06-15-2009 06:22 AM - edited 03-06-2019 06:15 AM
I want to apply rate-limit or service-policy to an interface at 00.00 and to revert back at 07.00 every day.
What are possible solutions?
Thank you.
06-15-2009 06:55 AM
Tim,
Depending upon the IOS you are using, you can implement Cisco IOS EEM as a solution:
http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html
With that said, I don't recommend making changes in the config on routers as a routine. You can run into issues during a config change that can cause a router to reload.
Depending on the requirements, you can also look into Time-Based ACLs.
HTH,
__
Edison.
06-15-2009 10:49 AM
Yes!!! Thank you. Time based ACL. Here is the result:
time-range NIGHT
 periodic daily 00:00 to 06:59
!
access-list 150 remark This is to rate-limit almost everybody during NIGHT
access-list 150 deny ip host 192.168.11.212 any
access-list 150 deny ip any host 192.168.11.212
access-list 150 deny ip host 192.168.11.210 any
access-list 150 deny ip any host 192.168.11.210
access-list 150 deny ip 192.168.99.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 150 deny ip 192.168.16.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 150 deny ip 192.168.16.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 150 deny ip 192.168.12.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 150 deny ip host 192.168.11.203 any
access-list 150 deny ip any host 192.168.11.203
access-list 150 deny ip host 192.168.11.42 any
access-list 150 deny ip any host 192.168.11.42
access-list 150 permit ip any any time-range NIGHT
!
interface Vlan3
 description INSIDE
 ip address 172.16.11.2 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 150 128000 24000 24000 conform-action transmit exceed-action drop
 rate-limit output access-group 150 128000 24000 24000 conform-action transmit exceed-action drop
Anyway I still can not understand 24000 24000 - these numbers. I know the recommendation - (128k*1.5)/8 but it does not work. Why?
Thank you anyway.
06-15-2009 10:54 AM
Those numbers are the committed burst and exceeded burst values reflected in bytes.
What do you mean it does not work?
__
Edison.
06-15-2009 11:21 AM
I mean this - For example:
I want to rate-limit everybody to 128 Kbit/s. When I am checking interface traffic load with rate-limit applied, I see that it is really "rate-limited", but not to 128 Kbit/s - it is limited to 196-384 Kbit/s. Why? I am monitoring with IPSwitchGold and Advent Net Netflow. Can you please explain what these "burst rates" mean in real life? Is there any way to rate limit to REALLY xx Kbit/s?
Thank you.
06-15-2009 11:51 AM
What's the model of the device in question and IOS version?
BTW, I want to correct my previous reply.
Those numbers reflect 'burst normal' and 'burst max' (you will learn to love QoS and how similar the command variables are, NOT :)).
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_q1.html#wp1015612
06-15-2009 12:02 PM
Right now - C3845. But I saw the same issue on every device (C1[7,8]xx-C2[6,8,9]XX-C3[7,8]XX) I have worked with. I will try to read the documentation again.
06-15-2009 12:12 PM
Apply the rate-limit on the physical port instead of the logical interface.
Software rate-limiters will try to average the limit down to the specified value, but that is hard to obtain with the multitude of traffic flows and patterns.
You can also look into using the police command with MQC instead of the legacy rate-limit command.
HTH,
__
Edison.
06-16-2009 10:00 AM
Thank you Edison.
I will use MQC a bit later. But first I want to understand why I do not have a result with CAR.
(I want to rate-limit to 64 Kbit/s but I see that traffic load is "floating" from 100 Kbit/s to 300 Kbit/s). Why?
Here are my questions:
1. If I will place rate limit to physical NAT outside interface - will it work? I am not sure that that acl #150 will work - it classifies nat inside hosts and "tunneled" networks from other regions. What do you think?
2. You advise me to avoid applying rate-limit to logical interfaces - is it from your experience or is it recommended by documentation? I know that if I am applying rate-limit to a Dialer interface - it is not working. Till this moment I thought that it is not working because of incorrect burst-rates. It will never work there? I should replace it to physical interface.
3. I am very sorry, but I still can not understand rate-limit burst numbers. What are they? How can I find out (calculate or monitor and then apply) them? Please show me the logic.
P.S. I have a rate-limit on another VLAN interface:
interface Vlan4
 description Wi-Fi For Guests
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 140 128000 24000 24000 conform-action transmit exceed-action drop
 rate-limit output access-group 140 128000 24000 24000 conform-action transmit exceed-action drop
And it is working as I want: traffic does not exceed 128 Kbit/s.
Why this is not working:
interface Vlan3
 description INSIDE; PIX.KM4.RU
 ip address 172.16.11.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 150 64000 12000 12000 conform-action transmit exceed-action drop
 rate-limit output access-group 150 64000 12000 12000 conform-action transmit exceed-action drop
Thank you.
06-16-2009 10:12 AM
rate-limit is a legacy command but it should still work per your configuration.
After taking a closer look, you may want to verify the ACL 150 encompasses all traffic traversing that interface.
You can determine this by applying a rate-limit to all traffic (not just traffic within the 150 ACL) and see if the throughput is policed to 64kbps. If it's policed to 64kbps, then you need to troubleshoot your ACL.
As for the burst calculation, the recommended formula was illustrated in the link I posted previously for the rate-limit command.
__
Edison.
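The check suggested in the last reply, whether ACL 150 actually covers the traffic on the interface, can be worked through offline. The Python sketch below is an added example, not code from the thread or from Cisco: it evaluates a constructed subset of ACL 150 with wildcard-mask, first-match and time-range semantics, assumes only `ip` entries and a single `periodic daily` range, and the helper names are hypothetical.

```python
import ipaddress
from datetime import time

# Constructed subset of ACL 150 from the thread (remark and repeated pairs omitted).
ACL_150 = """\
deny ip host 192.168.11.212 any
deny ip any host 192.168.11.212
deny ip 192.168.99.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.99.0 0.0.0.255
permit ip any any time-range NIGHT
"""
# time-range NIGHT / periodic daily 00:00 to 06:59 (end minute inclusive)
TIME_RANGES = {"NIGHT": ((0, 0), (6, 59))}

def _addr(tok):
    """Consume one address spec from the token list; return (base, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_acl(text):
    """Parse 'action ip src dst [time-range NAME]' lines into tuples."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        tok = line.split()
        action, _proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        entries.append((action, src, dst, tok[1] if tok[:1] == ["time-range"] else None))
    return entries

def _hit(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def is_policed(entries, src, dst, now):
    """True when the first matching active entry is a permit (CAR polices the packet)."""
    for action, s, d, tr in entries:
        if tr:
            start, end = TIME_RANGES[tr]
            if not start <= (now.hour, now.minute) <= end:
                continue  # entry with an inactive time-range is skipped
        if _hit(src, s) and _hit(dst, d):
            return action == "permit"
    return False  # implicit deny: never handed to the rate limiter

ENTRIES = parse_acl(ACL_150)
```

Any flow that hits a deny line, or arrives outside 00:00 to 06:59, is not matched by the rate-limit statement and is forwarded unpoliced, so it still counts toward the interface load that the monitoring tools report.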