
Limiting HTTP traffic

fusahinkaya
Level 1

Hi,

We want to limit the usage of HTTP type traffic in our branches (in any case).

I know CAR rate limiting and also policy-based rate limiting can be a solution.

But when I implemented the CAR rate limiting feature on the router, I didn't see any impact of it.

The configuration is like this:

int ser 0/0.1
 rate-limit input access-group 103 16000 1500 2000 conform-action transmit exceed-action drop
 rate-limit output access-group 103 16000 1500 2000 conform-action transmit exceed-action drop

access-list 103 permit tcp any any eq www

(I'm waiting to limit HTTP traffic to 16kbps)

Does anyone have any idea?

Thanks

Funda

6 Replies

donewald
Level 6

Funda,

At a glance this looks correct, so can you send the following information.

1. configuration of your serial interface and the .1 interface (out of your running config)

2. show interfaces rate-limit (want the Serial 0/0.1 output)

3. What code are you running and what router type is this?

Thank you,

Don

Hi Don,

Here are the outputs:

1)

!
interface Serial0/0
 description IGX ankara
 bandwidth 128
 no ip address
 rate-limit input access-group 103 8000 1500 2000 conform-action transmit exceed-action drop
 rate-limit output access-group 103 8000 1500 2000 conform-action transmit exceed-action drop
 encapsulation frame-relay
 no ip mroute-cache
 load-interval 30
 no fair-queue
 cdp enable
 frame-relay traffic-shaping
!
interface Serial0/0.1 point-to-point
 ip address 10.162.255.122 255.255.255.252
 ip hello-interval eigrp 100 30
 ip hold-time eigrp 100 60
 rate-limit input access-group 103 16000 1500 2000 conform-action transmit exceed-action drop
 rate-limit output access-group 103 16000 1500 2000 conform-action transmit exceed-action drop
 no ip mroute-cache
 frame-relay class YKB1
 frame-relay interface-dlci 130
 frame-relay ip rtp header-compression
!
map-class frame-relay YKB1
 frame-relay adaptive-shaping becn
 frame-relay cir 128000
 frame-relay bc 1000
 frame-relay be 0
 frame-relay mincir 128000
 frame-relay fair-queue
!

ethernet int.

!
interface Loopback0
 ip address 10.162.252.30 255.255.255.255
 h323-gateway voip interface
 h323-gateway voip id GKGebze1 ipaddr 10.105.253.3 1719
 h323-gateway voip h323-id ykytest_bed@ykb.com
!
interface Ethernet0/0
 ip address 10.162.30.1 255.255.255.0
 ip nat outside
 load-interval 30
 no keepalive
 full-duplex
!

2)

ykytest_bed#sh int se 0/0 rate-limit
Serial0/0 IGX ankara
  Input
    matches: access-group 103
      params: 8000 bps, 1500 limit, 2000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 1756185316ms ago, current burst: 0 bytes
      last cleared 01:58:47 ago, conformed 0 bps, exceeded 0 bps
  Output
    matches: access-group 103
      params: 8000 bps, 1500 limit, 2000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 1756185320ms ago, current burst: 0 bytes
      last cleared 01:58:54 ago, conformed 0 bps, exceeded 0 bps
ykytest_bed#

3) Router is a Cisco 3640.

IOS is very old (I know).

ykytest_bed#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.1(3a)XI1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
TAC:Home:SW:IOS:Specials for info

Thanks so much.

Funda

Funda,

1. Remove the rate-limit commands off of the primary interface. The subinterface rate-limit command should be sufficient.

2. Also, on your "show interface rate-limit" command I was more interested in the .1 subinterface, and you only have output for the primary interface in your show command. Since you are doing your IP traffic on your .1 subinterface, we'll need to ensure your router knows about the rate-limit commands on the .1. Please send that "sh int se 0/0.1 rate-limit".

3. Your IOS is a bit dated, but let's see about the above stuff first and go from there. It might be a code defect...

Hope this helps,

Don

Hi Don,

I removed the rate-limit command from the interface.

Here is the show command for the subinterface.

ykytest_bed#sh int se 0/0.1 rate-limit
Serial0/0.1
  Input
    matches: access-group 103
      params: 16000 bps, 1500 limit, 2000 extended limit
      conformed 84 packets, 3962 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 1309468ms ago, current burst: 10 bytes
      last cleared 03:18:05 ago, conformed 0 bps, exceeded 0 bps
  Output
    matches: access-group 103
      params: 16000 bps, 1500 limit, 2000 extended limit
      conformed 7901 packets, 384174 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 29468ms ago, current burst: 0 bytes
      last cleared 03:17:56 ago, conformed 0 bps, exceeded 0 bps
ykytest_bed#

I repeated the test, but I get max. 36kbps traffic as input on the serial interface.

Thanks again

Funda
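An added example, not part of any post in this thread: a small parser for the `sh int se 0/0.1 rate-limit` output quoted above that reports, per direction, how many packets the policer matched, their average size, and whether anything was ever dropped. The function names are hypothetical and the sample text is copied from the post with blank lines removed.

```python
import re

# Output copied from the post above (blank lines removed).
SAMPLE = """\
Serial0/0.1
  Input
    matches: access-group 103
      params: 16000 bps, 1500 limit, 2000 extended limit
      conformed 84 packets, 3962 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last cleared 03:18:05 ago, conformed 0 bps, exceeded 0 bps
  Output
    matches: access-group 103
      params: 16000 bps, 1500 limit, 2000 extended limit
      conformed 7901 packets, 384174 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last cleared 03:17:56 ago, conformed 0 bps, exceeded 0 bps
"""

COUNTER = re.compile(r"^(conformed|exceeded) (\d+) packets, (\d+) bytes")
PARAMS = re.compile(r"^params:\s+(\d+) bps, (\d+) limit, (\d+) extended limit")

def parse_rate_limit(text):
    """Return {"input": {...}, "output": {...}} with params and counters."""
    stats, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Input", "Output"):
            cur = stats.setdefault(line.lower(), {})
        elif cur is not None:
            if m := PARAMS.match(line):
                cur["bps"], cur["burst"], cur["ext_burst"] = map(int, m.groups())
            elif m := COUNTER.match(line):
                cur[m[1] + "_pkts"], cur[m[1] + "_bytes"] = int(m[2]), int(m[3])
    return stats

def summarize(stats):
    """Per direction: matched packets, average packet size, any drops."""
    out = {}
    for direction, s in stats.items():
        pkts = s["conformed_pkts"] + s["exceeded_pkts"]
        size = s["conformed_bytes"] + s["exceeded_bytes"]
        out[direction] = {"matched_pkts": pkts,
                          "avg_bytes": round(size / pkts, 1) if pkts else 0.0,
                          "ever_exceeded": s["exceeded_pkts"] > 0}
    return out

if __name__ == "__main__":
    for direction, result in summarize(parse_rate_limit(SAMPLE)).items():
        print(direction, result)
```

Both directions average under 50 bytes per matched packet with nothing exceeded. In `access-list 103 permit tcp any any eq www` the `eq www` follows the destination, so only packets addressed to port 80 are counted against the policer.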

Funda,

I saw no glaring defects that would stop this from working. I would like you to try lessening your burst size and extended burst. Burst size min has to be bps divided by 2000, so you should be able to go with 800 vice 1500. Make the extended burst the minimum as well. Then retest.

burst-normal: Normal burst size in bytes. The minimum value is bps divided by 2000.

burst-max: Excess burst size in bytes.

What are you using to test this 36kbps web stream?

Hope this does the trick.

Hi Don,

First of all, thanks for your interest.

I'm not able to change the burst and extended burst values (according to IOS these are the min values for them).

I'm using our internet banking application to test www traffic. (It seems bad? :)))

My aim is to change the IOS and try again, and then maybe I can open a TAC case.

Thanks so much

Funda