12-25-2007 12:58 PM - edited 03-03-2019 08:02 PM
Hi Experts,
We are utilizing a P2P link for access to a citrix farm and also to the internet via the customer network.
I need to limit the amount of bandwidth the users in our network use over the link to access the internet, but I am just not able to figure out the logic I should be using in the Access List to filter out just the internet traffic.
Can someone please advise about the ACL and also the right approach to implementing the rate limit.
Regards,
Imran.
12-25-2007 02:19 PM
Hi,
First of all, rate-limit is bad because it damages TCP and makes performance miserable. Please configure shaping instead.
This said, the concept is simple: everything that doesn't go to your network goes to the internet. So:
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
Apply this access list to the traffic shaping in a policy-map. Everything that doesn't go to 10.x.x.x will match the ACL and be shaped. Replace 10.x.x.x with the address you use internally.
Hope this helps, please rate post if it does!
12-25-2007 07:36 PM
Hi Imran, [Pls Rate if HELPS]
Here follows the method:
-------------------------------
!
class-map match-all Citrix_via_P2P
match access-group 120
!
!
policy-map QOS_Internet
class Citrix_via_P2P
bandwidth 5500
class class-default
fair-queue
!
interface FastEthernet0/0
description "connected to Service Provider Internet Cloud"
rate-limit input access-group 120 5496000 1000000 1000000 conform-action transmit exceed-action drop
rate-limit input access-group 121 4496000 9000 18000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1
description "Connected to LAN Backbone"
service-policy output QOS_Internet
ACL:
-------
access-list 120 permit ip host xx.xx.xx.xxx host xx.xx.xx.xx
!! ACL 120 means matching traffic to Citrix
access-list 121 permit ip any any
!! ACL 121 means any traffic to Internet
In the above QoS sample, consider the overall bandwidth of the link to be 10 Mbps.
The traffic to the Citrix server via the P2P connection has bandwidth reserved to 5496000 bytes, and traffic to the Internet has bandwidth reserved to 4496000 bytes.
Hope this is informative.
PLS RATE if HELPS
Best Regards,
Guru Prasad R
12-26-2007 06:32 AM
Hi,
We have shaping enabled on our router. The problem is that I am unable to define bandwidth more than 384 under the policy map. We have 768 Kbps of BW available and we want to use strictly about 100 kbps of BW for Internet traffic.
Serial0/3/0.151 is our P2P link.
Also, looking at the access list below:
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
it seems that 10.0.0.0 is the source, and we need to filter based on destination, so should it be modified?
I am posting the config of our local router. Please can you review the same and advise if there is something wrong in the Frame Relay config.
Thanks.
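The direction question raised in the post above can be checked mechanically. The following is an added example, not code from any poster in the thread: a minimal evaluator for IOS-style numbered ACL entries (wildcard masks, host, any, first match wins, implicit deny) that runs the posted source-based ACL and a destination-based variant against two constructed flows. The Citrix server address 10.3.81.104 is taken from the config posted later in the thread; 10.1.1.5 and 198.51.100.7 are constructed sample addresses.

```python
import ipaddress

# Added example (not from the thread): a minimal evaluator for IOS-style
# numbered ACL entries, used to show that the ACL posted earlier tests the
# SOURCE address, while the shaping class needs a DESTINATION test.

def _parse_addr(tokens, i):
    """Parse one address operand starting at tokens[i].
    Returns (address, wildcard, next_index). In an IOS wildcard mask a 1 bit
    means 'do not care', so 10.0.0.0 0.255.255.255 matches 10.0.0.0/8."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2

def _matches(addr, wild, value):
    care = ~wild & 0xFFFFFFFF          # bits the entry actually compares
    return (value & care) == (addr & care)

def parse_entry(line):
    """'access-list 100 deny ip <src> <dst>' -> (action, (sa, sw), (da, dw))."""
    t = line.split()
    action = t[2]                      # 'permit' or 'deny'
    sa, sw, i = _parse_addr(t, 4)      # t[3] is the protocol keyword 'ip'
    da, dw, _ = _parse_addr(t, i)
    return action, (sa, sw), (da, dw)

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; an ACL with no match denies implicitly."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for line in acl:
        action, (sa, sw), (da, dw) = parse_entry(line)
        if _matches(sa, sw, s) and _matches(da, dw, d):
            return action
    return "deny"

# The ACL as posted: the 10.0.0.0/8 test sits in the SOURCE field.
ACL_SOURCE_BASED = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
                    "access-list 100 permit ip any any"]
# Destination-based variant: exclude traffic going TO the internal range.
ACL_DEST_BASED = ["access-list 100 deny ip any 10.0.0.0 0.255.255.255",
                  "access-list 100 permit ip any any"]

if __name__ == "__main__":
    # Constructed flows: a LAN host browsing the internet, and the same host
    # reaching a 10.x Citrix server (address from the thread's posted config).
    for name, acl in (("source-based", ACL_SOURCE_BASED), ("dest-based", ACL_DEST_BASED)):
        print(name, "web:", evaluate(acl, "10.1.1.5", "198.51.100.7"),
              "citrix:", evaluate(acl, "10.1.1.5", "10.3.81.104"))
```

With the posted source-based ACL every packet from a 10.x LAN host is denied, so nothing from the LAN would ever be matched by the shaping class; the destination-based variant permits (and therefore shapes) the web flow while leaving the Citrix flow unshaped.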
12-26-2007 09:37 PM
Hi Imran,
If you can't define bandwidth more than 384 under the policy map, then verify whether anywhere on the interface (connected to the service provider) the bandwidth is defined / restricted.
Also, check with Service Provider for any restrictions.
DO RATE ALL HELPFUL POSTS
Best Regards,
Guru Prasad R
12-28-2007 04:40 PM
Don't forget to use "max-reserved-bandwidth 100" on the interface with the policy. If you don't you are limited to having 75% of the BW of the interface "reservable" since IOS "keeps" 25% for overhead. If you know what your traffic is, use the above so you can control 100%.
Note: in our QoS policies we always have a class for telnet/ssh/ftp/syslog/ntp/etc. so we can reach the device even when it's busy...
HTH
Paul
12-25-2007 09:14 PM
Hi Imran,
In addition to what Guru said, you should be clear on how you match the Citrix traffic. There are two ways to do that:
1. NBAR (Network Based Application Recognition) will catch it automatically if you include match protocol citrix in the configuration (the downside of using NBAR is that CPU utilisation may go high). In case your protocol Citrix is not listed in IOS, you have to use a PDLM (download the PDLM from the Cisco website).
2. With an access-list you can use the Citrix well-known port number, which will match all Citrix traffic based on port.
rgds
shiva
12-26-2007 06:08 PM
Please can someone advise. I've posted the config above the previous post.
Thanks.
Imran.
12-28-2007 10:47 PM
!
ip access-list extended NON-CITRIX
deny tcp any host 10.3.81.104
deny tcp any host 10.3.80.9
deny tcp any host 10.3.81.91
deny tcp any host 10.3.240.24
deny tcp any host 10.3.240.26
deny tcp any any eq 22
deny tcp any any eq telnet
deny tcp host 10.3.81.104 any
deny tcp host 10.3.80.9 any
deny tcp host 10.3.81.91 any
deny tcp host 10.3.240.24 any
deny tcp host 10.3.240.26 any
deny tcp any eq 22 any
deny tcp any eq telnet any
deny tcp any host 10.3.84.153 eq 3389
deny tcp any host 10.3.84.155 eq 3389
deny tcp any host 10.3.84.151 eq 3389
deny tcp any host 10.3.80.10 eq 3389
deny tcp any host 10.3.80.62 eq 3389
deny tcp any host 10.3.81.1
deny tcp any host 10.3.81.2
deny tcp any host 10.3.80.54
deny tcp any host 10.3.81.60
deny tcp any host 162.137.43.201
deny tcp any host 162.137.46.212
deny tcp any host 10.5.81.5
deny tcp host 10.3.84.153 eq 3389 any
deny tcp host 10.3.84.155 eq 3389 any
deny tcp host 10.3.84.151 eq 3389 any
deny tcp host 10.3.80.10 eq 3389 any
deny tcp host 10.3.80.62 eq 3389 any
deny tcp host 10.3.81.1 any
deny tcp host 10.3.81.2 any
deny tcp host 10.3.80.54 any
deny tcp host 10.3.81.60 any
deny tcp host 162.137.43.201 any
deny tcp host 162.137.46.212 any
deny tcp host 10.5.81.5 any
deny tcp any host 10.3.80.72
deny tcp host 10.3.80.72 any
permit ip any any
!
class-map match-any NON-CITRIX
description ALL NON CITRIX TRAFFIC
match access-group name NON-CITRIX
!
policy-map CITRIXServers
no class IMPTOOLS
class NON-CITRIX
shape average 100000
!
12-30-2007 10:21 PM
Hi,
class class-default
fair-queue
is mandatory to allow the other types of traffic, to avoid drops.
Do RATE ALL HELPFUL POSTS
Best Regards,
Guru Prasad R
12-31-2007 10:01 AM
That is not required :)
12-31-2007 10:06 AM
Indeed not required, but recommendable.