I have noticed however that the bandwidth is controlled from inside to outside of the router, but not inside to inside. Now, since the rate is set in the fastethernet, shouldn't that work for both?
 
no offense but if you want to understand all this mess you will have to put the time in. you will only end up coming back for little things if you don't put the time in to study the fundamentals. you rate limit bandwidth via ip address without breaking the ip addresses down into groups and using some sort of queueing or bandwidth reservation as suggested in the previous posts. after all that work all someone would have to do is change their ip address to get around the limitation. the best solution here would be to decide what applications you want to provide limitations to, i.e. KAZAA or morpheus, and then either block the ports (not easily done) or purchase a packet shaping device like PACKETEER to "turn down" the application to prevent the application from hogging bandwidth. then if you want users to have unlimited access to bandwidth, certain users, then you password protect the filtering and allow those users to log in through the filter and gain access to the system.

hope this helps but i would recommend getting some cisco certs first before trying to tackle this issue. you will only end up frustrating yourself without the necessary knowledge.
 