Best practices for controlling inbound bandwidth per protocol

Mar 12th, 2008
Next week our company will be turning up a full rate DS3 and I am trying to figure out what is the best method to manage (limit) how much bandwidth a protocol can potentially use. Right out of the gate I want to only allow 15Mbps (in and out) of the circuit to be used (we are currently using an NxT1 (4 - T-1's) design), so the jump in bandwidth will be significant for us. I plan to use the rest of the circuit's bandwidth as we grow.

I really would like to control the amount of ingress traffic coming into us. I'm assuming that applying my access groups to the Internet facing interface is my best bet?

I have done quite a bit of reading up on CAR and it looks as if this could work for me, but is it the best method?

Below is a down and dirty rate-limiting config that I threw together.

rate-limit input access-group 109 3088000 16000 24000 conform-action set-prec-transmit 5 exceed-action transmit
rate-limit input access-group 110 7168000 24000 32000 conform-action transmit exceed-action drop
rate-limit input access-group 111 1544000 16000 24000 conform-action transmit exceed-action drop
rate-limit input access-group 112 1544000 16000 24000 conform-action transmit exceed-action drop
rate-limit input 3088000 16000 24000 conform-action transmit exceed-action drop

access-list 109 remark PrioritizeCorptraffic
access-list 109 permit esp any any
access-list 109 permit ip xx.xx.233.0 any
access-list 110 remark HTTP
access-list 110 permit tcp any eq www any
access-list 111 remark SMTP
access-list 111 permit tcp any eq smtp any
access-list 112 remark FTP
access-list 112 permit tcp any eq ftp any

Any input is greatly appreciated.

Thank you,

Brad Denham

Joseph W. Doherty Thu, 03/13/2008 - 18:47

You didn't mention the hardware platform; assuming a router, I would suggest using a shaper over a rate limiter. If you want to shape per protocol, this could be accomplished using shapers with CBWFQ classes. Define two shapers, set for output on both the internal and external facing interfaces.


The shaper for your inbound traffic (the one on the internal facing interface) will limit bandwidth to clients, but traffic will burst higher on the DS3.
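
The inbound half of the shaper-with-CBWFQ approach suggested in the reply above, sketched as an added example that is not part of the original thread or either poster's configuration. The interface name, the class and policy names, and the percentages are assumptions; ACLs 109-112 are the ones from the question.

```cisco
! Added example. Assumptions: FastEthernet0/0 is the inside-facing interface;
! class names, policy names and percentages are illustrative only.
! ACLs 109-112 from the question match inbound traffic by source port, so
! they still classify correctly on the inside interface's output direction.
class-map match-all CORP
 match access-group 109
class-map match-all HTTP
 match access-group 110
class-map match-all SMTP
 match access-group 111
class-map match-all FTP
 match access-group 112
!
! Child policy: CBWFQ classes share whatever the parent shaper releases.
! "bandwidth percent" is a minimum guarantee under congestion, not a cap.
policy-map INBOUND-CLASSES
 class CORP
  bandwidth percent 20
 class HTTP
  bandwidth percent 40
 class SMTP
  bandwidth percent 5
 class FTP
  bandwidth percent 5
 class class-default
  fair-queue
!
! Parent policy: shape all traffic leaving toward the LAN to 15 Mbps.
! Excess is queued in the child classes instead of being dropped at once.
policy-map SHAPE-INBOUND-15M
 class class-default
  shape average 15000000
  service-policy INBOUND-CLASSES
!
interface FastEthernet0/0
 service-policy output SHAPE-INBOUND-15M
```

The outbound direction needs a second policy applied as output on the external-facing interface, with ACLs that match the destination ports rather than the source ports.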

