
How to apply a command on a scheduled basis.

SludnevTN_2
Level 1

I want to apply rate-limit or service-policy to an interface at 00.00 and to revert back at 07.00 every day.

What are possible solutions?

Thank you.

9 Replies

Edison Ortiz
Hall of Fame

Tim,

Depending upon the IOS you are using, you can implement Cisco IOS EEM as a solution:

http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html

With that said, I don't recommend making changes in the config on routers as a routine. You can run into issues during a config change that can cause a router to reload.

Depending on the requirements, you can also look into Time-Based ACLs.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#timebasedtimerange

HTH,

__

Edison.

Yes!!! Thank you. Time based ACL. Here is the result:

time-range NIGHT
 periodic daily 00:00 to 06:59
!
access-list 150 remark This is to rate-limit almost everybody during NIGHT
access-list 150 deny ip host 192.168.11.212 any
access-list 150 deny ip any host 192.168.11.212
access-list 150 deny ip host 192.168.11.210 any
access-list 150 deny ip any host 192.168.11.210
access-list 150 deny ip 192.168.99.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 150 deny ip 192.168.16.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 150 deny ip 192.168.16.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 150 deny ip 192.168.12.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 150 deny ip host 192.168.11.203 any
access-list 150 deny ip any host 192.168.11.203
access-list 150 deny ip host 192.168.11.42 any
access-list 150 deny ip any host 192.168.11.42
access-list 150 permit ip any any time-range NIGHT
!
interface Vlan3
 description INSIDE
 ip address 172.16.11.2 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 150 128000 24000 24000 conform-action transmit exceed-action drop
 rate-limit output access-group 150 128000 24000 24000 conform-action transmit exceed-action drop

Anyway I still can not understand 24000 24000 - these numbers. I know the recommendation - (128k*1.5)/8 but it does not work. Why?

Thank you anyway.
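
Added example (not part of the original posts): a small Python model of how ACL 150 and the NIGHT time range above select traffic for the rate-limit, for checking which flows are policed at a given time. It assumes first-match evaluation, that an entry whose time range is inactive is skipped, and that the range runs through the end of minute 06:59; the function names and the test addresses are hypothetical.

```python
import ipaddress
from datetime import time

NIGHT = (time(0, 0), time(6, 59))  # periodic daily 00:00 to 06:59; end minute assumed inclusive
ACL_150 = """\
deny ip host 192.168.11.212 any
deny ip any host 192.168.11.212
deny ip host 192.168.11.210 any
deny ip any host 192.168.11.210
deny ip 192.168.99.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.99.0 0.0.0.255
deny ip 192.168.16.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.16.0 0.0.0.255
deny ip 192.168.16.0 0.0.0.255 192.168.12.0 0.0.0.255
deny ip 192.168.12.0 0.0.0.255 192.168.16.0 0.0.0.255
deny ip host 192.168.11.203 any
deny ip any host 192.168.11.203
deny ip host 192.168.11.42 any
deny ip any host 192.168.11.42
permit ip any any time-range NIGHT
"""

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def take_addr(tok):  # consume one address spec -> (address, wildcard)
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip_int(tok.pop(0)), 0
    return ip_int(first), ip_int(tok.pop(0))

def hit(spec, ip):
    addr, wild = spec          # wildcard bits set to 1 are "don't care"
    return (ip_int(ip) | wild) == (addr | wild)

def night_active(now):
    return NIGHT[0] <= now.replace(second=0, microsecond=0) <= NIGHT[1]

def rate_limited(src, dst, now):
    """True when ACL 150 permits the flow, i.e. the rate-limit applies to it."""
    for line in ACL_150.splitlines():
        action, _proto, *tok = line.split()
        s, d = take_addr(tok), take_addr(tok)
        if tok[:1] == ["time-range"] and not night_active(now):
            continue           # entry is inactive outside the time range
        if hit(s, src) and hit(d, dst):
            return action == "permit"   # first match wins
    return False               # implicit deny: the flow is not policed
```

The `deny` entries act as exemptions from the rate-limit, and under the stated assumption policing stops at 07:00:00 even though the range is written as ending at 06:59.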

Those numbers are the committed burst and exceeded burst values reflected in bytes.

What do you mean it does not work?

__

Edison.

Please rate helpful posts

I mean this - For example:

I want to rate-limit everybody to 128 Kbit/s. When I am checking interface traffic load with rate-limit applied - I see that it is really "rate-limited", but not to 128 Kbit/s - it is limited to 196-384 Kbit/s - Why? I am monitoring with IPSwitchGold and Advent Net Netflow. Can you please explain what these "burst rates" mean in real life? Is there any way to rate limit to REALLY xx Kbit/s?

Thank you.

What's the model of the device in question and IOS version?

BTW, I want to correct my previous reply.

Those numbers reflect 'burst normal' and 'burst max' (you will learn to love QoS and how similar the command variables are, NOT :)).

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_q1.html#wp1015612

Right now - C3845. But I saw the same issue on every device (C1[7,8]xx-C2[6,8,9]XX-C3[7,8]XX) worked with. I will try to read documentation again.

Apply the rate-limit on the physical port instead of the logical interface.

Software rate-limiters will try to average the limit down to the specified value, but that is hard to obtain on the multitude of traffic flows and patterns.

You can also look into using the police command with MQC instead of the legacy rate-limit command.

HTH,

__

Edison.

Thank you Edison.

I will use MQC a bit later. But first I want to understand why I do not have a result with CAR.

(I want to rate-limit to 64 Kbit/s but I see that traffic load is "floating" from 100 Kbit/s to 300 Kbit/s). Why?

Here are my questions:

1. If I will place rate limit to physical NAT outside interface - will it work? I am not sure that that acl #150 will work - it classifies nat inside hosts and "tunneled" networks from other regions. What do you think?

2. You advise me to avoid applying rate-limit to logical interfaces - is it from your experience or is it recommended by documentation? I know that if I am applying rate-limit to Dialer interface - it is not working. Till this moment I thought that it is not working because of incorrect burst-rates. It will never work there? I should replace it to physical interface.

3. I am very sorry, but I still can not understand rate-limit burst numbers. What are they? How can I find out (calculate or monitor and then apply) them? Please show me the logic.

P.S. I have a rate-limit on another VLAN interface:

interface Vlan4
 description Wi-Fi For Guests
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 140 128000 24000 24000 conform-action transmit exceed-action drop
 rate-limit output access-group 140 128000 24000 24000 conform-action transmit exceed-action drop

And it is working as I want: traffic does not exceed 128 Kbit/s.

Why is this not working:

interface Vlan3
 description INSIDE; PIX.KM4.RU
 ip address 172.16.11.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 150 64000 12000 12000 conform-action transmit exceed-action drop
 rate-limit output access-group 150 64000 12000 12000 conform-action transmit exceed-action drop

Thank you.

rate-limit is a legacy command but it should still work per your configuration.

After taking a closer look, you may want to verify the ACL 150 encompasses all traffic traversing that interface.

You can determine this by applying a rate-limit to all traffic (not just traffic within the 150 ACL) and see if the throughput is policed to 64kbps. If it's policed to 64kbps, then you need to troubleshoot your ACL.

As for the burst calculation, the recommended formula was illustrated in the link I posted previously for the rate-limit command.

__

Edison.
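
Added example (not part of the original posts): a Python token-bucket model of what the rate and burst values in `rate-limit ... 128000 24000 24000` mean for throughput measured over one-second windows. It assumes that with normal burst equal to max burst the policer behaves as a plain token bucket that starts full; the traffic sources, packet size and function names are constructed for illustration.

```python
def police(packets, rate_bps, burst_bytes):
    """Single token bucket: return the (time_ms, size_bytes) packets that conform.

    Assumption: normal burst == max burst (as in the thread's commands), so the
    policer is modelled as a plain token bucket that starts full.
    """
    tokens, last, passed = burst_bytes, 0, []
    for t, size in packets:
        # Refill at rate_bps/8 bytes per second, capped at the burst size.
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps // 8000)
        last = t
        if size <= tokens:          # conform-action transmit
            tokens -= size
            passed.append((t, size))
        # otherwise: exceed-action drop
    return passed

def kbps_per_window(passed, window_ms, total_ms):
    """Throughput seen by a monitor that averages over window_ms."""
    bins = [0] * (total_ms // window_ms)
    for t, size in passed:
        bins[t // window_ms] += size
    return [b * 8 / window_ms for b in bins]   # bits per ms == kbit/s

def offered(total_ms, on_ms, off_ms, gap_ms=10, size=1500):
    """Constructed source: 1500-byte packets every gap_ms while 'on'."""
    return [(t, size) for t in range(0, total_ms, gap_ms)
            if t % (on_ms + off_ms) < on_ms]

def demo():
    # Constant 1.2 Mbit/s source, then a source that sends 1 s and idles 2 s.
    steady = police(offered(10_000, 10_000, 0), 128_000, 24_000)
    bursty = police(offered(12_000, 1_000, 2_000), 128_000, 24_000)
    return (kbps_per_window(steady, 1_000, 10_000),
            kbps_per_window(bursty, 1_000, 12_000))

if __name__ == "__main__":
    steady, bursty = demo()
    print("steady source, kbit/s per second:", steady)
    print("on/off source, kbit/s per second:", bursty)
```

In this model a full bucket lets 24000 bytes through on top of the 16000 bytes per second refill, so any second that begins after an idle period shows well over 128 kbit/s, while the average over the whole run stays at or below the configured rate plus one burst.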
