Rate-limit a large number of IP addresses

Anar Boldbaatar
Level 1

Hello,

We have ESR10008 router.

We have 4 /24s, and we need to apply rate limiting for each IP address on the uplink interface.

No limiting will be applied to other interfaces.

Creating and managing a huge number of ACLs would be difficult, and it is not possible to set more than 64 classes per service-policy.

Can anyone suggest what we could do to achieve such setup?

Please, advise and thank you!

Best Regards

25 Replies

Does Ge0/1 going to the global internet have a full BGP feed attached to it (so markings could be applied), or just a small feed like a default route?

If it has a full BGP feed are there any existing communities of attributes that could be used to identify those routes?

Thanks, it does rate-limit individually. I must ask:

1. Does it apply to only one interface?

This is the current configuration

interface Virtual-Template1
 mtu 1492
 ip unnumbered GigabitEthernet0/1
 rate-limit input 496000 64500 64500 conform-action transmit exceed-action drop
 rate-limit output 496000 64500 64500 conform-action transmit exceed-action drop

2. What if I want to apply different rate limiting to two different computers?

Let's explain it a different way.

User 1 attaches.  Virtual-Template1 is cloned to Virtual-Access1.

User 2 attaches.  Virtual-Template1 is cloned to Virtual-Access2.

User 3 attaches.  Virtual-Template1 is cloned to Virtual-Access3.

Virtual-Template1 is not an interface, it is a template.  Virtual-Access(x) is a real interface, as far as the router is concerned.  Hence there is a 1:1 mapping between users and Virtual-Access(x).  Hence you can create a rate-limit that scales.

The second question is tougher to answer.  What method do you currently use to assign users to Virtual-Template1?

Tell me if my understanding is not correct.

1. Users once connected will clone settings from Virtual-Template1 (Per user rate limit is achieved)

2. I want to apply this very rate limiting only on the uplink interface and have unlimited access to every other interface.

Currently we have created separate BBA groups, which are all associated with separate Virtual-Templates, which are associated with each interface we have.

Example:

BBA group 1 - Virtual-Template 1 - GE0/1

BBA group 2 - Virtual-Template 2 - GE0/2

(1) Correct.

(2) Without an access list, it applies to everything going in and out the Virtual-Access, regardless of the uplink used.  However, a potential fix: create an access-list for un-restricted traffic.  Something like:

interface Virtual-Template 1
  rate-limit output access-group 100 496000 64500 64500 conform-action transmit exceed-action drop
...
access-list 100 deny ip a.b.c.d 0.0.0.255 any
access-list 100 permit ip any any

Repeat for the other direction (input).

If that is too tricky, you can use qos-groups.  On specific interfaces use the "set ip qos-group ..." command.  The qos group is only specific to the local router.  It does not set any qos markings or change any packets.

So you could make Ge0/1 one qos group, and ge0/2 another qos group.  Then you can do something like:

interface Virtual-Template 1
  rate-limit output qos-group 100 496000 64500 64500 conform-action transmit exceed-action drop
  rate-limit input qos-group 100 496000 64500 64500 conform-action transmit exceed-action drop
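Putting the qos-group suggestion from this reply together with the pieces that appear later in the thread (the BGP default route tagged with a qos-group, and "bgp-policy ... ip-qos-map" on the template) gives one complete configuration. This is an added illustration, not configuration posted by anyone in the thread; the class/policy/route-map names, the AS number 100, the "set qos-group" marking on Ge0/1, and the RADIUS server address and key are assumptions.

```cisco
! --- Uplink (download direction): mark everything arriving from the Internet ---
! MQC marking on Ge0/1 sets qos-group 1 on inbound packets. Assumption: on this
! platform CAR's "qos-group" match sees a value set by "set qos-group"; the thread
! only confirms the value set by QPPB (bgp-policy), so verify with the counters.
policy-map MARK-FROM-INTERNET
 class class-default
  set qos-group 1
!
interface GigabitEthernet0/1
 description Uplink (global Internet)
 service-policy input MARK-FROM-INTERNET
!
! --- Upload direction: classify by the route the destination matches (QPPB) ---
! Only the BGP default route learned from the uplink is tagged with qos-group 1,
! so traffic towards Ge0/2 or another subscriber stays untagged and unlimited.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map QPPB-TAG permit 10
 match ip address prefix-list DEFAULT-ONLY
 set ip qos-group 1
!
route-map QPPB-TAG permit 20
!
router bgp 100
 table-map QPPB-TAG
!
! --- Subscriber template: per-user CAR that only matches qos-group 1 ---
! Every PPPoE session clones this into its own Virtual-Access interface, so the
! 496 kbps limit is enforced per subscriber without any per-IP ACLs or classes.
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback1
 ip virtual-reassembly
 bgp-policy destination ip-qos-map
 rate-limit input qos-group 1 496000 64500 64500 conform-action transmit exceed-action drop
 rate-limit output qos-group 1 496000 64500 64500 conform-action transmit exceed-action drop
 peer default ip address pool pool
 ppp authentication pap chap ms-chap
!
! --- Optional: hand the per-user limit to RADIUS instead of the template ---
! With AAA authorization the RADIUS server can return, per user, an attribute
! such as  lcp:interface-config=rate-limit input 496000 64500 64500 conform-action transmit exceed-action drop
! and the static rate-limit lines above are then left out of the template.
! 192.0.2.10 and EXAMPLE-KEY are placeholders.
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key EXAMPLE-KEY
```

After applying the table-map, do the soft reset mentioned later in the thread (clear ip bgp * soft in) so the default route is re-learned with the tag; "show ip route 0.0.0.0" should then list "qos-group 1" as in the output posted further down, and "show interfaces rate-limit" shows the conformed/exceeded counters per Virtual-Access. The final reply in the thread reports that the qos-group match only worked for traffic entering the Virtual-Access, so if the Output counters stay at zero even with the Ge0/1 marking in place, the fallback that reply gives is a plain rate-limit output on the template.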

Hi,

I followed your guide, but when I display the route information I get the following:

Router#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 100", distance 20, metric 0, candidate default path

Did you do a soft reset on the BGP peer to make it tag the routes as they are learned?

With regard to (2), using RADIUS attributes is an easy way to set per user speed limits.  Check out:

http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbsbpssq.html#wp1050969

You can use an attribute something like:

lcp:interface-config=rate-limit input 496000 64500 64500 conform-action transmit exceed-action drop

P.P.S. Don't attempt to do per-IP rate limiting on the uplink.  You'll crash and burn as you run into platform limits.

Now if you have a 6500 you could do something like this ...

Anar Boldbaatar
Level 1

Hello,

Thank you for the help. I had to give it another try since I have free time to try it again.

Virtual-Access2.1
  Input
    matches: qos-group 1
      params:  496000 bps, 64500 limit, 64500 extended limit
      conformed 17203 packets, 1671755 bytes; action: transmit
      exceeded 10627 packets, 1018617 bytes; action: drop
      last packet: 0ms ago, current burst: 43196 bytes
      last cleared 00:00:39 ago, conformed 335000 bps, exceeded 204000 bps
  Output
    matches: qos-group 1
      params:  496000 bps, 64500 limit, 64500 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 4132960032ms ago, current burst: 0 bytes
      last cleared 00:00:39 ago, conformed 0 bps, exceeded 0 bps

7206VXR#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 100", distance 20, metric 0, candidate default path
  Tag 4850, qos-group 1, type external

interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback1
 ip virtual-reassembly
 rate-limit input qos-group 1 496000 64500 64500 conform-action transmit exceed-action drop
 rate-limit output qos-group 1 496000 64500 64500 conform-action transmit exceed-action drop
 peer default ip address pool pool
 ppp authentication pap chap ms-chap
 ppp ipcp dns 203.XXX.XX.X
 bgp-policy source ip-qos-map
 bgp-policy destination ip-qos-map

But it seems to only rate-limit upload speed.

Please, help

Thanks!


It looks like you'll only be able to use the qos-group for traffic coming in, and will need to use a standard rate limit for traffic going out the Virtual-Access interface.
