
New Member

Rate limiting at vlan interface on Cat6509

I would like to rate limit the users on vlan 2099 - it is for guest users. I have already put a filter on that vlan to limit the protocols and it works fine. The rate-limiting does not work at all. Can someone tell if I am missing something?

vlan access-map Filter_Guest 10
 match ip address Guest_WLAN_Restriction
 action forward
!
vlan filter Filter_Guest vlan-list 2099
ip access-list extended Guest_WLAN_Restriction
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq 80
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any
interface Vlan2099
 description = Dilbert_Development
 ip address 10.128.254.254 255.255.255.0
 ip helper-address 123.123.133.1
 ip helper-address 123.123.32.1
 rate-limit input access-group 175 64000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 175 64000 8000 8000 conform-action transmit exceed-action drop

Cisco Employee

Re: Rate limiting at vlan interface on Cat6509

Hi,

CAR is the legacy way of doing rate limiting; have you tried policy-map and policing instead?

HTH,

Lei Tian

New Member

Re: Rate limiting at vlan interface on Cat6509

I did try a policy-map and policing and it did not work. I believe I had it misconfigured since I read something last night that leads me to that conclusion.

Re: Rate limiting at vlan interface on Cat6509

Hi,

The only aspect from your description that I see has no correlation to what you are attempting to limit is the access-group 175.  Under the rate-limit command you specify the match criteria as a specific access-group, do you have the ip access-list 175 configured as it does not appear within the information you have provided?

Regards

Allan.

New Member

Re: Rate limiting at vlan interface on Cat6509

Allan,

I forgot to put that in the question.  The ACL is as follows:

access-list 175 permit ip any any

I must be missing something... because it just isn't working!

Thanks,

Tim

New Member

Re: Rate limiting at vlan interface on Cat6509

I found this statement on this webpage:

"In order to enable CAR, you must enable Cisco Express Forwarding (CEF) on the box. In addition, you must configure a CEF-switched interface for CAR"

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a00800fb50a.shtml

I want to enable it on a VLAN, since the machines are downstream and not directly connected to this 6509. The VLAN interface is on the 6509.

Cisco Employee

Re: Rate limiting at vlan interface on Cat6509

ip access-list extended RATELIMIT
 permit ip any any
!
class-map RATELIMIT
 match access-group name RATELIMIT
!
policy-map RATELIMIT
 class RATELIMIT
  police 64000 8000 8000 conform-action transmit exceed-action drop
!
int Vlan 2099
 service-policy output RATELIMIT
 service-policy input RATELIMIT

New Member

Re: Rate limiting at vlan interface on Cat6509

Jim,

I tried that already. My policy is identical to yours, but I plugged yours in just in case I mistyped something. Your policy doesn't work either. I must be missing some other global command is all I can think.

Here's what I have below. I have a laptop on my desk on that vlan, IP is 10.128.254.152, and can hit the speed test site on the internet and has unrestricted downloads and uploads.

mls qos
!
class-map match-all identify_Guest_WLAN_Ratelimit
 match access-group name Guest_WLAN_Ratelimit
class-map match-all RATELIMIT
 match access-group name RATELIMIT
!
!
policy-map police-WLAN-Guest-traffic
 class identify_Guest_WLAN_Ratelimit
  police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
policy-map RATELIMIT
 class RATELIMIT
  police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
interface Vlan2099
 description = Dilbert_Development
 ip address 10.128.254.254 255.255.255.0
 service-policy input RATELIMIT
 service-policy output RATELIMIT
ip access-list extended Guest_WLAN_Ratelimit
 permit ip any any
ip access-list extended RATELIMIT
 permit ip any any

Thanks,

Tim

Cisco Employee

Re: Rate limiting at vlan interface on Cat6509

What's the output of sh policy-map interface vlan 2099?

New Member

Re: Rate limiting at vlan interface on Cat6509

CSFC6503#sh policy-map interface vlan 2099
 Vlan2099
  Service-policy input: RATELIMIT
    class-map: RATELIMIT (match-all)
      Match: access-group name RATELIMIT
      police :
        64000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
  Service-policy output: RATELIMIT
    class-map: RATELIMIT (match-all)
      Match: access-group name RATELIMIT
      police :
        64000 bps 8000 limit 8000 extended limit
      Earl in slot 5 :
        5190 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 5190 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

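The policer counters in the `sh policy-map interface vlan 2099` output above show whether each direction's policer is seeing any traffic at all. As an added example (not part of the thread and not a Cisco tool), this Python script parses that output and lists the directions whose policer has matched no bytes; the function names `parse_policers` and `idle_policers` are hypothetical, and the sample is a trimmed copy of the posted output.

```python
import re

# Constructed sample: the policer lines from the output posted in the thread,
# with blank lines and the class-default sections removed.
SAMPLE = """\
Vlan2099
Service-policy input: RATELIMIT
class-map: RATELIMIT (match-all)
police :
64000 bps 8000 limit 8000 extended limit
Earl in slot 5 :
0 bytes
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Service-policy output: RATELIMIT
police :
64000 bps 8000 limit 8000 extended limit
Earl in slot 5 :
5190 bytes
aggregate-forwarded 5190 bytes action: transmit
exceeded 0 bytes action: drop
"""

def parse_policers(text):
    """Return {direction: {"policy", "cir_bps", "forwarded", "exceeded"}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Service-policy (input|output): (\S+)", line)
        if m:  # start of a new direction block
            current = result.setdefault(m.group(1), {"policy": m.group(2)})
        elif current is not None:
            if m := re.match(r"(\d+) bps \d+ limit", line):
                current["cir_bps"] = int(m.group(1))
            elif m := re.match(r"aggregate-forwarded (\d+) bytes", line):
                current["forwarded"] = int(m.group(1))
            elif m := re.match(r"exceeded (\d+) bytes", line):
                current["exceeded"] = int(m.group(1))
    return result

def idle_policers(stats, min_bytes=1):
    """Directions whose policer counted fewer than min_bytes in total."""
    return sorted(d for d, s in stats.items()
                  if s.get("forwarded", 0) + s.get("exceeded", 0) < min_bytes)

if __name__ == "__main__":
    stats = parse_policers(SAMPLE)
    print(stats, idle_policers(stats))
```

Raising `min_bytes` to the volume a test transfer should have produced also flags a direction, like the output side here, whose counters are far too low for the traffic actually sent.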