Rate limiting not working

rts-net-support
Level 1

Hello all,

I have a problem using rate-limiting on a Cisco 831 (IOS 12.3(8)T11). We have the following situation. There is an IPSEC tunnel from the 831 to an external company. Within this we have a GRE tunnel for multicast traffic. One of our developers must receive multicast traffic from the other side, via the VPN. The problem is, there is too much traffic and I would like to be able to limit this, as this is seriously disrupting our normal internet access.

I have tried the following on the external interface of the 831:

rate-limit input 4000000 1000000 1000000 conform-action transmit exceed-action drop

rate-limit output 4000000 1000000 1000000 conform-action transmit exceed-action drop

Unless I got something wrong, this should limit all traffic to 4Mbps, with some bursts. However, this is not working at all. When we start receiving multicast traffic via the tunnel, the router is overloaded, 100% CPU usage and I can't do anything with it. Traffic monitoring on our border router shows the limiting didn't work at all.

Is there anything I am doing wrong? What can I do to limit this? Many thanks in advance.

Stefan

5 Replies

leonvd79
Level 4

Hello Stefan,

What does the CAR information for that particular interface tell you?

#show interface FastEthernet 0/0 rate-limit

Cisco recommends the following values for the normal and extended burst parameters:

normal burst = configured rate * (1 byte)/(8 bits) * 1.5 seconds

extended burst = 2 * normal burst

normal burst: 4,000,000 / 8 * 1.5 = 750,000

extended burst: 750,000 * 2 = 1,500,000

This results in the following configuration:

rate-limit input 4000000 750000 1500000 conform-action transmit exceed-action drop

rate-limit output 4000000 750000 1500000 conform-action transmit exceed-action drop

You can also rate-limit by traffic type using an access-list to classify the traffic that is subject to CAR. This way you can free up bandwidth for time-sensitive/mission-critical applications.

Refer to the command reference for rate-limit:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_r/qrfcmd8.htm#wp1037428

And the CAR configuration guide:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfcar.htm

HTH

Leon

* Please rate posts.

Hi Stefan,

You must try to apply the ACL as suggested by Leon. I just want to find out the result, as I am facing the same problem.

Thanks

leighharrison
Level 7

Hi there chaps,

The best thing to rate-limit multicast traffic is to use the command "ip multicast rate-limit" on your interface. Check out this link for specifics:-

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fiprmc_r/mult/1rfmult2.htm#wp1078547

If your processor is at 100%, then you may not have CEF enabled - turn that on with "ip cef" in global config mode.

Is your router set up to handle multicast traffic? You may be receiving the same stream several times for different hosts, which would defeat the point of multicast traffic. Have a look at configuring PIM on your 831 - failing that, is there any other node on your network that could act as an aggregate point for the traffic? This would cut down the amount of traffic flows. But in the meantime "ip multicast rate-limit" is the best way to rate limit multicast traffic.

Regards,

LH

Please rate all posts

I think it will also be helpful if you enable PIM sparse mode instead of PIM dense, unless you have already done so.

Hello all,

I replied yesterday but for some reason my post got lost, so I'll try again.

Here is an output of the interface rate-limit info:

cmegw#sh interfaces ethernet 1 rate-limit

Ethernet1 Internet Transit Network$ETH-LAN$$FW_OUTSIDE$

Input

matches: access-group 170

params: 4000000 bps, 1000000 limit, 1000000 extended limit

conformed 4110832 packets, 709858449 bytes; action: transmit

exceeded 0 packets, 0 bytes; action: drop

last packet: 8ms ago, current burst: 147 bytes

last cleared 1d06h ago, conformed 52000 bps, exceeded 0 bps

Output

matches: access-group 170

params: 4000000 bps, 1000000 limit, 1000000 extended limit

conformed 28961 packets, 3873956 bytes; action: transmit

exceeded 0 packets, 0 bytes; action: drop

last packet: 872ms ago, current burst: 0 bytes

last cleared 1d06h ago, conformed 0 bps, exceeded 0 bps

cmegw#

As you can see, exceeded bps is 0 but I can assure you this device was receiving data with 10Mbps. I have tried with and without ACL but it made no difference. Besides, this device is dedicated so limiting everything is acceptable. Yes, cef is enabled. PIM sparse mode is configured on the tunnel interface, PIM is configured.

The "ip multicast rate-limit" is a nice suggestion but you will notice that the command is not available in the IOS version I have (mentioned in the original post). I would like to keep the IOS upgrade as a last resort though. I can't understand though why the interface rate limiting didn't work.

Also, something strange. When the router is under heavy load due to multicast traffic, I do a "show proc cpu hist" and I see it at 100%. However, if I do a "show proc cpu sorted" there is NO process over 1-2%! Is that normal?
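
One way to sanity-check the CAR counters pasted in the post above, as an added example that is not code from any poster in this thread: it parses the Input block of the `show interfaces ... rate-limit` output, works out the average rate the policer actually counted since the counters were cleared, and compares the configured bursts with the formula quoted earlier in the thread. The function names are hypothetical, and the parser assumes the "last cleared" age uses the `1d06h` form shown in the post.

```python
import re

# Input-direction block copied from the "show interfaces ... rate-limit"
# output posted in the thread (blank lines removed).
SAMPLE = """\
Input
matches: access-group 170
params: 4000000 bps, 1000000 limit, 1000000 extended limit
conformed 4110832 packets, 709858449 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 8ms ago, current burst: 147 bytes
last cleared 1d06h ago, conformed 52000 bps, exceeded 0 bps
"""

def parse_car(text):
    """Pull the CAR parameters and counters out of one direction's block."""
    params = re.search(r"params:\s*(\d+) bps, (\d+) limit, (\d+) extended limit", text)
    conf = re.search(r"conformed (\d+) packets, (\d+) bytes", text)
    exc = re.search(r"exceeded (\d+) packets, (\d+) bytes", text)
    # Assumption: "last cleared" uses the <days>d<hours>h form seen in the post.
    age = re.search(r"last cleared (?:(\d+)d)?(\d+)h ago", text)
    if not (params and conf and exc and age):
        raise ValueError("unrecognised rate-limit block")
    return {
        "rate_bps": int(params.group(1)),
        "burst": int(params.group(2)),
        "ext_burst": int(params.group(3)),
        "conformed_bytes": int(conf.group(2)),
        "exceeded_packets": int(exc.group(1)),
        "window_s": (int(age.group(1) or 0) * 24 + int(age.group(2))) * 3600,
    }

def assess(car):
    """Compare what the policer counted with what it was configured for."""
    avg_bps = car["conformed_bytes"] * 8 / car["window_s"]
    normal = car["rate_bps"] // 8 * 3 // 2   # rate * (1 byte / 8 bits) * 1.5 s
    return {
        "avg_conformed_bps": round(avg_bps),
        "share_of_rate": round(avg_bps / car["rate_bps"], 4),
        "recommended_burst": (normal, 2 * normal),
        "burst_as_recommended": (car["burst"], car["ext_burst"]) == (normal, 2 * normal),
        # False means the policer never counted a single packet over the limit.
        "policer_saw_overload": car["exceeded_packets"] > 0,
    }

if __name__ == "__main__":
    print(assess(parse_car(SAMPLE)))
```

On the posted counters the average conformed rate is a little over 1% of the configured 4 Mbps with no exceeded packets, so whatever was loading the link was not being counted by this rate-limit statement.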