Best way to limit HTTP traffic?

Tyara MM (Level 1)

I am using this but it lets one computer use all the speed:

policy-map main-in
  class http
    police cir 1000000
      conform-action transmit
      exceed-action drop
      violate-action drop

policy-map out
  class http
    shape average 1000000
    police cir 1000000 conform-action transmit exceed-action drop violate-action drop

7 Replies

Hi

Have you tried to match an ACL into the class-map?

For example (outbound):

access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq 80

class-map HTTP
 match access-group 100

or just:

 match protocol http




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Hello,

What platform is this configured on? Some platforms do not support egress policing.

Either way, in addition to Julio's post, here is what you could try:

access-list 101 permit tcp host 192.168.1.1 any eq www

class-map match-all http
 match protocol http
 match access-group 101

policy-map main-in
 class http
  police cir 1000000 187500 conform-action transmit exceed-action drop
 class class-default

Joseph W. Doherty (Hall of Fame)

Why are you shaping and policing in your "out" policy, especially at the same rate?

Yes, what you have would allow one or any combination of hosts to use the 1 Mbps you've limited HTTP to.  Could you further explain what you're trying to accomplish?

Tyara MM (Level 1)

Sorry for confusing everyone. I wrote the post in a hurry and didn't explain what I'm trying to do.

I already have the http class-map set up and it's capturing http traffic. The policer is also working fine.

As I said, with the current method it lets a single PC use all the bandwidth. Is there any way to limit it so one PC can't use all the bandwidth but is able to use a certain amount?

Hi

Have you tried using 'host' in the ACL and then applying the ACL to a class-map using the same scheme?

access-list 100 permit tcp host 192.168.1.10 any eq 80

class-map PC-HTTP
match access-group 100

policy-map POLICY
 class PC-HTTP
  police cir 1000000 187500 conform-action transmit exceed-action drop

Then apply the policy-map under the interface in the outbound direction.

If you execute: sh policy-map interface <interface>, you will see the class-default where the rest of the traffic is passing with no restrictions.


Outbound is not a problem since I can shape it. The problem is the inbound traffic. I can't shape it so if one PC uses all the traffic other PCs have their packets dropped because of the police. And it's not a particular PC. It can be any PC.

Have you tried something similar but modifying the ACL?

access-list 101 permit tcp any eq 80 host 192.168.1.10 

class-map PC-HTTP
match access-group 101

policy-map POLICY-IN
 class PC-HTTP
  police cir 1000000 187500 conform-action transmit exceed-action drop

And then apply it in the inbound direction? It should just be applied to the host 192.168.1.10; the rest of the traffic should be impacted.
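Carrying the last suggestion one step further, here is an added example (not configuration from any post in this thread) that gives each inside host its own inbound policer, so no single PC can consume the whole HTTP allowance; the interface name, host addresses and rates are constructed placeholders.

```cisco
! Added example, not from the thread: one policer per inside host on the
! inbound (WAN-facing) direction. Host addresses, rates and the interface
! name are constructed placeholders.
!
! Inbound from the WAN, the PC is the receiver of the HTTP responses, so the
! inside host is the ACL destination and the server port (80) is the source.
ip access-list extended HTTP-TO-PC1
 permit tcp any eq 80 host 192.168.1.10
ip access-list extended HTTP-TO-PC2
 permit tcp any eq 80 host 192.168.1.11
!
class-map match-all HTTP-PC1
 match access-group name HTTP-TO-PC1
class-map match-all HTTP-PC2
 match access-group name HTTP-TO-PC2
!
! Each class has its own token bucket: cir in bits per second, bc in bytes.
! 500000 bps with a 93750-byte burst is 1.5 s of burst at the policed rate,
! the same ratio as the 1000000 / 187500 policer used earlier in the thread.
policy-map HTTP-IN-PER-HOST
 class HTTP-PC1
  police cir 500000 93750 conform-action transmit exceed-action drop
 class HTTP-PC2
  police cir 500000 93750 conform-action transmit exceed-action drop
 class class-default
!
interface GigabitEthernet0/0
 description WAN-facing interface (placeholder name)
 service-policy input HTTP-IN-PER-HOST
!
! Verification: conformed and exceeded counters are reported per class,
! i.e. per host, so a host hitting its own limit is visible directly.
! show policy-map interface GigabitEthernet0/0 input
```

The per-host CIRs add up to the 1 Mbps total the thread started from, and a host without its own class falls into class-default, which here is left unpoliced; because this is inbound policing, the dropped packets have already crossed the WAN link, which is why shaping is not an option in this direction.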