Rate limit on subinterface

Unanswered Question
Dec 21st, 2009

I need to solve to a scenario. The remote sites are being monitored by IP cameras from head office on 2 Mbps link . the IT team has apparently no control over cameras so i need to rate limit the IP cameras traffic on branch router. The Video traffic is coming on dedicated seperate subinterface on LAN . How can i limit it to use a max of 128Kbps WAN link

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Reza Sharifi Mon, 12/21/2009 - 10:50

Hi Omair,

If you want to rate limit your 2 Mb WAN link to 128000 for certain IP segment you can try some thing like this example:

Interface s0/0

rate-limit input access-group 101 128000 24000 48000 conform-action transmit exceed-action drop
ip address a.b.c.d
rate-limit output access-group 101 200000 24000 48000 conform-action transmit exceed-action drop

access-list 101 permit ip  ( is the IP adress segment for your cameras)

Also, please refer to this document for more info on rate limiting




Marwan ALshawi Mon, 12/21/2009 - 17:44

You can use rate limiting using CAR as mentioned by Reza Post

or you could use MQC for this limiting to police the cameras traffic to max of 128 K

lets assume your cameras IPs and

access-list 100 permit ip host any

access-list 100 permit ip host any

class-map IP_CAMERA

match access-group 100

policy-map POLICE


police cir 128000

then in your remote site ( where the cameras setup ) apply the above policy i on your WAN link in the outbound direction

int x/x

service-policy output POLICE

to verify it

show policy-map int x/x

good luck

if helpful Rate

omair.siddiqui Wed, 12/23/2009 - 12:53

Thanks for reza and marwan!!! Thats really helpful. The IP cameras resides att braches and braches are using 1811 router (with 8 port builtin switch) On 1811  VLANs are created, video vlan is seperated there.. Whynot i apply MQC or ratelimit on video VLAN. or would i need to deploy it WAN itnerface of 1811. Thanks

sachinraja Wed, 12/23/2009 - 12:59

Hi Omair

Its better to do it at the WAN router, as reza mentioned.. on routers you can have modular qos configurations applied which makes it easier to manage.. on switches you might find it tough to implement prioritization, policing, based on your switch model.. also as a best practice, you can mark packets (video/voice/data) at the edge, and have qos policing done on your exit point , which is the wan router.. i think you are on the right track restricting traffic on routers...

Hope this helps..


omair.siddiqui Wed, 12/23/2009 - 13:03

Thanks Sachin;

I agree with you. Actually 1811 is router as well as 8 port switch. Therefore i am curious to know the best place is VLAN or WAN interface?

sachinraja Wed, 12/23/2009 - 13:12

Hi Omair

If it is going to be rate-limiting, then you can do it on the LAN interface, for the incoming traffic... but if you want to do class based policers, you can apply it on the outgoing interface, since that is the point you want to restrict the traffic...

Hope this helps.. all the best..


Reza Sharifi Wed, 12/23/2009 - 13:05

Hi Omair,

You should deploy it on the outbound interface of you WAN.

How many camera you are deploying at the branch office and what speed?

I know most cameras use 10/100/1000 coming out of the encoder to the switch.

If you have a lot of camera, you should think about using Muticast.

If memory serves me right, the camera do about 5MB each. Of course some of the new camera do HD also.



omair.siddiqui Thu, 12/24/2009 - 03:49

I personally visit the customer premises and find out that instead of IP cameras they are using 16 plain camereas that are connected to a server with DVR cards. So essentially i will have to play with a single IP address rather than 16 IP addresses. I am not quite sure if 256 K is enough for 16 cameras (2 are rotating cameras).

The cameras portion comes under different dept and we do not have control over it so the only thing we can do is to configure our router to limit it.


This Discussion