Rate limiting ftp/www

0rsnaric (Level 1)

I'm trying to rate limit ftp and www traffic out of our 20mb/s connection. The goal is to not let downloads exceed 2mb/s. Here is what I'm using and it doesn't seem to be working (router is a 2811 running 12.3(8)).

access-list 103 permit tcp any any eq www

access-list 104 permit tcp any any eq ftp

int fa0/1

rate-limit input access-group 103 2000000 250000 250000 conform-action transmit exceed-action drop

rate-limit input access-group 104 2000000 250000 250000 conform-action transmit exceed-action drop

rate-limit output access-group 103 2000000 250000 250000 conform-action transmit exceed-action drop

rate-limit output access-group 104 2000000 250000 250000 conform-action transmit exceed-action drop

I'm not really sure what I should be using for the burst numbers. I simply want to stop ftp or www from pulling more than 10% of the total 20mb/s bandwidth of interface fa0/1

Thanks for any help!

Rick


4 Replies

shivlu jain (Level 5), accepted solution

Actually, the burst numbers mean how much you allow for the pump.

rate-limit input access-group 104 2000000 2500 2500 conform-action transmit exceed-action drop

Use this because burst is always in bytes. Now the above list says the traffic can burst up to 2.5 Mb.

Also, I want to add one thing: you should use

access-list 103 permit tcp any any eq 443

regards

shivlu

Hi,

You can use a single ACL, 103:

access-list 103 permit tcp any any eq www

access-list 103 permit tcp any any eq 443

access-list 103 permit tcp any any eq ftp

access-list 103 permit tcp any any eq ftp-data

You can reduce the burst size, like this:

rate-limit input access-group 103 2000000 24000 32000 conform-action transmit exceed-action drop

HTH. Pls. rate all helpful posts.

BR

*aijaz*
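The burst values proposed so far (2500 bytes above, 24000/32000 in the consolidated line, 250000 in Rick's original) differ by two orders of magnitude, so here is an added example, not code from this thread or from Cisco, that models CAR's normal burst as a plain token bucket and applies Cisco's documented sizing rule for CAR: normal burst = rate in bps / 8 x 1.5 seconds, extended burst = 2 x normal burst. The TCP-like flow and the steady stream are constructed inputs, not measurements from Rick's router, and the extended-burst (probabilistic drop) behaviour is deliberately left out of the model:

```python
"""Token-bucket model of a CAR normal burst.

Added example, not code from the thread. CAR takes the rate in bits per
second and both burst values in bytes; Cisco's documented rule of thumb is
    normal burst   = rate_bps / 8 * 1.5      (1.5 s worth of bytes)
    extended burst = 2 * normal burst
Only the normal burst is modelled (a plain token bucket); the extended-burst
probabilistic drop is left out. All traffic below is constructed.
"""


def recommended_bursts(rate_bps):
    """Cisco's CAR sizing guidance: (normal_burst_bytes, extended_burst_bytes)."""
    normal = int(rate_bps / 8 * 1.5)
    return normal, 2 * normal


def simulate(rate_bps, burst_bytes, packets):
    """Run packets [(arrival_s, size_bytes), ...] (time-sorted) through a
    token bucket of burst_bytes refilled at rate_bps.
    Returns (conformed_packets, dropped_packets, conformed_bytes)."""
    tokens = float(burst_bytes)
    last = packets[0][0]
    conformed = dropped = conformed_bytes = 0
    for t, size in packets:
        tokens = min(float(burst_bytes), tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:          # conform-action transmit
            tokens -= size
            conformed += 1
            conformed_bytes += size
        else:                       # exceed-action drop
            dropped += 1
    return conformed, dropped, conformed_bytes


def tcp_window_bursts(rounds=20, window=10, mss=1500, rtt=0.1, link_bps=20e6):
    """Constructed TCP-like sender: one window of back-to-back full-size
    segments every RTT, serialised at link speed (1500 B at 20 Mb/s = 0.6 ms).
    10 x 1500 B per 100 ms is 1.2 Mb/s on average, under a 2 Mb/s policy."""
    gap = mss * 8 / link_bps
    return [(r * rtt + i * gap, mss) for r in range(rounds) for i in range(window)]


def steady_stream(seconds=20, pps=1000, mss=1500):
    """Constructed steady stream: 1000 x 1500 B per second = 12 Mb/s."""
    return [(i / pps, mss) for i in range(seconds * pps)]


def conformed_rate_bps(rate_bps, burst_bytes, packets, horizon_s):
    """Throughput that made it through the bucket over horizon_s seconds."""
    _, _, nbytes = simulate(rate_bps, burst_bytes, packets)
    return nbytes * 8 / horizon_s


if __name__ == "__main__":
    RATE = 2_000_000
    normal, extended = recommended_bursts(RATE)
    print(f"rule of thumb: rate-limit ... {RATE} {normal} {extended} ...")
    for burst in (2500, 250_000, normal):
        c, d, _ = simulate(RATE, burst, tcp_window_bursts())
        print(f"burst {burst:>7} B, 1.2 Mb/s bursty TCP flow: {c} conform, {d} dropped")
    for burst in (2500, normal):
        r = conformed_rate_bps(RATE, burst, steady_stream(), 20)
        print(f"burst {burst:>7} B, 12 Mb/s steady stream: {r / 1e6:.2f} Mb/s gets through")
```

For a 2000000 bps policy the rule gives 375000 and 750000 bytes. The bursty flow averages 1.2 Mb/s, below the 2 Mb/s limit, yet a 2500-byte bucket drops 160 of its 200 segments, because it holds less than two full-size packets; 250000 or 375000 bytes passes all of them. Against the steady 12 Mb/s stream either burst caps throughput near 2 Mb/s over 20 seconds, so a larger burst does not loosen the limit, it only stops the policer from punishing normal TCP windows. A burst that is too small therefore shows up as many drops at low utilisation; 60% utilisation with only 25 drops points at what the ACL classifies, not at the burst.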

Okay, that consolidation looks good. And I see that the burst rates are in bytes.

However...

I have this -

rate-limit input access-group 103 2000000 2500 2500 conform-action transmit exceed-action drop

rate-limit output access-group 103 2000000 2500 2500 conform-action transmit exceed-action drop

And we are still able to peg out the ELA circuit (20mb/s) at 60% with downloads. Only saw 25 packets exceed and get dropped. What numbers should I be using to get a maximum rate of 2mb/s?

Thanks!

Rick

Reply (accepted solution)

The inbound traffic resulting from downloading from web pages isn't bound to port 80, but is dynamic. If you want to rate-limit inbound FTP and WWW you need to expand the (inbound) ACL to

access-list 103 permit tcp any eq www any

access-list 103 permit tcp any eq ftp any

This is because the reply traffic (inbound) has a static source port (80 for HTTP) but a dynamic inbound port.
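To make the direction point concrete, an added example that is not from the thread: a small evaluator for the "permit tcp any [eq port] any [eq port]" entries used above, run over a constructed HTTP download as it would be seen on fa0/1, assumed here to be the 20 Mb/s circuit-facing interface. Port numbers follow the IOS keywords (www 80, ftp 21, ftp-data 20); the ephemeral client ports and the passive-FTP data port are made up for the example:

```python
"""Minimal evaluator for the extended ACL entries in this thread.

Added example, not code from the thread. Handles only the form
    access-list NNN permit tcp any [eq PORT] any [eq PORT]
which is all the thread uses; hosts other than 'any', port ranges and
deny entries are out of scope.
"""

PORT_KEYWORDS = {"www": 80, "ftp": 21, "ftp-data": 20}


def parse_ace(line):
    """Return (acl_number, src_port, dst_port); None means 'any port'."""
    toks = line.split()
    if toks[:1] != ["access-list"] or toks[2:4] != ["permit", "tcp"]:
        raise ValueError("unsupported ACE: " + line)
    rest = toks[4:]

    def take_endpoint():
        if not rest or rest.pop(0) != "any":
            raise ValueError("only 'any' hosts handled: " + line)
        if rest and rest[0] == "eq":
            rest.pop(0)
            name = rest.pop(0)
            return PORT_KEYWORDS.get(name) or int(name)
        return None

    src = take_endpoint()
    dst = take_endpoint()
    return toks[1], src, dst


def classify(acl_lines, sport, dport):
    """True if a TCP packet with these ports is matched by any entry, i.e.
    would be handed to the rate-limit statement referencing this ACL."""
    for _, src, dst in (parse_ace(line) for line in acl_lines):
        if (src is None or src == sport) and (dst is None or dst == dport):
            return True
    return False


# ACL 103 as consolidated in the thread: every entry keys on the destination
# port, so it only matches the request direction.
THREAD_ACL = [
    "access-list 103 permit tcp any any eq www",
    "access-list 103 permit tcp any any eq 443",
    "access-list 103 permit tcp any any eq ftp",
    "access-list 103 permit tcp any any eq ftp-data",
]
# The two entries the last reply adds: source port fixed, destination port any.
REPLY_ACL = [
    "access-list 103 permit tcp any eq www any",
    "access-list 103 permit tcp any eq ftp any",
]

# Constructed packets as seen on fa0/1, assumed to be the circuit-facing
# interface: (direction on fa0/1, tcp src port, tcp dst port, description).
# Ephemeral ports 51234-51236 and the passive data port 50123 are made up.
PACKETS = [
    ("output", 51234, 80, "HTTP GET from a LAN client"),
    ("input", 80, 51234, "HTTP response carrying the download"),
    ("output", 51235, 21, "FTP control channel"),
    ("input", 50123, 51236, "passive-mode FTP data, server-chosen port"),
]


def report(acl_lines):
    """Map each constructed packet's description to whether the ACL matches it."""
    return {desc: classify(acl_lines, s, d) for _, s, d, desc in PACKETS}


if __name__ == "__main__":
    for label, acl in (("thread ACL", THREAD_ACL),
                       ("thread + reply ACL", THREAD_ACL + REPLY_ACL)):
        print(label)
        hits = report(acl)
        for direction, s, d, desc in PACKETS:
            verdict = "match" if hits[desc] else "no match"
            print(f"  {direction:>6} {s:>5} -> {d:<5} {desc:<42} {verdict}")
```

The response packets carry source port 80 and a destination port chosen by the client, so "any any eq www" matches only the outbound GET; that is why the rate-limit input line on fa0/1 saw almost nothing to drop while the circuit filled. The "any eq www any" entries match the download itself. The last constructed packet is a caveat beyond the thread: passive-mode FTP data connections use a server-chosen port, so neither "eq ftp" nor "eq ftp-data" classifies them in either direction, and a port-based ACL cannot catch them.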
