Next week our company will be turning up a full-rate DS3 and I am trying to figure out what is the best method to manage (limit) how much bandwidth a protocol can potentially use. Right out of the gate I want to only allow 15 Mbps (in and out) of the circuit to be used (we are currently using an NxT1 (4 T1s) design), so the jump in bandwidth will be significant for us. I plan to use the rest of the circuit's bandwidth as we grow.
I really would like to control the amount of ingress traffic coming into us. I'm assuming that applying my access groups to the Internet-facing interface is my best bet?
I have done quite a bit of reading up on CAR, and it looks as if this could work for me, but is it the best method?
Below is a down-and-dirty rate-limiting config that I threw together.
! Interface-level CAR statements: they go under the Internet-facing interface and
! are evaluated top to bottom. A packet that hits a transmit or drop action stops
! there; only "continue" actions fall through to the next statement.
! Corporate/VPN traffic (ACL 109): marked precedence 5 when conforming and still
! forwarded when exceeding, so this class is never dropped by CAR.
rate-limit input access-group 109 3088000 16000 24000 conform-action set-prec-transmit 5 exceed-action transmit
! HTTP replies (ACL 110) capped at 7.168 Mbps
rate-limit input access-group 110 7168000 24000 32000 conform-action transmit exceed-action drop
! SMTP (ACL 111) capped at 1.544 Mbps
rate-limit input access-group 111 1544000 16000 24000 conform-action transmit exceed-action drop
! FTP control channel (ACL 112) capped at 1.544 Mbps
rate-limit input access-group 112 1544000 16000 24000 conform-action transmit exceed-action drop
! Everything not matched above (no access-group) capped at 3.088 Mbps
rate-limit input 3088000 16000 24000 conform-action transmit exceed-action drop
!
access-list 109 remark PrioritizeCorptraffic
access-list 109 permit esp any any
access-list 109 permit ip xx.xx.233.0 0.0.0.255 any
access-list 110 remark HTTP
! matches packets with source port 80, i.e. traffic coming back from web servers
access-list 110 permit tcp any eq www any
access-list 111 remark SMTP
access-list 111 permit tcp any eq smtp any
access-list 112 remark FTP
access-list 112 permit tcp any eq ftp any
Any input is greatly appreciated.
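A quick way to sanity-check CAR statements like the ones above, as an added example written for this page and not code from the original post: it parses Cisco `rate-limit` lines, checks the 8000 bps rate granularity and burst ordering CAR requires, compares the burst sizes against Cisco's published rule of thumb (normal burst = rate / 8 * 1.5 s in bytes, extended burst = 2 * normal) and adds up which classes actually carry a hard cap. The five posted statements are embedded as sample input.

```python
import re
# Added example, not from the original post: parse Cisco CAR "rate-limit" statements
# and check them against CAR's rules and Cisco's token-bucket sizing rule of thumb.
CAR_RE = re.compile(
    r"rate-limit\s+(input|output)(?:\s+access-group\s+(\d+))?\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+conform-action\s+(\S+(?:\s+\d+)?)\s+exceed-action\s+(\S+(?:\s+\d+)?)$")
POSTED = [  # the five statements from the post, used here as sample input
    "rate-limit input access-group 109 3088000 16000 24000 conform-action set-prec-transmit 5 exceed-action transmit",
    "rate-limit input access-group 110 7168000 24000 32000 conform-action transmit exceed-action drop",
    "rate-limit input access-group 111 1544000 16000 24000 conform-action transmit exceed-action drop",
    "rate-limit input access-group 112 1544000 16000 24000 conform-action transmit exceed-action drop",
    "rate-limit input 3088000 16000 24000 conform-action transmit exceed-action drop",
]

def parse_rate_limit(line):
    # Return the fields of one CAR statement as a dict; raise ValueError otherwise.
    m = CAR_RE.match(line.strip())
    if not m:
        raise ValueError("not a CAR statement: %r" % line)
    direction, acl, bps, normal, maximum, conform, exceed = m.groups()
    return {"direction": direction, "acl": int(acl) if acl else None,
            "bps": int(bps), "burst_normal": int(normal),
            "burst_max": int(maximum), "conform": conform, "exceed": exceed}

def recommended_bursts(bps):  # Cisco's rule of thumb, both values in bytes
    normal = bps * 3 // 16  # rate / 8 bits per byte * 1.5 seconds
    return normal, 2 * normal  # extended burst = 2 * normal burst

def check_statement(stmt):
    # List the problems with one parsed statement (empty list if none).
    issues = []
    if stmt["bps"] % 8000:  # CAR accepts rates only in 8000 bps increments
        issues.append("rate is not a multiple of 8000 bps")
    if stmt["burst_max"] < stmt["burst_normal"]:
        issues.append("burst-max is smaller than burst-normal")
    normal, _ = recommended_bursts(stmt["bps"])
    if stmt["burst_normal"] < normal:
        issues.append("burst-normal %d is below the recommended %d bytes"
                      % (stmt["burst_normal"], normal))
    # A *-transmit exceed action forwards the excess and ends CAR evaluation,
    # so the class is uncapped and never reaches a later catch-all statement.
    if stmt["exceed"].split()[0].endswith("transmit"):
        issues.append("exceed-action transmits, so this class is uncapped")
    return issues

def audit(config_lines):
    """Check every statement; return (sum of hard caps in bps, {line_no: issues})."""
    report, capped = {}, 0
    for n, line in enumerate(config_lines, 1):
        stmt = parse_rate_limit(line)
        report[n] = check_statement(stmt)
        if stmt["exceed"] == "drop":
            capped += stmt["bps"]
    return capped, report
```

Run against the posted lines, `audit(POSTED)` reports 13344000 bps of hard caps (the ACL 109 class contributes nothing because its exceed action transmits) and flags every burst-normal value as far below Cisco's recommendation for its rate.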