5771 Views, 0 Helpful, 4 Replies

Bandwidth Limit based on Source IP?

devils_advocate
Level 7

Hi

I am trying to think of a way to apply a bandwidth limit based upon Source IP subnet.

I need to have the ability to limit both the outbound and inbound traffic.

So I created the following config:

policy-map bw-limit-inbound
 class bw-limit-class
  police 10000

class-map match-any bw-limit-class
 match access-group 150

access-list 150 permit ip 172.16.99.0 0.0.0.255 any

If I apply the Service Policy inbound, it does police the upload to 100Kbps.

If I apply it outbound, it does nothing to the download.

Any reason for this?

I am applying this to an SVI.

Thanks


luckymike33
Level 1

Hi,

You would normally create a QoS policy which shapes traffic, and apply this outbound when you want to limit traffic rates in an outbound direction, i.e.:

class-map match-any TEST
 match access-group 140

policy-map LIMIT_OUTBOUND
 class TEST
  shape average 10000

int gi0/0
 service-policy LIMIT_OUTBOUND out

i.e. policing is used inbound, and shaping is normally used outbound. I hope this answers your question?

Very best wishes

Mike
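Mike's distinction between policing and shaping, shown as a toy token-bucket simulation. This is an added example, not code from the thread or from any Cisco platform: both functions share a single bucket of burst bytes refilled at rate bytes per second (a deliberate simplification of the real policer and shaper parameters), the policer drops whatever the bucket cannot pay for, and the shaper queues the packet until enough tokens accrue, so the same excess shows up as delay instead of loss. The packet trace is constructed.

```python
"""Policer versus shaper on the same burst, as a toy token-bucket simulation.

Added illustration, not code from the thread or from any Cisco platform: both
functions share a single bucket of 'burst' bytes refilled at 'rate' bytes per
second.  The policer drops what the bucket cannot pay for; the shaper holds the
packet until enough tokens accrue, so the excess shows up as delay, not loss.
"""


def _refill(tokens, last, now, rate, burst):
    """Credit the bucket for the time elapsed since 'last', capped at 'burst'."""
    return min(burst, tokens + (now - last) * rate), now


def police(packets, rate, burst):
    """packets: iterable of (arrival_time_s, size_bytes).
    Returns (forwarded, dropped): a packet the bucket cannot cover is dropped."""
    tokens, last = burst, 0.0
    forwarded = dropped = 0
    for t, size in sorted(packets):
        tokens, last = _refill(tokens, last, t, rate, burst)
        if size <= tokens:
            tokens -= size
            forwarded += 1
        else:
            dropped += 1            # exceed action: drop, no queueing
    return forwarded, dropped


def shape(packets, rate, burst):
    """Same inputs.  Returns (forwarded, max_delay_s): nothing is dropped, but a
    packet waits (FIFO) until the bucket can pay for it."""
    tokens, last = burst, 0.0       # 'last' is the previous departure time
    max_delay = 0.0
    forwarded = 0
    for t, size in sorted(packets):
        if size > burst:
            raise ValueError("packet larger than burst can never be sent")
        start = max(t, last)        # cannot overtake the packet ahead in the queue
        tokens, last = _refill(tokens, last, start, rate, burst)
        if size > tokens:
            last += (size - tokens) / rate   # wait for the missing tokens
            tokens = size
        tokens -= size
        forwarded += 1
        max_delay = max(max_delay, last - t)
    return forwarded, max_delay


# Constructed trace: five 1000-byte packets at once, then one a second later.
BURST_TRACE = [(0.0, 1000)] * 5 + [(1.0, 1000)]
RATE = 10_000       # bytes per second (80 kbit/s)
BUCKET = 2_000      # bytes of burst allowance

if __name__ == "__main__":
    print("policer (forwarded, dropped):", police(BURST_TRACE, RATE, BUCKET))
    print("shaper (forwarded, max delay s):", shape(BURST_TRACE, RATE, BUCKET))
```

With the constructed trace the policer forwards three packets and drops three, while the shaper forwards all six and the last packet of the burst leaves 0.3 s late; that delay is the queueing a shaper adds, which is why it is the usual choice on the sending side of a link and a policer on the receiving side.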


mlund
Level 7

You state that inbound works, which means that the access-list is OK: it says traffic coming from 172.16.99.0/24 going to any should match.

However, the return traffic is coming from any going to 172.16.99.0/24, so you have to add that into an access-list.

It will probably work with just adding:

access-list 150 permit ip any 172.16.99.0 0.0.0.255

/Mikael

devils_advocate
Level 7

Hi Guys

Just to update this thread, I figured out where I was going wrong!

As mentioned by Mikael, the ACL only shows traffic one way, hence why it was not applying the service policy to the download.

I have three subnets I want to police both outbound and inbound, so I started with three ACLs:

access-list 197 permit ip 172.16.97.0 0.0.0.255 any
access-list 197 permit ip any 172.16.97.0 0.0.0.255
access-list 198 permit ip 172.16.98.0 0.0.0.255 any
access-list 198 permit ip any 172.16.98.0 0.0.0.255
access-list 199 permit ip 172.16.99.0 0.0.0.255 any
access-list 199 permit ip any 172.16.99.0 0.0.0.255

I then created the relevant class maps:

class-map match-all vlan998-download
 match access-group 198
class-map match-all vlan999-download
 match access-group 199
class-map match-all vlan997-download
 match access-group 197

class-map match-all vlan998-upload
 match access-group 198
class-map match-all vlan999-upload
 match access-group 199
class-map match-all vlan997-upload
 match access-group 197

Then the service policies:

policy-map download-limit
 class vlan997-download
  police 2000000
 class vlan998-download
  police 3000000
 class vlan999-download
  police 4000000

policy-map upload-limit
 class vlan997-upload
  police 200000
 class vlan998-upload
  police 300000
 class vlan999-upload
  police 400000

Then finally applied those to the relevant SVI:

interface Vlan102
 ip vrf forwarding WAN2
 ip address 10.20.2.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 service-policy output download-limit
 service-policy input upload-limit
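
The point Mikael makes above, and the two-entries-per-subnet ACLs the update settles on, can be checked mechanically. The following is an added example, not configuration or code from the thread: a small Python audit that parses only the IOS syntax used in this thread (numbered "access-list N permit ip ..." entries, class-map with match access-group, policy-map with class, and service-policy input/output under an interface) and, for each applied policy, reports any subnet its ACL names only in the position that direction can never match. Traffic entering an SVI from the LAN carries the LAN subnet as its source, so an input policy needs the subnet as source; traffic leaving the SVI toward the LAN carries it as destination, so an output policy needs it as destination. The two sample configurations are constructed from the thread's original one-way ACL 150 and from the fixed version.

```python
"""Audit whether the ACL behind each class of an applied policy-map can match
traffic in the direction the policy is applied.

Added illustration, not code from the thread.  It understands only the IOS
syntax the thread uses: numbered 'access-list N permit ip SRC DST',
class-map / match access-group, policy-map / class, and 'service-policy
input|output NAME' (or 'NAME in|out') under an interface.
"""
import ipaddress
from collections import defaultdict

ANY = ipaddress.ip_network("0.0.0.0/0")


def endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A' or 'A WILDCARD') from tokens
    and return (network, remaining_tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_config(text):
    """Build lookup tables from an IOS-style configuration snippet."""
    cfg = {
        "acls": defaultdict(list),            # acl number -> [(src_net, dst_net)]
        "class_acl": {},                      # class-map name -> acl number
        "policy_classes": defaultdict(list),  # policy-map name -> [class names]
        "applied": [],                        # (interface, direction, policy-map)
    }
    context = (None, None)                    # which block the current line sits in
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = endpoint(t[4:])
            dst, _ = endpoint(rest)
            cfg["acls"][t[1]].append((src, dst))
        elif t[0] == "class-map":
            context = ("class", t[-1])
        elif t[0] == "policy-map":
            context = ("policy", t[1])
        elif t[0] == "interface":
            context = ("interface", t[1])
        elif t[:2] == ["match", "access-group"] and context[0] == "class":
            cfg["class_acl"][context[1]] = t[2]
        elif t[0] == "class" and context[0] == "policy":
            cfg["policy_classes"][context[1]].append(t[1])
        elif t[0] == "service-policy" and context[0] == "interface":
            if t[1] in ("input", "output"):
                direction, name = t[1], t[2]
            else:
                name, direction = t[1], {"in": "input", "out": "output"}[t[2]]
            cfg["applied"].append((context[1], direction, name))
    return cfg


def check_directions(cfg):
    """For every applied policy and class, list subnets the class's ACL names
    only in the position that direction can never match.  Traffic entering an
    SVI from the LAN has the LAN subnet as its source; traffic leaving the SVI
    toward the LAN has it as the destination."""
    findings = []
    for intf, direction, policy in cfg["applied"]:
        for cls in cfg["policy_classes"].get(policy, []):
            acl = cfg["class_acl"].get(cls)
            entries = cfg["acls"].get(acl, [])
            as_src = {s for s, _ in entries if s != ANY}
            as_dst = {d for _, d in entries if d != ANY}
            matched, unmatched = (as_src, as_dst) if direction == "input" else (as_dst, as_src)
            for subnet in sorted(unmatched - matched):
                findings.append((intf, direction, policy, cls, acl, str(subnet)))
    return findings


def audit(text):
    return check_directions(parse_config(text))


# Constructed from the thread: the original one-way ACL, applied in both directions.
ORIGINAL = """
access-list 150 permit ip 172.16.99.0 0.0.0.255 any
class-map match-any bw-limit-class
 match access-group 150
policy-map bw-limit-inbound
 class bw-limit-class
  police 10000
interface Vlan102
 service-policy input bw-limit-inbound
 service-policy output bw-limit-inbound
"""
# The fix Mikael suggested: a second entry matching the return traffic.
FIXED = ORIGINAL + "access-list 150 permit ip any 172.16.99.0 0.0.0.255\n"

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, audit(text) or "no direction mismatches")
```

Run as a script it reports one mismatch for the original configuration (the output policy on Vlan102, whose ACL 150 names 172.16.99.0/24 only as a source) and none once the return-direction entry is added, which is exactly the behaviour described in the thread.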


Hello
I have a similar need to rate limit as devils_advocate outlined above. I am trying to implement this on a Nexus 5596 running version 7.3(3)N1(1) with an L3 module. Everything works fine until I try to apply the "service-policy" statement to the SVI interface. The syntax is not recognized. Perhaps there is a feature I need to enable, or it may not be supported on NX-OS?

RtRivPD1-1(config-if)# service-policy acl-upload-limit
^
% Invalid command at '^' marker.
RtRivPD1-1(config-if)#

Would anyone have a workaround?

Thanks