rate-limit specific IP address

atrevido43
Level 1

I want to rate limit a specific public ip address on a sub-interface (VLAN 100) to 500k of it so that the group of people in that VLAN 100 do not suck up all bandwidth with cloudsync.  So, couple questions.

Question 1:

CloudSync has one public IP address let's say 1.1.1.1   How do I limit traffic going out to my ISP to allowing only 500k on it?  It's only for a specific group of people.  Say VLAN 100.  Would I limit it on just that sub-interface?

Would this be what I need to put?

int gig 0/0.100

rate-limit input access-group 125 496000 20000 40000 conform-action transmit exceed-action drop

rate-limit output access-group 125 496000 20000 40000 conform-action transmit exceed-action drop

access-list 125 permit ip 1.1.1.1 0.0.0.0 any

2nd question:

Let's say the same scenario but I want to limit box.com, which has a multitude of ip addresses.

From box support site -- To enable Box.com and the Box Sync product, the new IP addresses that should be allowed are 173.236.154.8 and 209.249.140.0/24.

int gig 0/0.100

rate-limit input access-group 125 496000 20000 40000 conform-action transmit exceed-action drop

rate-limit output access-group 125 496000 20000 40000 conform-action transmit exceed-action drop

access-list 125 permit ip 173.236.154.8 0.0.0.0 any

access-list 125 permit ip 209.249.140.0 0.0.0.255 any

4 Replies

John Blakley
VIP Alumni

Dawn,


Would this be what I need to put?

int gig 0/0.100

rate-limit input access-group 125 496000 20000 40000 conform-action transmit exceed-action drop

rate-limit output access-group 125 496000 20000 40000 conform-action transmit exceed-action drop

access-list 125 permit ip 1.1.1.1 0.0.0.0 any

Your acl would be good for input, but for output, you'd want to have another acl matching anything going to 1.1.1.1/32.

access-list 126 permit ip any host 1.1.1.1

Same thing for question number 2.

HTH,

John

*** Please rate all useful posts ***


Like this?

access-list 125 permit ip any host 191.1.1.1

access-list 125 permit ip host 191.1.1.1 any

I only seem to be matching packets in one direction.

C2821#show interfaces rate-limit

GigabitEthernet0/0.250 connected to LA

  Input

    matches: access-group 125

      params:  496000 bps, 20000 limit, 40000 extended limit

      conformed 23567 packets, 1668671 bytes; action: transmit

      exceeded 0 packets, 0 bytes; action: drop

      last packet: 28ms ago, current burst: 0 bytes

      last cleared 00:14:29 ago, conformed 15000 bps, exceeded 0 bps

  Output

    matches: access-group 125

      params:  496000 bps, 20000 limit, 40000 extended limit

      conformed 36617 packets, 51847319 bytes; action: transmit

      exceeded 2882 packets, 4090875 bytes; action: drop

      last packet: 28ms ago, current burst: 18124 bytes

      last cleared 00:14:29 ago, conformed 477000 bps, exceeded 37000 bps

It looks like you're seeing traffic in both directions to me:

Input

matches: access-group 125

      params:  496000 bps, 20000 limit, 40000 extended limit

     conformed 23567 packets, 1668671 bytes; action: transmit

      exceeded 0 packets, 0 bytes; action: drop

      last packet: 28ms ago, current burst: 0 bytes

      last cleared 00:14:29 ago, conformed 15000 bps, exceeded 0 bps

Output

    matches: access-group 125

      params:  496000 bps, 20000 limit, 40000 extended limit

     conformed 36617 packets, 51847319 bytes; action: transmit

      exceeded 2882 packets, 4090875 bytes; action: drop

      last packet: 28ms ago, current burst: 18124 bytes

      last cleared 00:14:29 ago, conformed 477000 bps, exceeded 37000 bps

HTH,
John

*** Please rate all useful posts ***
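
Added example, not part of the original thread: a small Python model of how an extended ACL's address/wildcard pairs match source and destination, showing why an entry that names the remote address only as the source classifies just one direction of the flow for a rate-limit statement. The client address 10.0.100.25 and all helper names are assumptions made for illustration.

```python
import ipaddress

def ip(s):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def field(addr, wildcard):
    """One address/wildcard pair; wildcard bits set to 1 are 'don't care'."""
    return (ip(addr), ip(wildcard))

ANY = field("0.0.0.0", "255.255.255.255")   # the 'any' keyword

def host(addr):
    """The 'host x' keyword, same as 'x 0.0.0.0'."""
    return field(addr, "0.0.0.0")

def field_matches(f, address):
    base, wildcard = f
    # Compare only the bits the wildcard mask does not ignore.
    return ((ip(address) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def acl_matches(acl, src, dst):
    """True if any 'permit ip <src> <dst>' entry matches; otherwise implicit deny.
    All entries here are permits, so any() gives the first-match result."""
    return any(field_matches(s, src) and field_matches(d, dst) for s, d in acl)

# 'access-list 125 permit ip 1.1.1.1 0.0.0.0 any' from the question
ACL_SRC_ONLY = [(host("1.1.1.1"), ANY)]
# 'access-list 126 permit ip any host 1.1.1.1' from the first reply
ACL_DST_ONLY = [(ANY, host("1.1.1.1"))]
# The Box addresses from question 2, with reverse entries added (assumption)
ACL_BOX_BOTH = [
    (host("173.236.154.8"), ANY), (ANY, host("173.236.154.8")),
    (field("209.249.140.0", "0.0.0.255"), ANY),
    (ANY, field("209.249.140.0", "0.0.0.255")),
]

CLIENT = "10.0.100.25"  # constructed VLAN 100 host address, not from the thread

def classified_directions(acl, remote, client=CLIENT):
    """Which directions of a client<->remote flow the ACL selects for policing."""
    return {
        "to_remote": acl_matches(acl, client, remote),
        "from_remote": acl_matches(acl, remote, client),
    }
```

Whether "to_remote" corresponds to the input or the output direction depends on which side of the router the sub-interface faces; traffic the ACL does not match is not policed by that rate-limit statement.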
