Cisco Support Community
Community Member

Rate limiting ftp/www

I'm trying to rate limit ftp and www traffic out of our 20mb/s connection. The goal is to not let downloads exceed 2mb/s. Here is what I'm using and it doesn't seem to be working (router is a 2811 running 12.3(8)).

access-list 103 permit tcp any any eq www

access-list 104 permit tcp any any eq ftp

int fa0/1

rate-limit input access-group 103 2000000 250000 250000 conform-action transmit exceed-action drop

rate-limit input access-group 104 2000000 250000 250000 conform-action transmit exceed-action drop

rate-limit output access-group 103 2000000 250000 250000 conform-action transmit exceed-action drop

rate-limit output access-group 104 2000000 250000 250000 conform-action transmit exceed-action drop

I'm not really sure what I should be using for the burst numbers. I simply want to stop ftp or www from pulling more than 10% of the total 20mb/s bandwidth of interface fa0/1.

Thanks for any help!

Rick

2 ACCEPTED SOLUTIONS

4 REPLIES
Silver

Re: Rate limiting ftp/www

Actually, the burst numbers mean how much you allow for the pump.

rate-limit input access-group 104 2000000 2500 2500 conform-action transmit exceed-action drop

Use this because burst is always in bytes. Now the above list says the traffic can burst up to 2.5 Mb.

Also, I want to add one thing: you should use

access-list 103 permit tcp any any eq 443

regards

shivlu

Bronze

Re: Rate limiting ftp/www

Hi,

You can use a single ACL, 103:

access-list 103 permit tcp any any eq www

access-list 103 permit tcp any any eq 443

access-list 103 permit tcp any any eq ftp

access-list 103 permit tcp any any eq ftp-data

You can reduce the burst size like this:

rate-limit input access-group 103 2000000 24000 32000 conform-action transmit exceed-action drop

HTH. Pls. rate all helpful posts.

BR

*aijaz*

Community Member

Re: Rate limiting ftp/www

Okay, that consolidation looks good. And I see that the burst rates are in bytes.

However...

I have this -

rate-limit input access-group 103 2000000 2500 2500 conform-action transmit exceed-action drop

rate-limit output access-group 103 2000000 2500 2500 conform-action transmit exceed-action drop

And we are still able to peg out the ELA circuit (20mb/s) at 60% with downloads. Only saw 25 packets exceed and get dropped. What numbers should I be using to get a maximum rate of 2mb/s?

Thanks!

Rick

Community Member

Re: Rate limiting ftp/www

The inbound traffic resulting from downloading from webpages isn't bound to port 80, but is dynamic. If you want to rate-limit inbound ftp and www you need to expand the (inbound) ACL to

access-list 103 permit tcp any eq www any

access-list 103 permit tcp any eq ftp any

This is because the reply traffic (inbound) has a static source port (80 for HTTP) but a dynamic inbound port.
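The two points the thread turns on, the direction of the ACL match and the meaning of the burst values, can be checked offline with a small model. The Python below is an added example written for this page, not configuration or code from any poster or from Cisco. It models an HTTP download as server replies from source port 80 to a constructed client port (51234) arriving at a constant 12 Mbit/s, runs them through an ACL in the original form (`any any eq www`) and in the reply form (`any eq www any`), and polices matched packets with a single token bucket standing in for CAR's normal burst. CAR's extended-burst "compounded debt" behaviour and TCP's reaction to drops are not modelled; `car_burst_sizes` applies the sizing rule from Cisco's CAR documentation (normal burst = rate × 1.5 s ÷ 8, extended = 2 × normal, both in bytes). Burst values are bytes, so `2500` here is 2500 bytes (20 kbit), not 2.5 Mbit.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

WWW, FTP = 80, 21
ANY: Optional[int] = None  # port wildcard, like "any" in an IOS ACL


@dataclass(frozen=True)
class Packet:
    t_ms: int        # arrival time, milliseconds (constructed)
    src_port: int
    dst_port: int
    size: int        # bytes on the wire


@dataclass(frozen=True)
class AclEntry:
    """One 'permit tcp <src> [eq port] <dst> [eq port]' line, ports only."""
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        return ((self.src_port is ANY or p.src_port == self.src_port) and
                (self.dst_port is ANY or p.dst_port == self.dst_port))


def car_burst_sizes(rate_bps: int) -> tuple[int, int]:
    """Cisco's documented CAR sizing rule: normal burst = rate * 1.5 s / 8 bits,
    extended burst = 2 * normal. Returns (normal, extended) in bytes."""
    normal = rate_bps * 3 // 16
    return normal, 2 * normal


class TokenBucketPolicer:
    """Single token bucket, i.e. the normal-burst part of CAR. Tokens (bytes)
    refill at the configured rate up to the burst depth; a packet conforms only
    if the bucket holds at least its size. Extended burst is not modelled."""

    def __init__(self, rate_bps: int, normal_burst_bytes: int) -> None:
        self.rate_per_ms = Fraction(rate_bps, 8 * 1000)  # bytes per millisecond
        self.depth = Fraction(normal_burst_bytes)
        self.tokens = Fraction(normal_burst_bytes)       # bucket starts full
        self.last_ms = 0

    def conforms(self, p: Packet) -> bool:
        elapsed = p.t_ms - self.last_ms
        self.tokens = min(self.depth, self.tokens + elapsed * self.rate_per_ms)
        self.last_ms = p.t_ms
        if self.tokens >= p.size:
            self.tokens -= p.size
            return True
        return False


def inbound_download(duration_ms: int, size: int = 1500, client_port: int = 51234) -> list[Packet]:
    """Constructed HTTP download: the server answers from port 80 to the client's
    ephemeral port, one full-size segment every millisecond (12 Mbit/s offered)."""
    return [Packet(t, WWW, client_port, size) for t in range(duration_ms)]


def simulate(acl: list[AclEntry], rate_bps: int, normal_burst: int,
             packets: list[Packet], duration_ms: int) -> dict:
    """Apply 'rate-limit input access-group <acl> <rate> <burst> ...' semantics:
    only ACL-matched packets are policed, everything else is transmitted."""
    policer = TokenBucketPolicer(rate_bps, normal_burst)
    matched = dropped = transmitted = 0
    for p in packets:
        if any(e.matches(p) for e in acl):
            matched += 1
            if policer.conforms(p):
                transmitted += p.size
            else:
                dropped += 1
        else:
            transmitted += p.size  # unmatched traffic is never policed
    return {"matched": matched, "dropped": dropped,
            "achieved_bps": transmitted * 8 * 1000 // duration_ms}


# access-list 103 permit tcp any any eq www -> matches client requests (dst 80) only
ORIGINAL_ACL = [AclEntry(ANY, WWW), AclEntry(ANY, FTP)]
# access-list 103 permit tcp any eq www any -> matches server replies (src 80)
REPLY_ACL = [AclEntry(WWW, ANY), AclEntry(FTP, ANY)]

if __name__ == "__main__":
    rate = 2_000_000
    normal, extended = car_burst_sizes(rate)
    print(f"CAR burst sizes for {rate} bit/s: normal={normal} extended={extended} bytes")
    pkts = inbound_download(10_000)
    for name, acl in (("any any eq www", ORIGINAL_ACL), ("any eq www any", REPLY_ACL)):
        for burst in (2500, normal):
            r = simulate(acl, rate, burst, pkts, 10_000)
            print(f"{name:15s} burst={burst:>7d}: matched={r['matched']:5d} "
                  f"dropped={r['dropped']:5d} achieved={r['achieved_bps'] / 1e6:.2f} Mbit/s")
```

With the original ACL no inbound reply packet matches, so the download passes at the full offered 12 Mbit/s and the exceed counter barely moves, which is the symptom reported above. With the reply-form ACL the same stream is held to roughly the configured 2 Mbit/s; the larger documented burst lets the first 1.5 s worth of bytes through before the bucket drains, which is what the normal burst is for.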
