01-04-2016 09:14 PM
Hello,
We have an ESR10008 router.
We have 4 /24s for which we need to apply rate limiting for each IP address on the uplink interface.
No limiting will be applied to other interfaces.
Creating and managing a huge number of ACLs would be difficult, and it is not possible to set more than 64 classes per service-policy.
Can anyone suggest what we could do to achieve such setup?
Please, advise and thank you!
Best Regards
01-06-2016 07:07 PM
Does Ge0/1 going to the global internet have a full BGP feed attached to it (so markings could be applied), or just a small feed like a default route?
If it has a full BGP feed, are there any existing communities or attributes that could be used to identify those routes?
01-06-2016 12:11 AM
Thanks it does rate-limit individually. I must ask:
1. Does it apply to only one interface?
This is the current configuration
interface Virtual-Template1
mtu 1492
ip unnumbered GigabitEthernet0/1
rate-limit input 496000 64500 64500 conform-action transmit exceed-action drop
rate-limit output 496000 64500 64500 conform-action transmit exceed-action drop
2. What if I want to apply different rate limiting to two different computers?
01-06-2016 12:58 AM
Let's explain it a different way.
User 1 attaches. Virtual-Template1 is cloned to Virtual-Access1.
User 2 attaches. Virtual-Template1 is cloned to Virtual-Access2.
User 3 attaches. Virtual-Template1 is cloned to Virtual-Access3.
Virtual-Template1 is not an interface, it is a template. Virtual-Access(x) is a real interface, as far as the router is concerned. Hence there is a 1:1 mapping between users and Virtual-Access(x). Hence you can create a rate-limit that scales.
The second question is tougher to answer. What method do you currently use to assign users to Virtual-Template1?
01-06-2016 01:12 AM
Tell me if my understanding is not correct.
1. Users, once connected, will clone settings from Virtual-Template1 (per-user rate limit is achieved).
2. I want to apply this very rate limiting only on the uplink interface and have unlimited access to every other interface.
Currently we have created separate BBA groups, which are all associated with separate Virtual-Templates, which are associated with each interface we have.
Example:
BBA group 1 - Virtual-Template 1 - GE0/1
BBA group 2 - Virtual-Template 2 - GE0/2
01-06-2016 01:55 AM
(1) Correct.
(2) Without an access list, it applies to everything going in and out of the Virtual-Access, regardless of the uplink used. However, a potential fix: create an access-list for unrestricted traffic. Something like:
interface Virtual-Template 1
rate-limit output access-group 100 496000 64500 64500 conform-action transmit exceed-action drop
...
access-list 100 deny ip a.b.c.d 0.0.0.255 any
access-list 100 permit ip any any
Repeat for the other direction (input).
If that is too tricky, you can use qos-groups. On specific interfaces use the "set ip qos-group ..." command. The qos group is only specific to the local router. It does not set any qos markings or change any packets.
So you could make Ge0/1 one qos group, and ge0/2 another qos group. Then you can do something like:
interface Virtual-Template 1
rate-limit output qos-group 100 496000 64500 64500 conform-action transmit exceed-action drop
rate-limit input qos-group 100 496000 64500 64500 conform-action transmit exceed-action drop
01-14-2016 09:43 PM
Hi,
I followed your guide, but when I display the route information I get the following:
Router#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 100", distance 20, metric 0, candidate default path
01-15-2016 12:39 AM
Did you do a soft reset on the BGP peer to make it tag the routes as they are learned?
01-06-2016 01:04 AM
With regard to (2), using RADIUS attributes is an easy way to set per user speed limits. Check out:
http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbsbpssq.html#wp1050969
You can use an attribute something like:
lcp:interface-config=rate-limit input 496000 64500 64500 conform-action transmit exceed-action drop
01-06-2016 12:01 AM
pps. Don't attempt to do per-IP rate limiting on the uplink. You'll crash and burn as you run into platform limits.
Now if you have a 6500 you could do something like this ...
06-07-2016 11:46 AM
Hello,
Thank you for the help. I had to give it another try since I have free time to try it again.
Virtual-Access2.1
Input
matches: qos-group 1
params: 496000 bps, 64500 limit, 64500 extended limit
conformed 17203 packets, 1671755 bytes; action: transmit
exceeded 10627 packets, 1018617 bytes; action: drop
last packet: 0ms ago, current burst: 43196 bytes
last cleared 00:00:39 ago, conformed 335000 bps, exceeded 204000 bps
Output
matches: qos-group 1
params: 496000 bps, 64500 limit, 64500 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 4132960032ms ago, current burst: 0 bytes
last cleared 00:00:39 ago, conformed 0 bps, exceeded 0 bps
7206VXR#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 100", distance 20, metric 0, candidate default path
Tag 4850, qos-group 1, type external
interface Virtual-Template1
mtu 1492
ip unnumbered Loopback1
ip virtual-reassembly
rate-limit input qos-group 1 496000 64500 64500 conform-action transmit exceed-action drop
rate-limit output qos-group 1 496000 64500 64500 conform-action transmit exceed-action drop
peer default ip address pool pool
ppp authentication pap chap ms-chap
ppp ipcp dns 203.XXX.XX.X
bgp-policy source ip-qos-map
bgp-policy destination ip-qos-map
But it seems to only rate-limit upload speed.
Please, help
Thanks!
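A small parser for the counters quoted in the post above, added here as an example and not part of the thread: it reads "show interfaces rate-limit"-style output and flags a direction whose policer never matched a packet while the opposite direction did, which is the upload-only symptom reported. The sample text is constructed from the numbers in the post.

```python
import re

# Constructed sample shaped like IOS "show interfaces rate-limit" output,
# modelled on the Virtual-Access2.1 counters quoted in the post above.
SAMPLE = """\
Virtual-Access2.1
  Input
    matches: qos-group 1
      conformed 17203 packets, 1671755 bytes; action: transmit
      exceeded 10627 packets, 1018617 bytes; action: drop
      last cleared 00:00:39 ago, conformed 335000 bps, exceeded 204000 bps
  Output
    matches: qos-group 1
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
"""

DIR_RE = re.compile(r"^\s*(Input|Output)\s*$")
IFACE_RE = re.compile(r"^(\S+)\s*$")            # interface names start in column 0
MATCH_RE = re.compile(r"^\s*matches:\s+(.+?)\s*$")
COUNT_RE = re.compile(r"^\s*(conformed|exceeded)\s+(\d+)\s+packets,")

def parse_rate_limit(text):
    """Return {iface: {direction: {"match": str, "conformed": int, "exceeded": int}}}."""
    stats, iface, direction = {}, None, None
    for line in text.splitlines():
        if DIR_RE.match(line):
            direction = DIR_RE.match(line).group(1)
            stats[iface][direction] = {"match": None, "conformed": 0, "exceeded": 0}
        elif IFACE_RE.match(line):
            iface, direction = IFACE_RE.match(line).group(1), None
            stats[iface] = {}
        elif direction and MATCH_RE.match(line):
            stats[iface][direction]["match"] = MATCH_RE.match(line).group(1)
        elif direction and COUNT_RE.match(line):        # packet counters only, not the bps summary line
            kind, n = COUNT_RE.match(line).groups()
            stats[iface][direction][kind] += int(n)
    return stats

def idle_directions(stats):
    """Flag a policer direction that matched nothing while the other direction did."""
    findings = []
    for iface, dirs in stats.items():
        seen = {d: v["conformed"] + v["exceeded"] for d, v in dirs.items()}
        for d, total in seen.items():
            others = [seen[o] for o in seen if o != d]
            if total == 0 and any(others):
                findings.append((iface, d, dirs[d]["match"]))
    return findings
```

Run over the real command output, a finding of ("Virtual-Access2.1", "Output", "qos-group 1") points at the output match criterion (here the qos-group) rather than at the policer rates.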
06-07-2016 12:26 PM
It looks like you'll only be able to use the qos-group for traffic coming in, and will need to use a standard rate limit for traffic going out the Virtual-Access interface.