
Rate-Limit Command 4


osuman

Technical User
Nov 22, 2000
Hello,
I want to restrict traffic on my LAN so that no one user uses too much bandwidth. I understand that the rate-limit command is a good way to do this. Let's say that my users are assigned addresses in a 192.168 network and I want to restrict all the IPs in that range to 200k of bandwidth.

Can someone provide an example of what the command for this would look like? It seems all the other examples I've run across are trying to accomplish way more than something this simple.

Do I need to setup an access list first? If so, what would the command for that look like.

Thanks in advance for any help.
 
Don't worry, it's rather straightforward. Something like the following may work for you:

interface S0/0
rate-limit input access-group 101 200000 37500 37500 conform-action transmit exceed-action drop
ip address a.b.c.d 255.255.255.252
rate-limit output access-group 101 200000 37500 37500 conform-action transmit exceed-action drop

access-list 101 permit ip 192.168.0.0 0.0.255.255

Any questions let me know
 
KiscoKid,
Thanks for the reply. I'm glad it should be easy. I do have a couple follow-up questions:

1) Can you further explain why you included the line "ip address a.b.c.d 255.255.255.252"? Is that the IP address of the interface?

2) I want to verify that this will limit the rate for each specific IP (user) in the network and not limit the entire interface. I ask because an example on Cisco webpage that looks similar to what you provided was for an example where you want to limit the entire interface.

Thanks again.

 
Hi again

Yeh the IP address listed there is meant to be just the serial interface's IP address and doesn't really come into consideration for the rate limiting configuration.

This particular rate limit config will only rate limit anyone who has an address that begins with 192.168.x.x. Everyone else will be able to use the full line speed of the interface.

If you want to lock down the interface to everyone, regardless of which IP address they come from, you amend it slightly as follows:

interface S0/0
rate-limit input 200000 37500 37500 conform-action transmit exceed-action drop
rate-limit output 200000 37500 37500 conform-action transmit exceed-action drop

(note the loss of the 'access-group 101' in the statement)

Hope this helps
 
Ok,
And not to belabor the point, but just to be sure I'm clear. If I were to implement the above commands (without the access-list) multiple users will be able to use up 200K each, until the full utilization of the bandwidth is taken. For example, if I had one T1 WAN connected, and 2 LAN users. Each would be limited at 200Kb and if both were using their maximum, a total of 400Kb of the 1.5 Mbps would be used. Correct?

Again, the above example is what I'm after. But the Cisco page I saw ( made it sound like the rate-limit command will limit the total throughput of the interface to the amount specified (in this case 200Kb). That's NOT what I want. I want to utilize the full bandwidth of my WAN connection(s).

I really appreciate the help.
 
No that's not what would happen. The above command less the access list will restrict the entire interface for ALL users to 200k, i.e. you will never see the utilisation on that interface go above 200k.

To allocate more bandwidth but with rate limit control you will need to classify those users with an access list and set the appropriate rate they can transmit at.

For instance, if you had 5 rate limit statements that were matching against 5 different access lists and these access lists permitted a single user (i.e. 192.168.1.1 through to 192.168.1.5), the result of this would be that 192.168.1.1 could have 200k and no more. The same is true for hosts 192.168.1.2 through to 192.168.1.5.

Anyone else with an 192.168.1.x address that does not end in 1-5 can use any amount of WAN bandwidth they want (they're not rate limited).

A lot of ISPs employ this approach on shared infrastructure to prevent people taking more than they're contractually obliged to have. So on some ISP router interfaces you could literally see 1000s of these statements all restricting either individual IP addresses or a small group of IP addresses.

Hopefully that's clarified things but if not, let me know.


 
That makes sense. It's a subtle difference that's important though. Basically, with an access list it rate limits per IP/User/Host, allowing full utilization of the WAN interface. Without the access-list, it's restricting the WAN interface itself to go use more than a certain amount. (As you said, for contractual agreements). Is this right?

Next question: How will this rate limiting work if you load balancing across 2 WAN connections with different line speeds (say 1 DSL and 1 T-1)?

(Granted I might need to look into load balancing more first)
 
Apologies. In previous post go=not.
 
"Basically, with an access list it rate limits per IP/User/Host, allowing full utilization of the WAN interface. Without the access-list, it's restricting the WAN interface itself to go use more than a certain amount. (As you said, for contractual agreements)."

Spot on. That's exactly right.

You can rate limit on load-balanced, dual links. You'll just need to apply the rate limit statements as before and amend them to reflect the difference in available line rate. However, sometimes a backup interface has less capacity, and usually it's agreed that during a fault condition there may be, for example, 50% loss of bandwidth. Hence your second/backup interface should reflect this reduced bandwidth availability.

Glad I could help!
 
I implemented the rate-limit command as you suggested, but it doesn't seem to work.

My method of testing the rate limit is to simply download a large file from the Internet. If the rate-limiting is working, my expectation was that I shouldn't be able to download faster than 64KB/sec. However, with my current config, I can download a file from Microsoft at 600KB/sec+.

Anyone know what I'm doing wrong?

Here's my (now rather complicated) config:

2811#show run brief
Building configuration...

Current configuration : 6240 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool everyone
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 4.2.2.2 4.2.2.1
lease 30
!
!
ip domain name yourdomain.com
ip name-server 4.2.2.2
!
!
!
key chain key1
key 1
key-string VertNet
!
crypto pki trustpoint TP-self-signed-2946453244
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2946453244
revocation-check none
rsakeypair TP-self-signed-2946453244
!
!
crypto pki certificate chain TP-self-signed-2946453244
certificate self-signed 01
oer master
port 4444
max-range-utilization percent 10
keepalive 1
!
border 192.168.2.1 key-chain key1
interface ATM0/2/0 external
interface FastEthernet0/0 external
interface FastEthernet0/1 external
interface Vlan1 internal
interface Serial0/0/0 external
interface Serial0/1/0 external
!
learn
throughput
periodic-interval 1
monitor-period 2
prefixes 200
aggregation-type prefix-length 32
!
oer border
local Loopback0
port 4444
active-probe address source interface Vlan1
master 192.168.2.1 key-chain key1
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Multilink1
description Internet to
ip address a.b.c.e 255.255.255.252
ip nat outside
ip virtual-reassembly
rate-limit input access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
rate-limit output access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
ppp multilink
ppp multilink group 1
!
interface FastEthernet0/0
description DSL(Modem)
ip address 10.0.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
rate-limit input access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
rate-limit output access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
duplex auto
speed auto
!
interface FastEthernet0/1
description DSL(Modem)
ip address 10.0.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
rate-limit input access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
rate-limit output access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
duplex auto
speed auto
!
interface FastEthernet0/3/0
description Local LAN access point
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Serial0/0/0
description T1 circuit id
bandwidth 1536
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0
description T1 circuit id
bandwidth 1536
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
!
interface ATM0/2/0
description DSL(WIC-1ADSL)
no ip address
no ip mroute-cache
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
pvc 1/150
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Vlan1
description Local LAN access
ip address 192.168.1.254 255.255.255.0
ip nat inside
no ip virtual-reassembly
rate-limit input access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
rate-limit output access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
!
interface Dialer0
ip address dhcp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username <username deleted> password 0 <password deleted>
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 0.0.0.0 0.0.0.0 a.b.c.d
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat pool DSL 10.0.1.2 10.0.1.2 netmask 255.255.255.0
ip nat pool DSL2 10.0.2.2 10.0.2.2 netmask 255.255.255.0
ip nat pool T1 a.b.c.e a.b.c.e netmask 255.255.255.0
ip nat inside source route-map DSL pool DSL overload
ip nat inside source route-map DSL2 pool DSL2 overload
ip nat inside source route-map T1 pool T1 overload
ip nat inside source static tcp 192.168.2.1 23 10.0.1.2 23 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
route-map DSL permit 10
match ip address 1
match interface FastEthernet0/0
!
route-map T1 permit 10
match ip address 1
match interface Multilink1
!
route-map DSL2 permit 10
match ip address 1
match interface FastEthernet0/1
!
!
!
control-plane
!
!

scheduler allocate 20000 1000
!
end

2811#
 
I think it's because your input rate limit access list is only matching the source of 192.168.1.x.

So when packets are coming from the net nothing will ever match. You need to match on the destination address for inputs on your multilink.

i.e. access-list 101 permit any 192.168.1.x
and I think it will have to be applied on your VLAN after the NAT takes place.

Does that make sense?
 
Or rather:

access-list 101 permit ip any 192.168.1.0 0.0.0.255
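A small model (added here; not Cisco's code and not from any post in this thread) of the two points the replies above turn on: the access-group decides which packets a rate-limit statement even sees, so a source-only ACL 1 matches LAN-sourced traffic outbound but never the Internet-sourced packets arriving inbound on the WAN, and every rate-limit statement owns its own token bucket, which is why per-host limiting needs one statement and one ACL per host. The addresses, packet timing and the 256000/37500 parameters are constructed from the config above; CAR's extended-burst handling is simplified away.

```python
"""Model of one Cisco 'rate-limit ... access-group N <bps> <burst-normal>' statement.
Added example, not Cisco's or the thread's code; CAR's extended burst is ignored."""
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco ACL semantics: a set bit in the wildcard mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Entries are (src_base, src_wild, dst_base, dst_wild); 'any' is the all-ones wildcard.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_1 = [("192.168.1.0", "0.0.0.255") + ANY]      # standard ACL 1 from the config: source only
ACL_101 = [ANY + ("192.168.1.0", "0.0.0.255")]    # permit ip any 192.168.1.0 0.0.0.255

def acl_permits(acl, src, dst):
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in acl)

class CarBucket:
    """Token bucket in whole bytes; every rate-limit statement owns its own bucket."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_s = rate_bps // 8       # 256000 bps -> 32000 bytes/s
        self.burst = self.tokens = burst_bytes  # bucket starts full (the normal burst)
        self.last_ms = 0

    def offer(self, size, t_ms):
        refill = self.rate_bytes_s * (t_ms - self.last_ms) // 1000  # integer maths, no drift
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = t_ms
        if self.tokens >= size:
            self.tokens -= size
            return "conform"                    # conform-action transmit
        return "exceed"                         # exceed-action drop

def rate_limit(acl, bucket, packets):
    """(matched, conformed) over packets (t_ms, src, dst, size); non-matching packets
    bypass the limiter entirely, which is what hides a wrong-direction ACL."""
    matched = conformed = 0
    for t_ms, src, dst, size in packets:
        if acl_permits(acl, src, dst):
            matched += 1
            conformed += bucket.offer(size, t_ms) == "conform"
    return matched, conformed

# Constructed traffic: a 150 KB download arriving inbound on the WAN, 100 x 1500 B over 1 s.
INBOUND = [(10 * k, "203.0.113.10", "192.168.1.20", 1500) for k in range(100)]

def inbound_demo(acl):
    """Apply 'rate-limit input access-group <acl> 256000 37500 ...' to the download."""
    return rate_limit(acl, CarBucket(256000, 37500), INBOUND)
```

With ACL 1 the inbound download is never matched, so nothing is limited; with ACL 101 all 100 packets are matched and only 46 conform (the 37500-byte burst plus 32000 bytes/s of refill), which is the behaviour the reply above predicts.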
 
Thanks for your help.

I added:

"access-list 101 permit ip any any"

and then

"rate-limit input access-group 101 256000 256000 256000 conform-action transmit exceed-action drop"

to each WAN interface and it started working.

I didn't need to add it to the vlan.
 
The only thing there is you are rate limiting everybody. If you wanted to do it per host then you would have to change your access-list to only match certain hosts.
 