Rate limiting and Nat

ashley_dew
Level 1

Hi,

I have a 3845 router connected to a LAN and to other routers, providing Internet access through a link on an Ethernet interface:

Gi0/0: LAN connection
Gi0/1: WAN connection
Fa0/0: Internet connection

NAT is used on fa0/0 for Internet traffic:

int gi0/0
 ip nat inside
int gi0/1
 ip nat inside
int fa0/0
 ip nat outside

I would like to apply a rate limit per user on fa0/0, as such:

int fa0/0
 rate-limit input access-group 101 20000000 3750000 7500000 conform-action transmit exceed-action drop
 rate-limit input access-group 102 10000000 1875000 3750000 conform-action transmit exceed-action drop
 rate-limit input 8000000 1500000 3000000 conform-action transmit exceed-action drop
 ip address 200.x.x.1 255.255.255.252
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any

where 192.168.1.0 and 192.168.2.0 are internal LANs.

Will rate limit apply before NAT and so work on the LAN ip addresses?

My second question is how the limiter applies to ACL 101, for example. Is each and every host/traffic flow that matches the ACL limited to a bandwidth of 20 Mbps, or is the overall traffic matching the ACL restricted to 20 Mbps?

Thanks for your advice,

Ashley

 

9 Replies

Marwan ALshawi
VIP Alumni

Hi Ashley

I would recommend you use policing with policy maps and class maps rather than rate-limit, as rate-limit is now considered old school; the modern and scalable way is MQC with policing.

Let's say you have ACLs 101 and 102.

Create two class maps:

class-map map101
 match access-group 101
class-map map102
 match access-group 102

Then create a policy map:

policy-map P1
 class map101
  police cir 1000000
 class map102
  police cir 1000000

Then apply it to the outside interface in the outbound direction:

int fa0/0
 service-policy output P1

You can confirm whether the policing (limiting) happens after NAT, in terms of matching the ACL: after you apply the policy map, use the command below and see whether there are any matches against the class map.

show policy-map interface fa0/0

For more details, please refer to the link below:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpoli_ps1835_TSD_Products_Configuration_Guide_Chapter.html

HTH

If helpful, rate.

Hi Marwanshawi,

Thanks for your help, MQC is the best solution.

I have a query concerning the mechanism of class-based policing.

Suppose I have ACL 101:

access-list 101 permit ip 10.100.10.0 0.0.0.255 any

So, if I have two connections matching the ACL, 10.100.10.1 accessing a web site and another PC, 10.100.10.10, accessing another site:

Will the policing police each connection, 10.100.10.1 and 10.100.10.10, to 1000000 for example?

Or will all connections be policed to 1000000, that is, the sum of the bandwidth utilisation of all connections matching the ACL will be 1000000?

Thanks,

Ashley

Nagendra Kumar Nainar
Cisco Employee

Hi Ashley,

Regarding the NAT order of operation, the link below will help you:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Regarding your second question, all traffic that matches the ACL will be limited to the specified rate-limit value.

HTH,

Nagendra

Hi Nagendra,

Thanks very much for your answer. So rate-limiting is before NAT, and there is no issue with using my ACL with my internal IPs.

MQC works after NAT, so my ACL with my internal IPs will not work. I would have got my configuration wrong.

Thanks,

Ashley

Hi Ashley

Have you tested it, or are you just relying on the link? I don't think the link mentions output rate limiting and ACL matching outbound!

Have a look at the router processing order below, which I believe is more realistic, as the router does a routing lookup, then translates from inside to outside, then processes other things.

HTH
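
The two points argued in this thread, where in the inside-to-outside path a class-map's ACL is evaluated and what a wildcard mask in a numbered ACL actually matches, worked through in a small simulation. This is an added example, not code from the thread or from Cisco: it models the inside-to-outside sequence described in the Cisco NAT order-of-operation note linked earlier (input features on the inside interface, routing lookup, NAT inside-to-outside, then output ACL and queueing on the outside interface), so a service-policy applied with `output` on fa0/0 classifies on the translated inside-global address, while one applied with `input` on gi0/0 still sees the inside-local address. The PAT table, the 200.0.0.1 global address and the use of interface names as attachment-point labels are constructed for the example. It also checks that IOS numbered ACLs take a wildcard mask, so typing 255.255.255.0 where 0.0.0.255 belongs matches almost nothing from 10.100.10.0/24 (and some unrelated hosts), which means the class would silently police nothing.

```python
# Added example, not from the thread.  Walks a packet through the
# inside-to-outside order of operations (input features -> routing ->
# NAT inside-to-outside -> output ACL / queueing) to show which source
# address a class-map's ACL sees, and checks the wildcard-mask semantics
# of IOS numbered ACLs.  NAT table and addresses are constructed.
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS ACL address match: wildcard bit 0 = must match, bit 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# (source base, source wildcard) with destination 'any', i.e.
#   access-list 101 permit ip 10.100.10.0 0.0.0.255 any
ACL_101 = ("10.100.10.0", "0.0.0.255")
# The same entry typed with a subnet mask where a wildcard belongs: IOS
# reads 255.255.255.0 as "only the last octet must equal 0".
ACL_101_MASK_TYPO = ("10.100.10.0", "255.255.255.0")


def acl_permits(acl, src):
    base, wildcard = acl
    return wildcard_match(src, base, wildcard)


# Constructed PAT table: inside local -> inside global (the fa0/0 address).
NAT_INSIDE_TO_GLOBAL = {
    "10.100.10.1": "200.0.0.1",
    "10.100.10.10": "200.0.0.1",
}


def class_matches(src, acl, policy_point):
    """Does the class-map ACL match this packet at the given attachment point?

    'input gi0/0'  : service-policy input on the inside interface, before NAT
    'output fa0/0' : service-policy output on the outside interface, after NAT
    """
    if policy_point == "input gi0/0":
        # Input features run on the inside interface: original inside-local address.
        return acl_permits(acl, src)
    # Routing lookup, then NAT inside-to-outside rewrites the source.
    translated = NAT_INSIDE_TO_GLOBAL.get(src, src)
    if policy_point == "output fa0/0":
        # Output ACL / queueing / output service-policy see the inside-global address.
        return acl_permits(acl, translated)
    raise ValueError(f"unknown attachment point {policy_point!r}")


if __name__ == "__main__":
    for point in ("input gi0/0", "output fa0/0"):
        print(point, "ACL 101 matches 10.100.10.1:",
              class_matches("10.100.10.1", ACL_101, point))
    print("mask typo matches 10.100.10.77:",
          acl_permits(ACL_101_MASK_TYPO, "10.100.10.77"))
```

A class whose ACL never matches polices nothing, and that traffic passes unlimited, so after attaching the policy check `show policy-map interface fa0/0` for non-zero packet counts under the class, as suggested in the thread. Zero matches while the hosts are sending is the symptom both of a post-NAT attachment point with inside-local addresses in the ACL and of a mask typo.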

Hi,

You are right, the queuing is done after the NAT on the outbound interface where I would like to apply the QoS policy. Thanks.

Do you have an idea about my query regarding whether the bandwidth policing parameters apply to each traffic flow in the ACL, or to the sum of all connections in the ACL?

I have not tested it; it is a production environment. I am just planning the configuration.

Thanks,

Ashley

Hi Ashley

ACL 101 matches any source IP in the subnet 10.100.10.0/24 going to any destination IP.

Which means that if you have a class matching this ACL, it will limit all the IP traffic coming from this subnet going anywhere, including 10.100.10.1 to 10.10.10.10.

However, if you want to separate them, for example:

traffic from host 10.100.10.1 to server 10.10.10.10 to be limited to 1000000,

and traffic from the 10.100.10.0/24 subnet going anywhere else (including 10.100.10.1 going anywhere other than 10.10.10.10) to 2000000,

then use the config example below:

access-list 100 permit ip host 10.100.10.1 host 10.10.10.10
access-list 101 permit ip 10.100.10.0 0.0.0.255 any
!
class-map ACL100
 match access-group 100
class-map ACL101
 match access-group 101
!
policy-map P1
 class ACL100
  police cir 1000000
 class ACL101
  police cir 2000000

Please note that the most specific ACL/class map must be placed first (top-down processing).

HTH

Please rate the helpful posts.
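
Both Nagendra's answer and the reply above state that the configured rate is shared by everything the class matches. As an added example (not code from the thread), the following Python models a single-rate token-bucket policer with conform-action transmit and exceed-action drop, and runs constructed traffic from two hosts in 10.100.10.0/24, each offering a steady 1 Mbps of 1500-byte packets, through one 1 Mbps bucket (what `police cir 1000000` does for the class) and, for contrast, through one bucket per host (what the original question assumed). The Bc of 15000 bytes, the packet size and the hosts' send timing are assumptions made for the example.

```python
# Added example, not from the thread: a single-rate token-bucket policer,
# the behaviour of 'police cir <bps> bc <bytes>' with conform-action
# transmit / exceed-action drop.  The bucket holds at most bc bytes and
# refills at cir/8 bytes per second.  Traffic is constructed: two hosts in
# 10.100.10.0/24 each offer a steady 1 Mbps; the class is policed to 1 Mbps.
from collections import defaultdict

PKT_BYTES = 1500            # assumed packet size
DURATION_US = 1_000_000     # one second of constructed traffic


class TokenBucket:
    """One-bucket policer: a packet conforms if it fits in the bucket, else it is dropped."""

    def __init__(self, cir_bps, bc_bytes):
        self.rate_bytes_per_us = cir_bps / 8 / 1_000_000
        self.bc = float(bc_bytes)
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last_us = 0

    def offer(self, t_us, size):
        # Credit tokens for the time elapsed, capped at the burst size.
        self.tokens = min(self.bc, self.tokens + (t_us - self.last_us) * self.rate_bytes_per_us)
        self.last_us = t_us
        if size <= self.tokens:
            self.tokens -= size
            return True         # conform-action transmit
        return False            # exceed-action drop (no tokens consumed)


def make_stream(host, rate_bps, offset_us=0):
    """Constructed traffic: evenly spaced PKT_BYTES packets at rate_bps from one host."""
    interval_us = PKT_BYTES * 8 * 1_000_000 // rate_bps
    return [(t, host, PKT_BYTES) for t in range(offset_us, DURATION_US, interval_us)]


def police(events, cir_bps, bc_bytes, per_host=False):
    """Police a class.  per_host=False is what 'police cir' under a class does:
    one bucket for every packet the class-map matches.  per_host=True is the
    per-connection behaviour the question assumed, shown for contrast."""
    buckets = defaultdict(lambda: TokenBucket(cir_bps, bc_bytes))
    shared = TokenBucket(cir_bps, bc_bytes)
    stats = {"conform": 0, "drop": 0,
             "per_host": defaultdict(lambda: {"conform": 0, "drop": 0})}
    for t_us, host, size in sorted(events):
        bucket = buckets[host] if per_host else shared
        key = "conform" if bucket.offer(t_us, size) else "drop"
        stats[key] += 1
        stats["per_host"][host][key] += 1
    stats["per_host"] = dict(stats["per_host"])
    return stats


def demo(cir_bps=1_000_000, bc_bytes=15_000):
    """Two hosts matching ACL 101, each sending 1 Mbps, class policed to cir_bps."""
    events = (make_stream("10.100.10.1", 1_000_000)
              + make_stream("10.100.10.10", 1_000_000, offset_us=6_000))
    shared = police(events, cir_bps, bc_bytes)
    separate = police(events, cir_bps, bc_bytes, per_host=True)
    return shared, separate


if __name__ == "__main__":
    shared, separate = demo()
    print("one bucket for the class :", shared)
    print("one bucket per host      :", separate)
```

With the shared bucket the class passes about 1 Mbps plus the initial burst and drops the rest, and because the bucket is first come, first served, one host can take nearly all of it and starve the other (the per-host counters in the result show this). With a bucket per host every packet conforms. So a limit "per user" needs either one class per host, as in the config above, or a feature other than a plain `police cir` under an aggregate class.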

Marwan ALshawi
VIP Alumni

Hope you got the answer you want.

Sent from Cisco Technical Support iPhone App

Thanks Marwanshawi,

Excellent that is very clear.

Thanks for your help, now I understand and I can work on it.

Fantastic