06-08-2007 08:02 AM - edited 03-03-2019 05:21 PM
Hi,
I implemented rate limiting on the WAN interface. The objects are the following:
192.168.5.1
192.168.16.6
...
...
are controlled by "rate limit"; others (172.16.x.x and some 192.168.y.x) will not be controlled by "rate limit".
The config is the following:
interface serial 1/0
 rate-limit output access-group 60 1024000 2000 2000 conform-action continue exceed-action drop
!
access-list 60 permit host 192.168.5.1
access-list 60 permit host 192.168.16.6
...
Now, I would like to re-configure the rate limit as follows:
interface serial 1/0
 rate-limit output access-group 60 1024000 2000 2000 conform-action continue exceed-action drop
!
access-list 60 deny host 172.16.x.x
access-list 60 deny host 192.168.y.x
access-list 60 permit any
It means that we invert the access list.
Do both configs give the same result? Please advise. Thanks.
Best regards
06-08-2007 08:07 AM
With your 1st access-list you are rate-limiting traffic for hosts 192.168.5.1 and 192.168.16.6 only.
With the 2nd access-list, you are rate-limiting everything except traffic for hosts 172.16.x.x and 192.168.y.x.
I would recommend using a more specific access-list where you actually define which is the source and which is the destination. For example:
access-list 160 deny ip any host 172.16.x.x
or
access-list 160 deny ip host 172.16.x.x any
(depends on the direction of your traffic)
Hope this helps.
06-08-2007 08:14 AM
Hi,
As you know, an ACL searches the entries sequentially and stops after a match. Also, ACLs add to the overhead on the router CPU.
Keeping these 2 in mind, it's better to go with your 1st case rather than the 2nd, as both mean the same (as per the subnets mentioned by you).
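As an added illustration of the two replies above (not code from the thread or from Cisco), the following Python models the sequential first-match evaluation of a standard IOS ACL, applies it to both variants of access-list 60, and lists the addresses on which they disagree. The "x.x" and "y.x" in the thread are unspecified, so the exempt ranges 172.16.0.0/12 and 192.168.20.0/24, the sample addresses, and all function names are constructed assumptions for this example.

```python
import ipaddress

# Constructed model of the original access-list 60: only two hosts are permitted,
# so only their traffic is handed to the rate limiter (assumption: mirrors the thread).
ACL_ORIGINAL = [
    ("permit", "192.168.5.1/32"),
    ("permit", "192.168.16.6/32"),
]

# Constructed model of the inverted access-list 60. The exempt ranges stand in for
# the thread's 172.16.x.x and 192.168.y.x placeholders (assumption).
ACL_INVERTED = [
    ("deny", "172.16.0.0/12"),
    ("deny", "192.168.20.0/24"),
    ("permit", "0.0.0.0/0"),   # "permit any"
]


def acl_lookup(acl, address):
    """Sequential first-match evaluation of a standard ACL on the source address.

    Returns (index_of_matching_entry, action). If no entry matches, the implicit
    "deny any" at the end of every IOS ACL applies.
    """
    addr = ipaddress.ip_address(address)
    for index, (action, network) in enumerate(acl):
        if addr in ipaddress.ip_network(network):
            return index, action
    return len(acl), "deny"


def entries_examined(acl, address):
    """How many ACL entries the router walks before deciding on this address."""
    index, _ = acl_lookup(acl, address)
    return min(index + 1, len(acl))


def is_rate_limited(acl, address):
    """'rate-limit ... access-group N' applies to packets the ACL permits."""
    return acl_lookup(acl, address)[1] == "permit"


def disagreements(acl_a, acl_b, addresses):
    """Addresses on which the two ACLs make a different rate-limit decision."""
    return [a for a in addresses if is_rate_limited(acl_a, a) != is_rate_limited(acl_b, a)]


# Constructed sample of source addresses: the two listed hosts, one address in each
# exempt range, and two addresses that belong to neither.
SAMPLE = [
    "192.168.5.1", "192.168.16.6",
    "172.16.3.9", "192.168.20.7",
    "192.168.50.1", "10.0.0.5",
]

if __name__ == "__main__":
    for address in SAMPLE:
        print(f"{address:14} original={is_rate_limited(ACL_ORIGINAL, address)!s:5} "
              f"inverted={is_rate_limited(ACL_INVERTED, address)!s:5} "
              f"entries walked={entries_examined(ACL_ORIGINAL, address)}/"
              f"{entries_examined(ACL_INVERTED, address)}")
    print("differ on:", disagreements(ACL_ORIGINAL, ACL_INVERTED, SAMPLE))
```

Running it shows the point of both replies: the two lists agree on the named hosts and on the exempt ranges, but any address outside those ranges (192.168.50.1 and 10.0.0.5 in the sample) is rate-limited only by the inverted list, so the lists are equivalent only if every other address on the link falls inside the deny entries. It also shows that unmatched addresses walk every entry before hitting the implicit deny, which is the CPU-overhead argument for keeping the permit list short.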