02-25-2008 02:22 PM - edited 03-03-2019 08:51 PM
I'm trying to rate limit ftp and www traffic out of our 20mb/s connection. The goal is to not let downloads exceed 2mb/s. Here is what I'm using and it doesn't seem to be working (router is a 2811 running 12.3(8)).
access-list 103 permit tcp any any eq www
access-list 104 permit tcp any any eq ftp
int fa0/1
rate-limit input access-group 103 2000000 250000 250000 conform-action transmit exceed-action drop
rate-limit input access-group 104 2000000 250000 250000 conform-action transmit exceed-action drop
rate-limit output access-group 103 2000000 250000 250000 conform-action transmit exceed-action drop
rate-limit output access-group 104 2000000 250000 250000 conform-action transmit exceed-action drop
I'm not really sure what I should be using for the burst numbers. I simply want to stop ftp or www from pulling more than 10% of the total 20mb/s bandwidth of interface fa0/1.
Thanks for any help!
Rick
02-25-2008 09:14 PM
Actually, the burst numbers mean how much you allow for the pump.
rate-limit input access-group 104 2000000 2500 2500 conform-action transmit exceed-action drop
Use this, because the burst is always in bytes. Now the above line says the traffic can burst up to 2.5 Mb.
Also, I want to add one thing: you should use
access-list 103 permit tcp any any eq 443
regards
shivlu
02-26-2008 09:56 AM
The inbound traffic resulting from downloading from webpages isn't bound to port 80, but is dynamic. If you want to rate-limit inbound ftp and www you need to expand the (inbound) ACL to
access-list 103 permit tcp any eq www any
access-list 103 permit tcp any eq ftp any
This is because the reply traffic (inbound) has a static source port (80 for http) but a dynamic inbound port.
02-26-2008 04:42 AM
Hi,
You can use a single ACL 103:
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
You can reduce the burst size, like this:
rate-limit input access-group 103 2000000 24000 32000 conform-action transmit exceed-action drop
HTH. Pls. rate all helpful posts.
BR
*aijaz*
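To make the two points in this thread concrete (shivlu's and aijaz's remarks that the burst values are bytes, and the 02-26 09:56 reply that download traffic arrives with a static source port and a dynamic destination port), here is an added Python model of a CAR rate-limit line fed by an ACL match. It is not Cisco code and not from any poster; it assumes a simplified single token bucket of normal-burst bytes (the extended-burst / compounded-debt behaviour of CAR is not modelled), constructed sample traffic (one HTTP download arriving inbound at about 10 Mb/s for 2 s), and the commonly cited rule of thumb of normal burst = rate x 1.5 s / 8 for the 375000-byte case.

```python
"""Token-bucket model of a Cisco IOS CAR 'rate-limit' line, selected by an
ACL match, to show why the direction of the ACL ports matters and what the
burst parameter does.  Added example for this thread, not Cisco code; the
policer is simplified to one bucket of normal-burst bytes (extended burst
and compounded debt are not modelled)."""
from dataclasses import dataclass

WWW, FTP, FTP_DATA = 80, 21, 20


@dataclass
class Pkt:
    t_us: int      # arrival time in microseconds
    sport: int     # TCP source port
    dport: int     # TCP destination port
    size: int      # bytes on the wire


def acl_dst(*ports):
    """'permit tcp any any eq PORT' lines: match on the destination port."""
    return lambda p: p.dport in ports


def acl_src(*ports):
    """'permit tcp any eq PORT any' lines: match on the source port."""
    return lambda p: p.sport in ports


class Car:
    """rate-limit <bps> <normal-burst> ... conform-action transmit exceed-action drop
    The bucket holds at most `burst_bytes` and refills at bps/8 bytes per second."""

    def __init__(self, bps, burst_bytes):
        self.bytes_per_sec = bps // 8
        self.cap = burst_bytes
        self.tokens = burst_bytes
        self.last_us = 0

    def offer(self, p):
        # integer refill: floor(elapsed * rate); exact for the sample timing below
        refill = (p.t_us - self.last_us) * self.bytes_per_sec // 1_000_000
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_us = p.t_us
        if p.size <= self.tokens:       # conform-action transmit
            self.tokens -= p.size
            return True
        return False                     # exceed-action drop


def simulate(packets, acl, bps, burst_bytes):
    """Push packets through one interface direction. Returns byte counts:
    'unmatched' bypass the policer; matched packets are 'transmitted' or 'dropped'."""
    car = Car(bps, burst_bytes)
    out = {"unmatched": 0, "transmitted": 0, "dropped": 0}
    for p in packets:
        if not acl(p):
            out["unmatched"] += p.size
        elif car.offer(p):
            out["transmitted"] += p.size
        else:
            out["dropped"] += p.size
    return out


def inbound_download(n=1667, gap_us=1200, size=1500):
    """Constructed sample: an HTTP download arriving inbound at ~10 Mb/s
    (1500 B every 1.2 ms) for ~2 s; server side port 80, client side ephemeral."""
    return [Pkt(i * gap_us, sport=WWW, dport=51234, size=size) for i in range(n)]


def scenarios():
    pkts = inbound_download()
    return {
        # the consolidated ACL as posted, applied inbound: destination ports only
        "dst-port acl": simulate(pkts, acl_dst(WWW, 443, FTP, FTP_DATA), 2_000_000, 375_000),
        # reply-direction ACL (source port 80/20), normal burst = 1.5 s worth of 2 Mb/s
        "src-port acl, burst 375000": simulate(pkts, acl_src(WWW, FTP_DATA), 2_000_000, 375_000),
        # same ACL with the 2500-byte burst suggested in the thread
        "src-port acl, burst 2500": simulate(pkts, acl_src(WWW, FTP_DATA), 2_000_000, 2_500),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        offered = sum(r.values())
        passed = r["unmatched"] + r["transmitted"]
        print(f"{name:28s} offered={offered} passed={passed} dropped={r['dropped']}")
```

The first scenario reproduces the symptom in the thread: an inbound `any any eq www` ACL never matches download data (destination port 51234, not 80), so the policer sees nothing, almost no packets are counted as exceeding, and the full 10 Mb/s passes. With the source-port ACL the policer engages, and the two burst values show what the burst parameter controls: 375000 bytes lets the first ~0.3 s of the download through at line rate and then settles to one 1500-byte packet per 6 ms (exactly 2 Mb/s), while 2500 bytes gives no initial allowance at all but the same 2 Mb/s long-run rate. One caveat a port-based ACL cannot fix in either direction: passive-mode FTP data connections use negotiated ports on both ends, so neither `eq ftp-data` form matches them.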
02-26-2008 09:32 AM
Okay, that consolidation looks good. And I see that the burst rates are in bytes.
However...
I have this -
rate-limit input access-group 103 2000000 2500 2500 conform-action transmit exceed-action drop
rate-limit output access-group 103 2000000 2500 2500 conform-action transmit exceed-action drop
And we are still able to peg out the ELA circuit (20mb/s) at 60% with downloads. Only saw 25 packets exceed and get dropped. What numbers should I be using to get a maximum rate of 2mb/s?
Thanks!
Rick