[2016] user-based rate limiting using MCQ

jump01414
Level 1

Is there a more concise way of configuring per-source-ip rate limiting?

I am trying to limit bandwidth usage for each user on a specific subnet.

I've looked in other threads but they seem to be inactive already so I hope it's not bad to create this new one.

I'm trying to do this solely on an IOS router (version 12.x)

ip access-list extended ubrl-2
 permit ip host 172.16.0.2 any
! Do this for n where n = [2-254]
ip access-list extended ubrl-n
 permit ip host 172.16.0.n any
class-map ubrl-2
 match access-group name ubrl-2
! Do the same for class-maps
class-map ubrl-n
 match access-group name ubrl-n
policy-map ubrl
 class ubrl-2
  police rate 15000 conform-action transmit exceed-action drop
 class ubrl-n
  police rate 15000 conform-action transmit exceed-action drop
interface [interface pointing to subnet]
 ip address 172.16.0.1 255.255.255.0
 service-policy input ubrl
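
The per-host template in the post above can be generated instead of typed out. This is an added example, not part of the original post or any Cisco tooling: the function name and the interface name `FastEthernet0/1` are assumptions, and the `police` line is reproduced exactly as posted.

```python
import ipaddress


def build_ubrl_config(subnet, gateway, interface, rate_bps=15000, policy="ubrl"):
    """Build one ACL, class-map and police class per host, as in the post.

    Returns (config_text, host_count). The router's own address is skipped.
    """
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")

    hosts = [h for h in net.hosts() if h != gw]
    acls, class_maps, policy_map = [], [], [f"policy-map {policy}"]
    for host in hosts:
        # Name objects by the host's offset in the subnet: 172.16.0.2 -> ubrl-2
        name = f"{policy}-{int(host) - int(net.network_address)}"
        acls += [f"ip access-list extended {name}",
                 f" permit ip host {host} any"]
        class_maps += [f"class-map {name}",
                       f" match access-group name {name}"]
        policy_map += [f" class {name}",
                       f"  police rate {rate_bps} conform-action transmit"
                       " exceed-action drop"]

    iface = [f"interface {interface}",
             f" ip address {gw} {net.netmask}",
             f" service-policy input {policy}"]
    text = "\n".join(acls + class_maps + policy_map + iface) + "\n"
    return text, len(hosts)


if __name__ == "__main__":
    # Constructed input matching the addresses used in the post.
    config, count = build_ubrl_config("172.16.0.0/24", "172.16.0.1",
                                      "FastEthernet0/1")  # assumed interface
    print(config)
    print(f"! generated {count} per-host classes")
```

The generated configuration is as long as the hand-written one; the script only removes the manual repetition. Whether a single policy-map accepts this many classes depends on the platform and release.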
3 Replies

Francesco Molino
VIP Alumni

Hi

I don't know what the final goal is, but on the wired side I did this 3 or 4 times for some customers for a specific use case (an Internet connection shared between some users in the same building, like a provider), and I created a standard policy by setting a common rate usable per session. The policy was pushed directly by a RADIUS server (using Cisco AV pair) because in my case every user had to authenticate.

Hope this helped.

There is some Cisco documentation for those specific cases (per-session QoS). Maybe look at it and you'll find a use case matching yours.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi supportlan,

Thank you for having the time to comment on this thread.

My goal is to limit maximum bandwidth usage to prevent WAN circuit congestion. I only have access to two devices: the CE and PE Cisco IOS 12 routers.

[Managed PE] <=congested interface=> [Managed CE] <=> LAN w/ 200+ users

Based on this 6500 UBRL Cisco document, you can simply match the subnet, and it will track the flows per session (from what I understood). I tried that syntax but instead of achieving the goal of limiting the ingress bandwidth per source IP, it limited the shared ingress bandwidth for the whole interface.

I also came across a thread here in supportforums about someone asking if this can also be applied on an ASR router and not just on the Cisco Cat 6500 but the answer found was no (posted 2012). There was someone who tried to ask for an update on that thread about a year ago, if the limitation has already been patched, but there had been no replies.

Hi

OK, I see your concern.

UBRL isn't supported, as far as I know, on the asr1k platform:

Cisco Platforms supporting UBRL –

Catalyst 6500 (Supervisor Engine 720)
Catalyst 4900M (Supervisor Engine V-10GE)
ASR 9000

I've done something like that on asr1k but with an AAA server. I'm not sure that you could do that without an AAA server, and I have personally never tested it in that particular way before.

http://docwiki.cisco.com/wiki/Intelligent_Services_Gateway_(ISG)_--_Residential_Access_Using_DHCP_Sessions_Configuration_Example

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/asr1000/isg-xe-3s-asr1000-book/isg-subscr-svcs.html#GUID-3BCEDA89-4A80-489E-8599-0389AD292757

I don't know if you're a Cisco partner, but you can ask the Cisco partner help-line (case to be opened on the website). Otherwise you may ask your Cisco reseller.

I'm sorry to not give you a better answer.

thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco