rate limit

leungcm · ‎06-08-2007

Hi,

I implement the rate limited to wan interface. the object is following

192.168.5.1

192.168.16.6

...

is controlled by "rate limited", others (172.16.x.x and some 192.168.y.x) will not controlled by "rate limited".

the config is following:

inter ser 1/0

rate-limit output access-group 60 1024000 2000 2000 conform-action continue exceed-action drop

ip access-list 60 permit host 192.168.5.1

ip access-list 60 permit host 192.168.16.6

:

Now, I would like to re-config the rate limited as following:

inter ser 1/0

rate-limit output access-group 60 1024000 2000 2000 conform-action continue exceed-action drop

ip access-list 60 deny host 172.16.x.x

ip access-list 60 deny host 192.168.y.x

ip access-list 60 permit any any

It means that we revert the the access list.

are both config with same result? please advice. Thanks

Best regards

herve.durand · ‎06-08-2007

With your 1st access-list you are rate-limiting traffic for hosts 192.168.5.1 and 192.168.16.6 only.

With the 2nd access-list, you are rate-limiting everything except traffic for hosts 172.16.x.x and 192.168.y.x

I would recommend using a more specific access-list where you actually define which is the source and which is the destination. For example:

ip access-list 160 deny ip any host 172.16.x.x

or

ip access-list 160 deny ip host 172.16.x.x any

(depends on direction of your traffic)

Hope this helps.

bvsnarayana03 · ‎06-08-2007

Hi,

As u knw, ACL searches the entries sequentially & stops after a match. Also, ACLs add to the overhead on router CPU.

Keeping these 2 in mind, its better to go with your 1st case rather than 2nd, as both mean the same (as per subnets mentioned by you)