I have a problem using rate-limiting on a Cisco 831 (IOS 12.3(8)T11). We have the following situation. There is an IPSEC tunnel from the 831 to an external company. Within this we have a GRE tunnel for multicast traffic. One of our developers must receive multicast traffic from the other side, via the VPN. The problem is, there is too much traffic and I would like to be able to limit this, as this is seriously disrupting our normal internet access.
I have tried the following on the external interface of the 831:
rate-limit input 4000000 1000000 1000000 conform-action transmit exceed-action drop
rate-limit output 4000000 1000000 1000000 conform-action transmit exceed-action drop
Unless I got something wrong, this should limit all traffic to 4Mbps, with some bursts. However, this is not working at all. When we start receiving multicast traffic via the tunnel, the router is overloaded, 100% CPU usage and I can't do anything with it. Traffic monitoring on our border router shows the limiting didn't work at all.
Is there anything I am doing wrong? What can I do to limit this? Many thanks in advance.
If your processor is at 100%, then you may not have CEF enabled - turn that on with "ip cef" in global config mode.
Is your router set up to handle multicast traffic? You may be receiving the same stream several times for different hosts, which would defeat the point of multicast traffic. Have a look at configuring PIM on your 831 - failing that, is there any other node on your network that could act as an aggregate point for the traffic? This would cut down the amount of traffic flows. But in the meantime "ip multicast rate-limit" is the best way to rate limit multicast traffic.
last cleared 1d06h ago, conformed 0 bps, exceeded 0 bps
As you can see, exceeded bps is 0 but I can assure you this device was receiving data with 10Mbps. I have tried with and without ACL but it made no difference. Besides, this device is dedicated so limiting everything is acceptable. Yes, cef is enabled. PIM sparse mode is configured on the tunnel interface, PIM is configured.
The "ip multicast rate-limit" is a nice suggestion but you will notice that the command is not available in the IOS version I have (mentioned in the original post). I would like to keep the IOS upgrade as a last resort though. I can't understand though why the interface rate limiting didn't work.
Also, something strange. When the router is under heavy load due to multicast traffic, I do a "show proc cpu hist" and I see it at 100%. However, if I do a "show proc cpu sorted" there is NO process over 1-2%! Is that normal?