Rate limiting at vlan interface on Cat6509

tdennehy, Level 1

I would like to rate limit the users on VLAN 2099 - it is for guest users. I have already put a filter on that VLAN to limit the protocols and it works fine. The rate-limiting does not work at all. Can someone tell me if I am missing something?

vlan access-map Filter_Guest 10
 match ip address Guest_WLAN_Restriction
 action forward
!
vlan filter Filter_Guest vlan-list 2099

ip access-list extended Guest_WLAN_Restriction
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq 80
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any

interface Vlan2099
 description = Dilbert_Development
 ip address 10.128.254.254 255.255.255.0
 ip helper-address 123.123.133.1
 ip helper-address 123.123.32.1
 rate-limit input access-group 175 64000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 175 64000 8000 8000 conform-action transmit exceed-action drop

27 Replies

Lei Tian, Cisco Employee

Hi,

CAR is the legacy way of doing rate limiting; have you tried a policy-map and policing instead?

HTH,

Lei Tian

I did try a policy-map and policing and it did not work. I believe I had it misconfigured since I read something last night that leads me to that conclusion.

allan.thomas, Level 8

Hi,

The only aspect of your description that I see has no correlation to what you are attempting to limit is the access-group 175. Under the rate-limit command you specify the match criteria as a specific access-group; do you have the ip access-list 175 configured? It does not appear within the information you have provided.

Regards

Allan.

Allan,

I forgot to put that in the question.  The ACL is as follows:

access-list 175 permit ip any any

I must be missing something... because it just isn't working!

Thanks,

Tim

I found this statement on this webpage:

"In order to enable CAR, you must enable Cisco Express Forwarding (CEF) on the box. In addition, you must configure a CEF-switched interface for CAR"

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a00800fb50a.shtml

I want to enable it on a VLAN, since the machines are downstream and not directly connected to this 6509. The VLAN interface is on the 6509.

Jim Coyne, Cisco Employee

ip access-list extended RATELIMIT
 permit ip any any
!
class-map RATELIMIT
 match access-group name RATELIMIT
!
policy-map RATELIMIT
 class RATELIMIT
  police 64000 8000 8000 conform-action transmit exceed-action drop
!
interface Vlan2099
 service-policy output RATELIMIT
 service-policy input RATELIMIT

Jim,

I tried that already. My policy is identical to yours, but I plugged yours in just in case I mistyped something. Your policy doesn't work either. I must be missing some other global command, is all I can think.

Here's what I have below. I have a laptop on my desk on that VLAN (IP 10.128.254.152); it can hit the speed test site on the internet and has unrestricted downloads and uploads.

mls qos
!
class-map match-all identify_Guest_WLAN_Ratelimit
 match access-group name Guest_WLAN_Ratelimit
class-map match-all RATELIMIT
 match access-group name RATELIMIT
!
policy-map police-WLAN-Guest-traffic
 class identify_Guest_WLAN_Ratelimit
  police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
policy-map RATELIMIT
 class RATELIMIT
  police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
!
interface Vlan2099
 description = Dilbert_Development
 ip address 10.128.254.254 255.255.255.0
 service-policy input RATELIMIT
 service-policy output RATELIMIT
!
ip access-list extended Guest_WLAN_Ratelimit
 permit ip any any
ip access-list extended RATELIMIT
 permit ip any any

Thanks,

Tim
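As an added illustration (not code from this thread or from Cisco), the following Python model shows what the `police cir 64000 bc 8000 be 8000 ... violate-action drop` statement above is asking the switch to do: a single-rate, three-colour token bucket in the RFC 2697 style, where bc is the committed bucket, be is the excess bucket, and the conform/exceed/violate result selects the configured action. The arrival patterns are constructed inputs, and the Catalyst 6500's PFC hardware policer is not reproduced bit for bit; the point is to see how many bytes a 64 kbit/s CIR with an 8000-byte burst actually lets through.

```python
"""Token-bucket model of an IOS single-rate, three-colour policer.

Added illustration, not Cisco code: it follows the RFC 2697 srTCM scheme
that `police cir <bps> bc <bytes> be <bytes>` describes, using the values
from the thread (cir 64000, bc 8000, be 8000). The Catalyst 6500 PFC
polices in hardware and is not reproduced exactly here.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple


@dataclass
class Policer:
    cir_bps: int                  # committed information rate, bits per second
    bc_bytes: int                 # committed burst: depth of the conform bucket
    be_bytes: int                 # excess burst: depth of the exceed bucket
    tc: int = field(init=False)   # tokens (bytes) in the committed bucket
    te: int = field(init=False)   # tokens (bytes) in the excess bucket
    last_ms: int = 0              # time of the previous packet, milliseconds

    def __post_init__(self) -> None:
        # Both buckets start full, as a freshly attached policer would.
        self.tc = self.bc_bytes
        self.te = self.be_bytes

    def _refill(self, now_ms: int) -> None:
        # Tokens accrue at CIR. Once the committed bucket is full the surplus
        # spills into the excess bucket, which is what lets a quiet host bank
        # a burst of up to bc + be bytes. Integer maths keeps the model exact.
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.tc += elapsed * self.cir_bps // 8000   # bit/s * ms / 8000 = bytes
        if self.tc > self.bc_bytes:
            self.te = min(self.be_bytes, self.te + self.tc - self.bc_bytes)
            self.tc = self.bc_bytes

    def offer(self, now_ms: int, size: int) -> str:
        """Classify one packet as conform, exceed or violate."""
        self._refill(now_ms)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


# conform-action / exceed-action / violate-action as in the thread's policy-map
ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


def simulate(policer: Policer, arrivals: Iterable[Tuple[int, int]]) -> Dict[str, int]:
    """Run (time_ms, size_bytes) arrivals through the policer and count both
    the colours and the resulting transmit/drop decisions."""
    counts = {"conform": 0, "exceed": 0, "violate": 0, "transmit": 0, "drop": 0}
    for t, size in arrivals:
        colour = policer.offer(t, size)
        counts[colour] += 1
        counts[ACTIONS[colour]] += 1
    return counts


def burst_demo() -> Dict[str, int]:
    # Constructed input: 20 x 1500-byte frames arriving at once. bc admits 5,
    # be admits 5 more, the remaining 10 are violate (and therefore dropped).
    return simulate(Policer(64000, 8000, 8000), [(0, 1500)] * 20)


def sustained_demo() -> Dict[str, int]:
    # Constructed input: 1000-byte frames every 50 ms = 160 kbit/s, 2.5x the
    # CIR, for 10 s. Roughly CIR x 10 s plus the initial burst gets through.
    return simulate(Policer(64000, 8000, 8000), [(i * 50, 1000) for i in range(200)])


if __name__ == "__main__":
    print("burst    :", burst_demo())
    print("sustained:", sustained_demo())
```

The sustained run is the one to compare against a speed test: with 2.5x the CIR offered, well over half the frames end up in exceed or violate, so a policer that is really in the forwarding path shows non-zero "exceeded" bytes almost immediately.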

What's the output of sh policy-map interface vlan 2099?

CSFC6503#sh policy-map interface vlan 2099

 Vlan2099

  Service-policy input: RATELIMIT

    class-map: RATELIMIT (match-all)
      Match: access-group name RATELIMIT
      police :
        64000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: RATELIMIT

    class-map: RATELIMIT (match-all)
      Match: access-group name RATELIMIT
      police :
        64000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        5190 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 5190 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Hi Tim,

I suspect that the traffic is falling into class-default, which is specifically for traffic that is not otherwise classified. As you have only one class, which consists of essentially everything, could you try configuring the policy-map as follows so that you only have the class class-default within it, and then try testing again:

policy-map RATELIMIT
 class class-default
  police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
!
interface Vlan2099
 description = Dilbert_Development
 ip address 10.128.254.254 255.255.255.0
 service-policy input RATELIMIT
 service-policy output RATELIMIT

Could you post the output of the show policy-map and show interface policy-map commands?

Thanks

Allan.

Allan,

Here is what the config looks like now:

policy-map RATELIMIT
 class class-default
  police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
!
class-map match-all RATELIMIT
 match access-group name RATELIMIT
!
ip access-list extended RATELIMIT
 permit ip any any
!
interface Vlan2099
 description = Dilbert_Development
 ip address 10.128.254.254 255.255.255.0
 service-policy input RATELIMIT
 service-policy output RATELIMIT

CSFC6503#sho policy-map
  Policy Map police-WLAN-Guest-traffic
    Class identify_Guest_WLAN_Ratelimit
      police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
  Policy Map RATELIMIT
    Class class-default
      police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop

CSFC6503#sh policy-map interface vlan 2099

 Vlan2099

  Service-policy input: RATELIMIT

    class-map: class-default (match-any)
      Match: any
      police :
        64000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps

  Service-policy output: RATELIMIT

    class-map: class-default (match-any)
      Match: any
      police :
        64000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        602 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 602 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps

CSFC6503#

Hi Tim,

From the show policy-map interface vlan2099, the outbound service-policy appears to have bytes matched.  To specifically test whether the policed cir is working you could revise the policy so that the conform action is set to drop, this will ensure that any traffic matched which conforms within the CIR is dropped directly.

This would prove that the policy is working as desired and that your testing is not exceeding the CIR. I would also configure the access-list to be more explicit: initially, configure it so that only your testing IP host is permitted to any, and any to your IP host. The example I provided in my previous post simply negates the requirement to have a separate access-list to match on, as the class class-default provides the same catch-all.

Regards

Allan.
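The two `sh policy-map interface vlan 2099` captures above and Allan's reading of them (bytes forwarded on the outbound policy, nothing on the inbound one, nothing exceeded either way) are the kind of check that is worth automating when several SVIs carry guest policies. The following Python is an added example, not from this thread or from Cisco: it parses that output format into per-direction, per-class counters and turns them into the three questions an engineer would ask next. The sample output is constructed to match the format and numbers Tim posted.

```python
"""Parse Catalyst 6500 `show policy-map interface` output and flag policers
that are attached but not seeing, or not policing, any traffic.

Added illustration, not from the thread or Cisco. SAMPLE below is a
constructed capture in the same layout as the thread's output.
"""
import re
from typing import Dict, List, Tuple

ClassKey = Tuple[str, str]   # (direction, class-map name)

POLICY_RE = re.compile(r"Service-policy (input|output): (\S+)")
CLASS_RE = re.compile(r"[Cc]lass-map: (\S+) \((match-\w+)\)")
RATE_RE = re.compile(r"(\d+) bps (\d+) limit (\d+) extended limit")
FWD_RE = re.compile(r"aggregate-forwarded (\d+) bytes action: (\w+)")
EXC_RE = re.compile(r"exceeded (\d+) bytes action: (\w+)")

SAMPLE = """\
Vlan2099

  Service-policy input: RATELIMIT

    class-map: RATELIMIT (match-all)
      Match: access-group name RATELIMIT
      police :
        64000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: RATELIMIT

    class-map: RATELIMIT (match-all)
      Match: access-group name RATELIMIT
      police :
        64000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        5190 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 5190 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
"""


def parse_policy_map_interface(text: str) -> Dict[ClassKey, dict]:
    """Walk the output line by line; counters belong to the most recent
    class-map under the most recent Service-policy heading."""
    stats: Dict[ClassKey, dict] = {}
    direction = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.search(line):
            direction, current = m.group(1), None
            continue
        if (m := CLASS_RE.search(line)) and direction:
            current = {"policed": False, "cir_bps": None,
                       "forwarded": 0, "exceeded": 0, "exceed_action": None}
            stats[(direction, m.group(1))] = current
            continue
        if current is None:
            continue
        if m := RATE_RE.search(line):          # only present under "police :"
            current["policed"] = True
            current["cir_bps"] = int(m.group(1))
        elif m := FWD_RE.search(line):
            current["forwarded"] = int(m.group(1))
        elif m := EXC_RE.search(line):
            current["exceeded"] = int(m.group(1))
            current["exceed_action"] = m.group(2)
    return stats


def diagnose(stats: Dict[ClassKey, dict]) -> List[str]:
    """Turn counters into next steps; classes without a police statement are skipped."""
    findings = []
    for (direction, name), s in sorted(stats.items()):
        if not s["policed"]:
            continue
        seen = s["forwarded"] + s["exceeded"]
        if seen == 0:
            findings.append(f"{direction} {name}: policer attached but 0 bytes matched; "
                            "traffic is not reaching this policy in this direction")
        elif s["exceeded"] == 0:
            findings.append(f"{direction} {name}: {seen} bytes matched, none exceeded; "
                            f"either the test stayed under {s['cir_bps']} bps or the "
                            "policer is not enforcing (a conform-action drop test proves it)")
        else:
            findings.append(f"{direction} {name}: policing, {s['exceeded']} bytes hit "
                            f"exceed-action {s['exceed_action']}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_policy_map_interface(SAMPLE)):
        print(line)
```

Run against the captured text this reports the input policy as never matched and the output policy as matched but never exceeded, which is exactly the state the thread is in before the trunk-side QoS question is raised.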

Allan,

I have another box that I use for testing, and I applied the config to it and it works. The main difference is that the machine I'm hitting the bandwidth server from is on copper, plugged into a copper port on the 6509.

The box that isn't working is a user that enters the box through a vlan trunk. What are the odds that traffic entering through a trunk isn't supported?

I'm going to go prove my theory in a few minutes.

Thanks,

Tim

Hi Tim,

That shouldn't be a problem. If that is the case, then I assume that you have not configured the physical trunk interface on the 6500 for VLAN-based QoS? If you haven't, could you add the command 'mls qos vlan-based' to the appropriate interface and try your tests again?

Regards

Allan.
