Rate limiting Internet traffic

imran_mo (Level 1)

Hi Experts,

We are utilizing a P2P link for access to a citrix farm and also to the internet via the customer network.

I need to limit the amount of bandwidth the users in our network use over the link to access the internet, but I am just not able to figure out the logic I should be using in the Access List to filter out just the internet traffic.

Can someone please advise on the ACL and also on the right approach to implementing the rate limit.

Regards,

Imran.

11 Replies

paolo bevilacqua (Hall of Fame)

Hi,

First of all, rate-limit is bad because it damages TCP and makes performance miserable. Please configure shaping instead.

This said, the concept is simple: everything that doesn't go to your network goes to the internet. So:

access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

Apply this access list to the traffic shaping in a policy-map. Everything that doesn't go to 10.x.x.x will match the ACL and be shaped. Replace 10.x.x.x with the address range you use internally.

Hope this helps, please rate post if it does!
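An added illustration of the point made in this reply (it is not Paolo's code and not Cisco IOS code): both `rate-limit` and `shape average` meter traffic with a token bucket, but a policer has no queue and drops whatever exceeds the bucket, while a shaper holds the excess and releases it at the committed rate. The rate (100 kbps), the bucket depth (1500 bytes), the FIFO limit and the trace of ten full-size packets arriving at once are constructed values chosen to make the difference visible; TCP treats the policer's drops as congestion and backs off, which is the throughput damage described above.

```python
"""Policing vs shaping with a single-rate token bucket.

Added illustration, not code from the thread or from Cisco IOS. Rate, burst
size, queue limit and the packet trace are constructed values.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    arrival: float   # seconds since start of trace
    size: int        # bytes


class TokenBucket:
    """Bucket refilled at rate_bps (bits/s), capped at burst_bytes (Bc)."""

    def __init__(self, rate_bps: float, burst_bytes: int) -> None:
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)   # starts full
        self.last = 0.0

    def refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + elapsed * self.rate_bps / 8)
        self.last = max(self.last, now)


def police(packets: List[Packet], rate_bps: float,
           burst_bytes: int) -> Tuple[List[Packet], List[Packet]]:
    """rate-limit ... conform-action transmit exceed-action drop.

    No queue: a packet that finds too few tokens is dropped on the spot.
    """
    bucket = TokenBucket(rate_bps, burst_bytes)
    sent, dropped = [], []
    for p in packets:
        bucket.refill(p.arrival)
        if bucket.tokens >= p.size:
            bucket.tokens -= p.size
            sent.append(p)
        else:
            dropped.append(p)
    return sent, dropped


def shape(packets: List[Packet], rate_bps: float, burst_bytes: int,
          queue_limit: int = 64) -> Tuple[List[Tuple[Packet, float]], List[Packet]]:
    """shape average: excess is queued and released as tokens accrue.

    Returns ([(packet, departure_time)], dropped). Drops occur only when the
    FIFO is full, never merely because the bucket is momentarily empty.
    """
    bucket = TokenBucket(rate_bps, burst_bytes)
    departures, dropped = [], []
    for p in packets:
        backlog = sum(1 for _, t in departures if t > p.arrival)  # still waiting
        if backlog >= queue_limit:
            dropped.append(p)
            continue
        start = max(p.arrival, departures[-1][1] if departures else 0.0)
        bucket.refill(start)
        if bucket.tokens < p.size:
            # wait until enough tokens have accrued for this packet
            start += (p.size - bucket.tokens) * 8 / rate_bps
            bucket.refill(start)
        bucket.tokens = max(0.0, bucket.tokens - p.size)
        departures.append((p, start))
    return departures, dropped


# Constructed trace: ten 1500-byte packets arriving in one burst at t=0.
BURST_TRACE = [Packet(0.0, 1500) for _ in range(10)]


def compare(rate_bps: float = 100_000, burst_bytes: int = 1500,
            packets: List[Packet] = BURST_TRACE) -> dict:
    sent, dropped = police(packets, rate_bps, burst_bytes)
    departures, s_dropped = shape(packets, rate_bps, burst_bytes)
    return {
        "policer_sent": len(sent),
        "policer_dropped": len(dropped),
        "shaper_sent": len(departures),
        "shaper_dropped": len(s_dropped),
        "shaper_last_departure_s": departures[-1][1] if departures else None,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

At 100 kbps a 1500-byte packet consumes 0.12 s of credit, so the policer passes one packet of the burst and drops nine, whereas the shaper delivers all ten, the last 1.08 s after arrival. Lowering `queue_limit` shows where a shaper also starts dropping: once the FIFO is full, later arrivals are discarded.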

Hi Imran, [Pls rate if it helps]

Here follows the method:

-------------------------------

!
class-map match-all Citrix_via_P2P
 match access-group 120
!
policy-map QOS_Internet
 class Citrix_via_P2P
  bandwidth 5500
 class class-default
  fair-queue
!
interface FastEthernet0/0
 description "connected to Service Provider Internet Cloud"
 rate-limit input access-group 120 5496000 1000000 1000000 conform-action transmit exceed-action drop
 rate-limit input access-group 121 4496000 9000 18000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1
 description "Connected to LAN Backbone"
 service-policy output QOS_Internet

ACL:
-------

access-list 120 permit ip host xx.xx.xx.xxx host xx.xx.xx.xx
!! ACL 120 matches traffic to Citrix
access-list 121 permit ip any any
!! ACL 121 matches any traffic to the Internet

In the above QoS sample, the overall bandwidth of the link is taken to be 10 Mbps.

Traffic to the Citrix server via the P2P connection has 5496000 bytes of bandwidth reserved, and traffic to the Internet has 4496000 bytes reserved.

Hope this is informative.

Pls rate if it helps

Best Regards,

Guru Prasad R

Hi,

We have shaping enabled on our router. The problem is that I am unable to define a bandwidth of more than 384 under the policy map. We have 768 Kbps of BW available and we want to use strictly about 100 kbps of BW for Internet traffic.

Serial0/3/0.151 is our P2P link.

Also, looking at the access list below:

access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

it seems that 10.0.0.0 is the source and we need to filter based on destination, so should it be modified?

I am posting the config of our local router. Could you please review it and advise if there is something wrong in the Frame Relay config.

Thanks.
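The source-versus-destination question raised above can be checked rather than guessed. The following is an added example, not code from this thread or from Cisco: it evaluates an IOS numbered extended ACL the way `match access-group` does (first matching entry wins, implicit deny at the end, only a permit places the packet in the class) and runs both forms of the ACL against two constructed flows. Assumptions: the flows are seen in the direction the service-policy applies to, from the LAN toward the P2P link; 10.3.1.5 and 203.0.113.10 are constructed addresses (the latter from the documentation range, standing in for an Internet host); 10.3.81.104 is one of the Citrix hosts listed in the NON-CITRIX ACL further down the thread; and the parser covers only the `any` / `host` / address-plus-wildcard syntax those ACLs use, without port qualifiers.

```python
"""Evaluate an IOS extended ACL the way 'match access-group' does.

Added example, not code from the thread or from Cisco. Handles the numbered
'access-list N permit|deny ip|tcp|udp SRC DST' form with any / host /
address+wildcard (no port qualifiers).
"""
import ipaddress
from typing import Dict, List, Tuple

Spec = Tuple[int, int]                 # (base address, wildcard) as integers
Ace = Tuple[str, str, Spec, Spec]      # (action, protocol, source, destination)
ANY: Spec = (0, 0xFFFFFFFF)            # wildcard all-ones: every address matches


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2   # network + wildcard


def parse_acl(text: str) -> List[Ace]:
    entries: List[Ace] = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        entries.append((action, proto, src, dst))
    return entries


def _matches(addr: int, spec: Spec) -> bool:
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # a wildcard bit of 1 means "don't care"
    return (addr & care) == (base & care)


def evaluate(entries: List[Ace], src: str, dst: str, proto: str = "tcp") -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, p, sspec, dspec in entries:
        if p != "ip" and p != proto:
            continue
        if _matches(s, sspec) and _matches(d, dspec):
            return action
    return "deny"


def in_class(entries: List[Ace], src: str, dst: str, proto: str = "tcp") -> bool:
    """match access-group: only a permit puts the packet into the class."""
    return evaluate(entries, src, dst, proto) == "permit"


# The ACL as posted (10/8 in the source field) and the destination-field variant.
SOURCE_FIELD = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
"""
DEST_FIELD = """
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
"""

# Constructed flows as seen leaving the LAN toward the P2P link.
# 10.3.81.104 is a Citrix host from the NON-CITRIX ACL in this thread;
# 203.0.113.10 is a documentation-range address standing in for an Internet host.
FLOWS = {
    "lan_to_internet": ("10.3.1.5", "203.0.113.10"),
    "lan_to_citrix": ("10.3.1.5", "10.3.81.104"),
}


def classify(acl_text: str) -> Dict[str, bool]:
    """Which constructed flows would land in a class matching this ACL."""
    entries = parse_acl(acl_text)
    return {name: in_class(entries, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    print("10/8 in source field:     ", classify(SOURCE_FIELD))
    print("10/8 in destination field:", classify(DEST_FIELD))
```

With 10/8 in the source field, every packet that originates on a 10.x LAN host is denied by the first entry, so neither flow enters the class and nothing gets shaped. With 10/8 in the destination field, the Citrix-bound flow is excluded and the Internet-bound flow is permitted into the class, which is the behaviour the question is after. Which field is "source" depends on the direction in which the policy is applied, so the same check should be repeated for the interface and direction actually used.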

Hi Imran,

If you can't define a bandwidth of more than 384 under the policy map, then verify whether the bandwidth is defined / restricted anywhere on the interface (connected to the service provider).

Also, check with Service Provider for any restrictions.

DO RATE ALL HELPFUL POSTS

Best Regards,

Guru Prasad R

Don't forget to use "max-reserved-bandwidth 100" on the interface with the policy. If you don't, you are limited to having 75% of the BW of the interface "reservable", since IOS "keeps" 25% for overhead. If you know what your traffic is, use the above so you can control 100%.

Note: in our QoS policies we always have a class for telnet/ssh/ftp/syslog/ntp/etc. so we can reach the device even when it's busy...

HTH

Paul

shiva_ial (Level 1)

hi imran,

in addition to what guru said, you should be clear on how you match the citrix traffic. There are two ways to do that:

1. NBAR (Network Based Application Recognition) will catch it automatically if you include "match protocol citrix" in the configuration (the downside of using NBAR is that CPU utilisation may go high). In case your protocol citrix is not listed in IOS, you have to use a PDLM (download the PDLM from the Cisco website).

2. With an access-list you can use the Citrix well-known port number, which will match all Citrix traffic based on port.

rgds

shiva

Please can someone advise. I've posted the config above the previous post.

Thanks.

Imran.

!
ip access-list extended NON-CITRIX
 deny tcp any host 10.3.81.104
 deny tcp any host 10.3.80.9
 deny tcp any host 10.3.81.91
 deny tcp any host 10.3.240.24
 deny tcp any host 10.3.240.26
 deny tcp any any eq 22
 deny tcp any any eq telnet
 deny tcp host 10.3.81.104 any
 deny tcp host 10.3.80.9 any
 deny tcp host 10.3.81.91 any
 deny tcp host 10.3.240.24 any
 deny tcp host 10.3.240.26 any
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any host 10.3.84.153 eq 3389
 deny tcp any host 10.3.84.155 eq 3389
 deny tcp any host 10.3.84.151 eq 3389
 deny tcp any host 10.3.80.10 eq 3389
 deny tcp any host 10.3.80.62 eq 3389
 deny tcp any host 10.3.81.1
 deny tcp any host 10.3.81.2
 deny tcp any host 10.3.80.54
 deny tcp any host 10.3.81.60
 deny tcp any host 162.137.43.201
 deny tcp any host 162.137.46.212
 deny tcp any host 10.5.81.5
 deny tcp host 10.3.84.153 eq 3389 any
 deny tcp host 10.3.84.155 eq 3389 any
 deny tcp host 10.3.84.151 eq 3389 any
 deny tcp host 10.3.80.10 eq 3389 any
 deny tcp host 10.3.80.62 eq 3389 any
 deny tcp host 10.3.81.1 any
 deny tcp host 10.3.81.2 any
 deny tcp host 10.3.80.54 any
 deny tcp host 10.3.81.60 any
 deny tcp host 162.137.43.201 any
 deny tcp host 162.137.46.212 any
 deny tcp host 10.5.81.5 any
 deny tcp any host 10.3.80.72
 deny tcp host 10.3.80.72 any
 permit ip any any
!
class-map match-any NON-CITRIX
 description ALL NON CITRIX TRAFFIC
 match access-group name NON-CITRIX
!
policy-map CITRIXServers
 no class IMPTOOLS
 class NON-CITRIX
  shape average 100000
!

Hi,

class class-default
 fair-queue

is mandatory to allow the other types of traffic to avoid drops.

Do RATE ALL HELPFUL POSTS

Best Regards,

Guru Prasad R

That is not required :)

Indeed not required, but recommendable.
