07-15-2009 08:26 AM - edited 03-04-2019 05:26 AM
I have a Cisco 2600 with multiple inside VLANs. How would I limit the usage on a specific VLAN?
Using 4250 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Router
!
logging buffered 10000 notifications
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default local
enable secret 5 $1$xHlK$oMSqYq4aCPiNjCW1hD1gq.
!
username all
username W3stRivr password 7 132203475A5E55736A
username admin privilege 15 password 7 141E1C1F09167C78717A
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
!
!
no ip finger
ip tcp selective-ack
ip tcp timestamp
ip tcp path-mtu-discovery
no ip domain-lookup
ip dhcp excluded-address 12.106.128.1 12.106.128.11
ip dhcp excluded-address 12.106.128.129
ip dhcp excluded-address 12.106.128.12 12.106.128.21
!
ip dhcp pool ChicagoRiverNorth_Apple
network 12.106.128.128 255.255.255.128
default-router 12.106.128.129
domain-name ChicagoRiverNorth_AP.com
dns-server 12.127.16.68 12.127.17.72
lease 0 12
!
ip dhcp pool ChicagoRiverNorth_EXHIBITION
network 12.106.128.0 255.255.255.128
default-router 12.106.128.1
domain-name ChicagoRiverNorth_EX.com
dns-server 12.127.16.68 12.127.17.72
lease 0 1
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
!
class-map match-any http_hack
match protocol http url "*.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
match protocol http url "*readme.eml*"
match protocol http url "*SAMPLE*.exe*"
match protocol http url "*sample*.exe*"
match protocol http url "*admin.dll*"
match protocol http url "*readme2.eml*"
match protocol http url "*httpodbc.dll*"
match protocol http url "*sample.eml*"
match protocol http url "*cool.dll*"
match protocol http url "*riched20.dll*"
!
!
policy-map mark_http_hacks
description policy map that marks inbound http hacks
class http_hack
set ip dscp 1
!
!
!
!
!
call rsvp-sync
cns event-service server
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0.10
description ***** For Exhibition Subet ******
encapsulation dot1Q 10
ip address 12.106.128.1 255.255.255.128
no ip redirects
no ip unreachables
!
interface FastEthernet0/0.15
description ***** For Apple Subnet *****
encapsulation dot1Q 15
ip address 12.106.128.129 255.255.255.128
no ip redirects
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 12.39.22.178 255.255.255.240
!
interface Serial0/0
description REMOVED DHEC108729.801..ATI - AT & T - (888-613-6330 Option's 211) - T1
ip address 12.125.174.142 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
shutdown
service-policy input mark_http_hacks
no fair-queue
07-16-2009 01:54 AM
Hello Jason,
You can do it by applying a service policy inbound to physical interface f0/0:
! vlan-source and mask stand for the VLAN's subnet and wildcard mask
access-list 121 permit ip vlan-source mask any
class-map vlanx_traffic
match access-group 121
policy-map limit_vlan_x
class vlanx_traffic
police 5000
int f0/0
! attach the policy-map (not the class-map) to the interface
service-policy input limit_vlan_x
Hope to help
Giuseppe
07-16-2009 03:33 AM
Are you unable to use a service-policy under your FastE subinterfaces?
What kind of usage limitation did you want to implement? i.e., to, from, or both to/from the VLANs; shaping or policing?
07-16-2009 01:08 PM
There is currently a 4.5 megabyte pipe coming into the router. I would like to limit one VLAN so that it can only use up to 3 MBPS of that circuit.
07-16-2009 01:28 PM
Would need much more detail to suggest what you might do.
However, in general, you often have a lot of control over bandwidth utilization when upstream of the circuit (outbound), but much, much less when downstream of the circuit (inbound). It's often easy to police inbound, but this often doesn't really guarantee inbound bandwidth utilization (again this is downstream, not the same thing as 1st hop inbound).
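To make the policing discussed in this thread concrete, here is an added example (not code from any poster or from Cisco) that models a single-rate token-bucket policer and runs the asker's case through it. Assumptions: the figures are read as 4.5 and 3 Mbit/s, the 1125-byte packets and burst sizes are constructed test values, and `cbr`, `police` and `report` are hypothetical names. It models only the policer's pass/drop decision, not how senders or the circuit react to the drops.

```python
# Added example (not from the thread): integer-time model of a single-rate,
# two-colour token-bucket policer, the mechanism behind an MQC `police` statement.
US = 1_000_000  # microseconds per second


def cbr(rate_bps, pkt_bytes, seconds):
    """Constructed traffic: constant-bit-rate stream of (arrival_us, size_bytes)."""
    gap_us = pkt_bytes * 8 * US // rate_bps
    return [(i * gap_us, pkt_bytes) for i in range(seconds * US // gap_us)]


def police(packets, rate_bps, burst_bytes):
    """Return (conformed_bytes, exceeded_bytes) for time-sorted packets.

    Tokens are kept in bit-microseconds so all arithmetic stays exact.
    """
    cap = burst_bytes * 8 * US
    tokens, last_us = cap, 0           # bucket starts full
    conformed = exceeded = 0
    for t_us, size in packets:
        # Refill for the elapsed time, never beyond the configured burst.
        tokens = min(cap, tokens + (t_us - last_us) * rate_bps)
        last_us = t_us
        cost = size * 8 * US
        if cost <= tokens:             # conform: transmit and spend tokens
            tokens -= cost
            conformed += size
        else:                          # exceed: drop, bucket is left untouched
            exceeded += size
    return conformed, exceeded


def report(label, offered_bps, rate_bps, burst_bytes, seconds=10):
    """Run a constructed 1125-byte-packet stream through the policer."""
    ok, dropped = police(cbr(offered_bps, 1125, seconds), rate_bps, burst_bytes)
    print(f"{label}: passed {ok * 8 / seconds / 1e6:.2f} Mbit/s, "
          f"dropped {dropped * 8 / seconds / 1e6:.2f} Mbit/s")
    return ok, dropped


if __name__ == "__main__":
    report("4.5M offered, 3M policer", 4_500_000, 3_000_000, 11_250)
    report("2M offered, 3M policer", 2_000_000, 3_000_000, 11_250)
    # Edge case: a burst smaller than one packet can never pass that packet.
    report("burst below packet size", 4_500_000, 3_000_000, 1_000)
```

The third case is the one to check for in a real configuration: if the burst allowance is smaller than the largest packet, the policer drops every such packet regardless of the configured rate.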