Rate Limit traffic in Cisco 3560

Arshad Khan
Level 1

Hey all,

I am using a Cisco 3560 as a distribution switch and want to limit port 445 traffic to 1 MB. I applied a rate-limit statement on the Gi0/1 port, but the switch is unable to limit the said traffic.

Here below is my scenario.

access-list 120 permit tcp any any eq 445 log

access-list 120 permit tcp any eq 445 any log

Gi0/1

rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop

But it's not working. Kindly guide me on this issue, as it is very critical to me.

25 Replies

Latchum Naidu
VIP Alumni

Hi,

Why don't you apply the rate-limit or policy-map feature to the VLAN you want, the one to which Gi0/1 belongs?

See the two individual steps below; they may help in your scenario.


STEP-1:

Apply rate-limit on each L3 vlan interface in your 2851
Example (for 1024kbits for vlan 2):

Router# conf t
Router(config)# int vlan 2
Router(config-if)#rate-limit input 1000000 187500 375000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output 1000000 187500 375000 conform-action transmit exceed-action drop


STEP-2:

Police a specific VLAN number on a VLAN interface.

class-map vlan5
match vlan 5
match class-map class-default

policy-map vlan5-limit
class vlan5
police 2000000 250000 exceed-action drop

int vlan5
service-policy input vlan5-limit


After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.


Hope this will help you.


Please rate the helpful posts.
Regards,
Naidu.

Thanks for the reply.

I have around 64 VLANs on the distribution switch, and I also need to apply a rate limit on the core switch (3750), which does not carry any VLAN configuration.

Kindly provide the way to control this on 3560 and 3750 Gig ports (layer 3 ports).

Hi Arshad,

Why are you not using NBAR and MQC for the same?

Regards,

Smitesh

Hi,

Try this:
police 90000000 11250000 exceed-action drop
police 30000000 3750000 exceed-action drop

Please rate the helpful posts.
Regards,
Naidu.

Hey Naidu,

If I apply

police 90000000 11250000 exceed-action drop

police 30000000 3750000 exceed-action drop

on Gi0/1, how does it use the said access-list (access-list 120) to control port 445 traffic?

Regards,

Arshad Ahmed

Hi Smitesh,

Kindly guide me on how I can implement NBAR or MQC in the said scenario.

Regards,

Arshad Ahmed

Hi Arshad,

Make a class-map and have it match ip protocol.

Then make a policy-map and call that class-map.

Set the action you need to perform (in your case rate-limiting).

Apply the policy-map to the outgoing interface or the incoming interface, whichever is of interest to you.

Skeleton should look like below:

class-map match-all

match ip protocol

exit

policy-map

class

set

exit

interface

service-policy

exit

HTH,

Smitesh

Hi all,

I have reconfigured the switch with the following configuration to control port 445 traffic.

access-list 140 permit tcp any any eq 445 log

access-list 140 permit tcp any eq 445 any log

class-map test

match access-group 140

policy-map test

class test

police 1024000 128000 exceed-action drop

int gi0/1

service-policy output test

and then I get the following message:

"police command is not supported for this interface
The interface does not support the specified policy configuration and/or parameter values.
Warning: Assigning a policy map to the output side of an interface not supported"

Hi,

What is your IOS version and model of 3560?

Best regards,

Alex

EDIT: Maybe you will need to use SRR for egress traffic shaping.

Hi Alexander,

IOS Version: 12.2(50)SE3

Image: C3560-IPSERVICESK9-M

I don't know about SRR shaping, so kindly let me know about it, as I mentioned the configuration in my previous post.

Thanks and Regards,

Arshad Ahmed

Hi,

You can use your already created policy on ingress. Give it a try. Just change "output" to "input". Add it to the interface where this traffic originates, and to the ingress of the returning interface if you need it. This should work on ingress.

The idea behind SRR is to mark the packets with a certain CoS or DSCP. Then, using the selected marking, we determine which queue the marked traffic will use and give it a shaping percentage.

More information on SRR:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swqos.html

Best regards,

Alex
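Alex's ingress suggestion written out as a complete configuration (an added example, not posted by anyone in this thread). It reuses Arshad's ACL 140 and policy-map test with the log keyword removed, and assumes Gi0/1 is where client traffic enters and Gi0/2 (hypothetical) is the interface where the returning 445 traffic enters the switch.

```cisco
! Rejected by the 3560 (egress policing is not supported on this platform):
!   interface GigabitEthernet0/1
!    service-policy output test
!
! Policing on the 3560 only takes effect once QoS is globally enabled.
! Caveat: with mls qos on, ports are untrusted by default and incoming
! DSCP/CoS is rewritten to 0 unless "mls qos trust" is configured per port.
mls qos
!
! Both directions of TCP/445. No "log" keyword: a logged ACE cannot be
! used for QoS classification on this switch.
no access-list 140
access-list 140 permit tcp any any eq 445
access-list 140 permit tcp any eq 445 any
!
class-map match-all test
 match access-group 140
!
! Same values as the original post: 1024000 bps, 128000-byte burst.
policy-map test
 class test
  police 1024000 128000 exceed-action drop
!
! Apply on INGRESS of every interface where 445 traffic enters the switch.
interface GigabitEthernet0/1
 service-policy input test
!
interface GigabitEthernet0/2
 service-policy input test
!
! Verify that the policer is attached and that drops are being counted.
show mls qos interface gigabitEthernet 0/1 policers
show mls qos interface gigabitEthernet 0/1 statistics
```

Because each ingress policer is independent, client-to-server and server-to-client traffic are each limited to 1024000 bps rather than sharing one budget.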

Hi Alexander,

Thanks for your support. Can you please provide an alternate SRR queue configuration comparable to the configuration I provided above?

Thanks and Regards,

Arshad Ahmed

LiWenbin2008
Level 1

Hi Arshad Khan, your configuration has something wrong. Please remove the log tag from your access-list!

Because an access-list with log won't work in a switch. Log can only be used for route-control logging.

Hi Wenbin,

I already removed the log statement from the ACL; I put it here by mistake.

Regards,

Arshad Ahmed
