Rate-Limit Command
(OP)
Hello,
I want to restrict traffic on my LAN so that no one user uses too much bandwidth. I understand that the rate-limit command is a good way to do this. Let's say that my users are assigned addresses in a 192.168 network and I want to restrict all the IP's in that range to 200k of bandwidth.

Can someone provide an example of what the command for this would look like? It seems all the other examples I've run across are trying to accomplish way more than something this simple.

Do I need to setup an access list first? If so, what would the command for that look like.

Thanks in advance for any help.

RE: Rate-Limit Command

Don't worry, it's rather straightforward. Something like the following may work for you:

interface S0/0
 rate-limit input access-group 101 200000 37500 37500 conform-action transmit exceed-action drop
 ip address a.b.c.d 255.255.255.252
 rate-limit output access-group 101 200000 37500 37500 conform-action transmit exceed-action drop

access-list 101 permit ip 192.168.0.0 0.0.255.255

Any questions let me know

RE: Rate-Limit Command

(OP)
KiscoKid,
Thanks for the reply. I'm glad it should be easy. I do have a couple of follow-up questions:

1) Can you further explain why you included the line "ip address a.b.c.d 255.255.255.252"? Is that the IP address of the interface?

2) I want to verify that this will limit the rate for each specific IP (user) in the network and not limit the entire interface. I ask because an example on the Cisco webpage that looks similar to what you provided was for a case where you want to limit the entire interface.

Thanks again.

RE: Rate-Limit Command

Hi again

Yeah, the IP address listed there is meant to be just the serial interface's IP address and doesn't really come into consideration for the rate-limiting configuration.

This particular rate-limit config will only rate limit anyone who has an address that begins with 192.168.x.x. Everyone else will be able to use the full line speed of the interface.

If you want to lock down the interface to everyone, regardless of which IP address they come from, you amend it slightly as follows:

interface S0/0
 rate-limit input 200000 37500 37500 conform-action transmit exceed-action drop
 rate-limit output 200000 37500 37500 conform-action transmit exceed-action drop

(note the loss of the 'access-group 101' in the statement)

Hope this helps

RE: Rate-Limit Command

(OP)
Ok,
And not to belabor the point, but just to be sure I'm clear. If I were to implement the above commands (without the access-list) multiple users will be able to use up 200K each, until the full utilization of the bandwidth is taken. For example, if I had one T1 WAN connected, and 2 LAN users. Each would be limited at 200Kb and if both were using their maximum, a total of 400Kb of the 1.5 Mbps would be used. Correct?

Again, the above example is what I'm after. But the Cisco page I saw (http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart1/qccar.htm) made it sound like the rate-limit command will limit the total throughput of the interface to the amount specified (in this case 200Kb). That's NOT what I want. I want to utilize the full bandwidth of my WAN connection(s).

I really appreciate the help.  

RE: Rate-Limit Command

No that's not what would happen. The above command less the access list will restrict the entire interface for ALL users to 200k, i.e. you will never see the utilisation on that interface go above 200k.

To allocate more bandwidth but with rate limit control you will need to classify those users with an access list and set the appropriate rate they can transmit at.

For instance, if you had 5 rate limit statements that were matching against 5 different access lists and these access lists permitted a single user (i.e. 192.168.1.1 through to 192.168.1.5), the result of this would be that 192.168.1.1 could have 200k and no more. The same is true for hosts 192.168.1.2 through to 192.168.1.5.

Anyone else with an 192.168.1.x address that does not end in 1-5 can use any amount of WAN bandwidth they want (they're not rate limited).

A lot of ISPs employ this approach on shared infrastructure to prevent people taking more than they're contractually entitled to have. So on some ISP router interfaces you could literally see 1000's of these statements, all restricting either individual IP addresses or a small group of IP addresses.

Hopefully that's clarified things but if not, let me know.
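The distinction drawn in this reply, one rate-limit statement policing everything its access list matches as a single aggregate versus one statement per host, can be checked with a small token-bucket model. The following is an added example, not code from the thread or from Cisco. It implements the CAR normal-burst token bucket (rate in bit/s, burst in bytes; the extended burst is taken as equal to the normal burst, which disables it, as in the 37500 37500 of the first reply) together with Cisco wildcard-mask source matching, and feeds it a constructed trace: two LAN hosts each offering 400 kbit/s for 10 seconds, plus one unrelated host. The host addresses, packet timings and sizes are assumptions made for the example.

```python
"""
Toy model of a Cisco IOS CAR statement:
  rate-limit input access-group <acl> <bps> <normal-burst> <extended-burst>
             conform-action transmit exceed-action drop
Extended burst is modelled as equal to normal burst (i.e. disabled), as in the
thread's examples.  Added example: addresses, timings and sizes are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    t_ms: int      # arrival time in milliseconds
    src: str       # IPv4 source address
    size: int      # bytes


class Bucket:
    """CAR normal-burst token bucket: tokens are bytes, refilled at rate_bps."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # the bucket starts full
        self.last_ms = 0

    def conforms(self, pkt: Packet) -> bool:
        # Refill for the elapsed time, capped at the normal burst size.
        self.tokens = min(self.burst,
                          self.tokens + (pkt.t_ms - self.last_ms) * self.rate_bps / 8000)
        self.last_ms = pkt.t_ms
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size        # conform-action transmit
            return True
        return False                        # exceed-action drop


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


class RateLimitChain:
    """The ordered rate-limit statements on one interface in one direction.
    Each entry is (acl_network, acl_wildcard, bucket).  As in IOS, the first
    statement whose access list matches polices the packet; a packet that
    matches no statement is transmitted unpoliced."""

    def __init__(self, statements):
        self.statements = statements

    def action(self, pkt: Packet) -> str:
        for network, wildcard, bucket in self.statements:
            if wildcard_match(pkt.src, network, wildcard):
                return "transmit" if bucket.conforms(pkt) else "drop"
        return "transmit"


def run(chain: RateLimitChain, packets):
    """Return {src: {"transmit": bytes, "drop": bytes}}."""
    stats = {}
    for pkt in packets:
        per_host = stats.setdefault(pkt.src, {"transmit": 0, "drop": 0})
        per_host[chain.action(pkt)] += pkt.size
    return stats


def constructed_trace():
    """Two LAN hosts each sending 1500 B every 30 ms (400 kbit/s) for 10 s,
    interleaved, plus an unrelated host sending 1500 B every 100 ms."""
    pkts = []
    for k in range(334):
        pkts.append(Packet(k * 30, "192.168.1.1", 1500))
        pkts.append(Packet(k * 30 + 15, "192.168.1.2", 1500))
    for k in range(100):
        pkts.append(Packet(k * 100, "10.9.9.9", 1500))
    return sorted(pkts, key=lambda p: p.t_ms)


def subnet_acl_one_statement():
    # access-list 101 permit ip 192.168.1.0 0.0.0.255 any, one statement, one bucket
    chain = RateLimitChain([("192.168.1.0", "0.0.0.255", Bucket(200000, 37500))])
    return run(chain, constructed_trace())


def one_statement_per_host():
    # One statement per host, each with its own host-specific access list and bucket
    chain = RateLimitChain([("192.168.1.1", "0.0.0.0", Bucket(200000, 37500)),
                            ("192.168.1.2", "0.0.0.0", Bucket(200000, 37500))])
    return run(chain, constructed_trace())


def no_access_group():
    # rate-limit input 200000 37500 37500 ... with no access-group: everything shares
    chain = RateLimitChain([("0.0.0.0", "255.255.255.255", Bucket(200000, 37500))])
    return run(chain, constructed_trace())


if __name__ == "__main__":
    for name, fn in [("subnet ACL", subnet_acl_one_statement),
                     ("per host", one_statement_per_host),
                     ("no ACL", no_access_group)]:
        print(name, fn())
```

With one statement whose list matches 192.168.1.0 0.0.0.255, the two LAN hosts together get about 287 kB in the 10 seconds (the 37500-byte burst plus 25000 bytes per second) and the split between them depends only on arrival timing; with one statement per host, each host gets that amount on its own; with no access-group at all, the unrelated host is policed too. Whether a statement is per host or aggregate is therefore decided by what its access list matches, which is why the per-host arrangement above needs one statement per host.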


RE: Rate-Limit Command

(OP)
That makes sense. It's a subtle difference that's important though. Basically, with an access list it rate limits per IP/User/Host, allowing full utilization of the WAN interface. Without the access-list, it's restricting the WAN interface itself to not use more than a certain amount. (As you said, for contractual agreements). Is this right?

Next question: How will this rate limiting work if you are load balancing across 2 WAN connections with different line speeds (say 1 DSL and 1 T-1)?

(Granted I might need to look into load balancing more first)

RE: Rate-Limit Command

"Basically, with an access list it rate limits per IP/User/Host, allowing full utilization of the WAN interface. Without the access-list, it's restricting the WAN interface itself to go use more than a certain amount. (As you said, for contractual agreements). "

Spot on. That's exactly right.

You can rate limit on load-balanced, dual links. You'll just need to apply the rate-limit statements as before and amend them to reflect the difference in available line rate. However, sometimes a backup interface has less capacity, and usually it's agreed that during a fault condition there may be, for example, a 50% loss of bandwidth. Hence your second/backup interface should reflect this reduced bandwidth availability.

Glad I could help!

RE: Rate-Limit Command

(OP)
I implemented the rate-limit command as you suggested, but it doesn't seem to work.

My method of testing the rate limit is to simply download a large file from the Internet. If the rate limiting is working, my expectation was that I shouldn't be able to download faster than 64KB/sec. However, with my current config, I can download a file from Microsoft at 600KB/sec+.

Anyone know what I'm doing wrong?

Here's my (now rather complicated) config:

2811#show run brief
Building configuration...

Current configuration : 6240 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool everyone
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 4.2.2.2 4.2.2.1
   lease 30
!
!
ip domain name yourdomain.com
ip name-server 4.2.2.2
!
!
!
key chain key1
 key 1
  key-string VertNet
!
crypto pki trustpoint TP-self-signed-2946453244
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2946453244
 revocation-check none
 rsakeypair TP-self-signed-2946453244
!
!
crypto pki certificate chain TP-self-signed-2946453244
 certificate self-signed 01
oer master
 port 4444
 max-range-utilization percent 10
 keepalive 1
 !
 border 192.168.2.1 key-chain key1
  interface ATM0/2/0 external
  interface FastEthernet0/0 external
  interface FastEthernet0/1 external
  interface Vlan1 internal
  interface Serial0/0/0 external
  interface Serial0/1/0 external
 !
 learn
  throughput
  periodic-interval 1
  monitor-period 2
  prefixes 200
  aggregation-type prefix-length 32
!
oer border
 local Loopback0
 port 4444
 active-probe address source interface Vlan1
 master 192.168.2.1 key-chain key1
!
!
!
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Multilink1
 description Internet to
 ip address a.b.c.e 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
 rate-limit output access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description DSL(Modem)
 ip address 10.0.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
 rate-limit output access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description DSL(Modem)
 ip address 10.0.2.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
 rate-limit output access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
 description Local LAN access point
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Serial0/0/0
 description T1 circuit id
 bandwidth 1536
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 description T1 circuit id
 bandwidth 1536
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no fair-queue
 ppp multilink
 ppp multilink group 1
!
interface ATM0/2/0
 description DSL(WIC-1ADSL)
 no ip address
 no ip mroute-cache
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 1/150
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description Local LAN access
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 rate-limit input access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
 rate-limit output access-group 1 256000 37500 50000 conform-action transmit exceed-action drop
!
interface Dialer0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username <username deleted> password 0 <password deleted>
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 0.0.0.0 0.0.0.0 a.b.c.d
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat pool DSL 10.0.1.2 10.0.1.2 netmask 255.255.255.0
ip nat pool DSL2 10.0.2.2 10.0.2.2 netmask 255.255.255.0
ip nat pool T1 a.b.c.e a.b.c.e netmask 255.255.255.0
ip nat inside source route-map DSL pool DSL overload
ip nat inside source route-map DSL2 pool DSL2 overload
ip nat inside source route-map T1 pool T1 overload
ip nat inside source static tcp 192.168.2.1 23 10.0.1.2 23 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
route-map DSL permit 10
 match ip address 1
 match interface FastEthernet0/0
!
route-map T1 permit 10
 match ip address 1
 match interface Multilink1
!
route-map DSL2 permit 10
 match ip address 1
 match interface FastEthernet0/1
!
!
!
control-plane
!
!

scheduler allocate 20000 1000
!
end

2811#

RE: Rate-Limit Command

I think it's because your input rate-limit access list is only matching the source of 192.168.1.x.

So when packets are coming from the net nothing will ever match. You need to match on the destination address for inputs on your multilink,

i.e. access-list 101 permit any 192.168.1.x

and I think it will have to be applied on your VLAN after the NAT takes place.

does that make sense?

RE: Rate-Limit Command

or rather

access-list 101 permit ip any 192.168.1.0 0.0.0.255

RE: Rate-Limit Command

(OP)
Thanks for your help.

I added:

"access-list 101 permit ip any any"

and then

"rate-limit input access-group 101 256000 256000 256000 conform-action transmit exceed-action drop"

to each WAN interface and it started working.

I didn't need to add it to the vlan.

RE: Rate-Limit Command

The only thing there is you are rate limiting everybody. If you wanted to do it per host, then you would have to change your access-list to only match certain hosts.
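The last few replies turn on where a rate-limit statement sits relative to NAT. As an added example (not from the thread or from Cisco), the following Python models the four attachment points used in the posted config for one download and one upload, following Cisco's documented NAT order of operations: on an interface, input rate limits are evaluated before NAT translates that direction, so a WAN-side input statement sees the public (global) address, while Vlan1 sees the inside addresses; output statements see the already-translated header. The public address 198.51.100.2 stands in for the a.b.c.e of the config, 192.168.1.10 for a LAN host and 203.0.113.10 for the download server; all three are assumptions, and the standard-versus-extended access-list matching is the documented Cisco behaviour.

```python
"""
Which rate-limit statement in the posted config can ever see a download or an
upload?  Added example.  The headers at each attachment point follow Cisco's
NAT order of operations: input CAR runs before NAT translates that direction,
output CAR runs after.  All addresses are constructed stand-ins.
"""
import ipaddress

PUBLIC_IP = "198.51.100.2"     # stands in for a.b.c.e on Multilink1 (assumption)
LAN_HOST = "192.168.1.10"      # a DHCP client on Vlan1 (assumption)
SERVER = "203.0.113.10"        # the Internet download server (assumption)
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


class Acl:
    """One permit entry.  A standard ACL (access-list 1 ...) tests the source
    only; an extended ACL (access-list 101 permit ip ...) tests source and
    destination.  Unset halves default to 'any'."""

    def __init__(self, src=ANY, dst=ANY):
        self.src, self.dst = src, dst

    def permits(self, src, dst):
        return wildcard_match(src, *self.src) and wildcard_match(dst, *self.dst)


# access-list 1 permit 192.168.1.0 0.0.0.255   (the posted config)
ACL_1 = Acl(src=("192.168.1.0", "0.0.0.255"))
# access-list 101 permit ip any 192.168.1.0 0.0.0.255   (suggested above)
ACL_101_TO_LAN = Acl(dst=("192.168.1.0", "0.0.0.255"))
# access-list 101 permit ip any any   (what the OP ended up using)
ACL_101_ANY = Acl()


def headers_seen(flow):
    """(interface, direction) -> (src, dst) as the rate-limit statement sees it."""
    if flow == "download":      # server -> LAN host; the router NATs the destination
        return {("Multilink1", "input"): (SERVER, PUBLIC_IP),    # before outside->inside NAT
                ("Vlan1", "output"): (SERVER, LAN_HOST)}         # after it
    if flow == "upload":        # LAN host -> server; the router NATs the source
        return {("Vlan1", "input"): (LAN_HOST, SERVER),          # before inside->outside NAT
                ("Multilink1", "output"): (PUBLIC_IP, SERVER)}   # after it
    raise ValueError(flow)


def points_that_match(acl, flow):
    """Attachment points where 'rate-limit <dir> access-group <acl>' polices this flow."""
    return sorted(pt for pt, (src, dst) in headers_seen(flow).items()
                  if acl.permits(src, dst))


if __name__ == "__main__":
    cases = [("access-list 1", ACL_1), ("101 any -> LAN", ACL_101_TO_LAN),
             ("101 any any", ACL_101_ANY)]
    for name, acl in cases:
        for flow in ("download", "upload"):
            print(f"{name:16} {flow:9} {points_that_match(acl, flow)}")
```

The model says the posted access-list 1 could police only LAN-originated traffic entering Vlan1 and never a download, which is consistent with the 600KB/sec observation; a destination-based list catches the download only on Vlan1 output, because on the WAN side the destination is still the public address when input CAR runs; and permit ip any any matches on the WAN interface input, at the cost of policing everything that arrives there, as the reply above notes.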
