06-17-2016 03:39 AM - edited 03-08-2019 06:15 AM
Is there a more concise way of configuring per-source-ip rate limiting?
I am trying to limit bandwidth usage for each user on a specific subnet.
I've looked in other threads but they seem to be inactive already so I hope it's not bad to create this new one.
I'm trying to do this solely on an IOS router (version 12.x)
ip access-list extended ubrl-2
 permit ip host 172.16.0.2 any
! Repeat this for every n in 2..254
ip access-list extended ubrl-n
 permit ip host 172.16.0.n any
class-map ubrl-2
 match access-group name ubrl-2
! Do the same for the class-maps (class-map name must match the ACL name)
class-map ubrl-n
 match access-group name ubrl-n
policy-map ubrl
 class ubrl-2
  police rate 15000 conform-action transmit exceed-action drop
 class ubrl-n
  police rate 15000 conform-action transmit exceed-action drop
interface [interface pointing to subnet]
 ip address 172.16.0.1 255.255.255.0
 service-policy input ubrl
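One way to produce the repeated per-host blocks without typing them out, as an added example that is not from the original post or from any Cisco tool: a short Python generator for the ACL / class-map / policy-map pattern, plus a check that every class-map references an ACL that is actually defined (a class-map whose ACL name does not exist will not classify the traffic you expect). The subnet, gateway, rate and the "ubrl" prefix come from the thread; the interface name is a placeholder.

```python
import ipaddress
import re

# Added example: generates the per-host ACL/class-map/policy-map config the
# thread writes out by hand. The interface name below is a placeholder.
POLICE = "police rate {rate} conform-action transmit exceed-action drop"

def per_host_policy(subnet, gateway, rate, name="ubrl", intf="GigabitEthernet0/1"):
    """Return IOS CLI text that polices every host in `subnet` individually.
    The router's own address (`gateway`) gets no ACL/class of its own."""
    net = ipaddress.ip_network(subnet, strict=False)
    gw = ipaddress.ip_address(gateway)
    hosts = [h for h in net.hosts() if h != gw]
    # Name each ACL and class-map after the host's last octet so they pair 1:1.
    tags = {h: f"{name}-{str(h).rsplit('.', 1)[1]}" for h in hosts}
    out = []
    for h in hosts:                      # one extended ACL per source host
        out += [f"ip access-list extended {tags[h]}", f" permit ip host {h} any"]
    for h in hosts:                      # one class-map per ACL, same name
        out += [f"class-map match-all {tags[h]}",
                f" match access-group name {tags[h]}"]
    out.append(f"policy-map {name}")     # a single policy-map holding every class
    for h in hosts:
        out += [f" class {tags[h]}", "  " + POLICE.format(rate=rate)]
    out += [f"interface {intf}",         # bind it inbound on the LAN side
            f" ip address {gw} {net.netmask}",
            f" service-policy input {name}"]
    return "\n".join(out) + "\n"

def dangling_classes(config):
    """Names used in 'match access-group name' that no ACL defines.
    Returns a sorted list; empty means every class-map has its ACL."""
    defined = set(re.findall(r"^ip access-list extended (\S+)", config, re.M))
    used = re.findall(r"^\s*match access-group name (\S+)", config, re.M)
    return sorted({u for u in used if u not in defined})

if __name__ == "__main__":
    cfg = per_host_policy("172.16.0.0/24", "172.16.0.1", 15000)
    print(cfg)
    print("dangling:", dangling_classes(cfg))
```

Paste the printed text into configuration mode, or run `dangling_classes` over a `show running-config` capture to spot mismatched names before applying the service-policy.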
06-17-2016 06:41 AM
Hi
I don't know what the final goal is, but on the wired side I did this 3 or 4 times for some customers for a specific use case (an Internet connection shared between several users in the same building, like a provider), and I created a standard policy by setting a common rate usable per session. The policy was pushed directly by a RADIUS server (using a Cisco av-pair) because in my case every user had to authenticate.
Hope this helped.
There is some Cisco documentation for those specific per-session QoS cases. Maybe look at it and you'll find a use case matching yours.
06-17-2016 06:34 PM
Hi supportlan,
Thank you for taking the time to comment on this thread.
My goal is to limit maximum bandwidth usage to prevent WAN circuit congestion. I only have access to two devices: the CE and PE Cisco IOS 12 routers.
[Managed PE] <=congested interface=> [Managed CE] <=> LAN w/ 200+ users
Based on this 6500 UBRL Cisco document, you can simply match the subnet and it will track the flows per session (from what I understood). I tried that syntax, but instead of achieving the goal of limiting the ingress bandwidth per source IP, it limited the shared ingress bandwidth for the whole interface.
I also came across a thread here on supportforums where someone asked whether this can also be applied on an ASR router and not just on the Cisco Cat 6500, but the answer was no (posted 2012). Someone tried to ask for an update on that thread about a year ago, whether the limitation had already been patched, but there were no replies.
06-17-2016 07:15 PM
Hi
OK, I see your concern.
UBRL isn't supported, as far as I know, on the ASR1k platform.
Cisco platforms supporting UBRL:
Catalyst 6500 (Supervisor Engine 720)
Catalyst 4900M (Supervisor Engine V-10GE)
ASR 9000
I've done something like that on an ASR1k, but with an AAA server. I'm not sure you could do it without an AAA server, and I personally have never tested it that particular way before.
http://docwiki.cisco.com/wiki/Intelligent_Services_Gateway_(ISG)_--_Residential_Access_Using_DHCP_Sessions_Configuration_Example
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/asr1000/isg-xe-3s-asr1000-book/isg-subscr-svcs.html#GUID-3BCEDA89-4A80-489E-8599-0389AD292757
I don't know if you're a Cisco partner, but you can ask the Cisco partner help-line (a case has to be opened on the website). Otherwise you may ask your Cisco reseller.
I'm sorry I can't give you a better answer.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue