Bandwidth rate-limiting on 3550-12T, G and 48 switches

Similar Messages

• Pull DPs and rate limiting.

  Hi,
  I have a 2012 SP1 environment and 77 sites globally. These sites vary from 34Mb to 1Mb links, and use rate limiting. I want to implement Pull DPs to help distribution issues but am up against the rate limiting issue. I cant configure these remote sites to
  use a more local site and keep their control over how much bandwidth they use, and so wondered how other people got around this issue?
  I currently have a star network, but want to make 5 of the larger bandwidth sites be source locations for content too.
  Thanks
  Kim 

  Hi,
  For Pull DP's you can restrict the bandwidth that is used by BITS on the Pull DP. It is covered here as well:http://blogs.technet.com/b/configmgrteam/archive/2013/06/06/introducing-the-pull-distribution-points.aspx
  You can use either the admin console or a group policy for instance.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• We got a new Apple TV for Christmas and it works wonderful. However, my question is this. We are on a satelitte internet system and our bandwidth is limited. Can anyone tell me what effect it will have on using up my 10 megs of bandwidth?

  We got a new Apple TV for Christmas and it works wonderful. However, my question is this. We are on a satelitte internet system and our bandwidth is limited. Can anyone tell me what effect it will have on using up my 10 megs of bandwidth? If I run over the 10 mgs, the service either slows way down until it is reset on the first of the next month or I have to purchase additional bandwidth and it can get expensive.
  Any information would be greatly appreciated.

  If you only have a 10MB limit on the Internet connection you might as well not have Internet access and certainly should not attempt to stream anything.
  If the limit is 10GB, then you will need to be careful with streaming as most video is 1-3GB for a one hour show.

• Cisco firewall rate limited syslogs and MARS

  We're getting a ton of informational packets (tcp build / teardown) from firewalls here.  I can kill this at the source (drop to "notification" level, filter out the build / teardown events, etc.) but would rather not throw this stuff away (good clues in an investigation).
  I can filter this on the MARS side so rules don't fire, but that doesn't address the performance hit at the firewall, or the traffic on the network.
  I can rate limit at the firewall - if I do will MARS be able to parse this out properly - i.e if there's a rule that fires on a 100 count for example, and a firewall that's set to rate limit a certain event to, say, every 200 instances of the event, and single syslog shows up at MARS with rate limited information in the packet, will the MARS rule fire?
  hope this makes sense - thanks

  What kind of firewall are you running?  ASA?  FWSM?  Something else?
  If you're running an ASA, the ideal solution would be to implement Netflow Secure Event Logging (NSEL).  This feature uses Netflow v9 to handle security event logging along with traffic flow data.  Using NSEL can provide performance improvements over syslog, both on the ASA, and on your network. 
  Part of the configuration process includes a command to disable the redundant syslog types already handled by NSEL.  Many of those are the same types of logs you mentioned (buildups/teardowns, etc).  It's very simple to configure - you can read more about it here, in the ASA 8.2 CLI Configuration Guide:
  Configuring Network Secure Event Logging (NSEL)
  If you're running a FWSM, the same option isn't available.  Instead, you might want to reconsider disabling some of the log types that aren't really providing much benefit relative to the load.  In fact, Cisco themselves recommend disabling some of the more unimportant (but frequent) log types.
  From the "Cisco SIEM Deployment Guide", one of the "Smart Business Architecture" design guides (emphasis mine):
  At logging level Informational, Cisco recommends disabling the following messages, as they are of little interest for SIEM analysis:     305010: The address translation slot was deleted     305011: A TCP, UDP, or ICMP address translation slot was created     305012: The address translation slot was deletedTo disable these messages, use the following configuration commands:     no logging message 305010     no logging message 305011     no logging message 305012For more aggressive tuning, you may also consider disabling the following messages:     302014: A TCP connection between two hosts was deleted     302016: A UDP connection slot between two hosts was deletedIf dynamic Network Address Translation (NAT) is not configured on the appliance, message 302013 (for TCP connection slot creation) can also be disabled.
  So, that's at least 6 possible log types that can be disabled with no impact: 302013, 302014, 302016, 305010, 305011, and 305012.  And that's straight from Cisco's own documentation.
  Now, to expand on that ...
  - if 302016 (UDP teardown) can be disabled, why not 302015 (UDP create)?
  - similarly, what about 302020 and 302021 (ICMP)? Disable those as well?
  Final list:
  302013
  302014
  302015
  302016
  302020
  302021
  305010
  305011
  305012
  In the end, though, only you can determine which options are acceptable for your environment.
  Note: all 3020xx log types listed are disabled automatically during the NSEL configuration process.

• 702W Access Point and Bi-Directional Rate Limiting

  Has anyone checked whether BDRL (Bi-Directional Rate Limiting) is supported on relatively new 702W APs.
  I need it to work in FlexConnect mode.
  Thanks,
  Nick

  It is not supported,
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113682-bdr-limit-guide-00.html

• 7609 RSP vlan based internet bandwidth rate limit

  Hi,
  I have a requirements to restrict the bandwidth for CORP internet users in our metro network, Could you check this template is good to go for to restrict the download and upload speed in Users WAN interface which is VLAN, my bandwidth limitations is 5  Mbps downlink and 5 Mbps uplink.
  class-map match-all corp_traffic1
    match access-group name corp_traffic
  policy-map CORP_ingress
    class corp_traffic1
      police 5000000 500000 conform-action transmit exceed-action drop
  ip access-list extended corp_traffic
  permit ip 172.25.5.0 0.0.0.255 any
  permit ip any 172.25.5.0 0.0.0.255
  Interface vl 351
  service-policy input CORP_ingress
  service-policy output CORP_ingress
  Thanks&Regards
  -Saji

  Riccardo,
  Thank you for your response..
  I have RSP as SUP and ES20 as uplink card..
  but I have clarfication...Is service policy input is realy required...
  It seems input position is not working from this below logs..It is not matching the same
  ABR#sh policy-map interface vlan 3xx
    Service-policy input: CORP_ingress
      class-map: corp_traffic1 (match-all)
        Match: access-group name corp_traffic
        police :
          5000000 bps 156000 limit 156000 extended limit
        Earl in slot 1 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
        Earl in slot 2 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
        Earl in slot 3 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
        Earl in slot 5 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
      Class-map: class-default (match-any)
        0 packets, 0 bytes
        5 minute offered rate 0000 bps, drop rate 0000 bps
        Match: any
          0 packets, 0 bytes
          5 minute rate 0 bps
    Service-policy output: CORP_ingress
      class-map: corp_traffic1 (match-all)
        Match: access-group name corp_traffic
        police :
          5000000 bps 156000 limit 156000 extended limit
        Earl in slot 1 :
          3739884 bytes
          5 minute offered rate 20576 bps
          aggregate-forwarded 3739884 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 17464 bps exceed 0 bps
        Earl in slot 2 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
        Earl in slot 3 :
          105048931 bytes
          5 minute offered rate 539032 bps
          aggregate-forwarded 105048931 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 545760 bps exceed 0 bps
        Earl in slot 5 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
  I will post more update on this...as I am waiting for the clients to test the same..

• WLC - Rate-limiting with QoS Roles

  We have a large number of locations that we would like to deploy the 2100 series wireless controllers. Among other things, we would like to provide generic rate-limiting to all users(per-user bandwidth limits). This is a hospitality guest access environment and content filtering is really not a concern. We would, however, like to prevent one or a few users from saturating the circuit at the expense of other users. It looks like the WLCs can handle this with a QoS Profile assigned to the guest wlan and bandwidth-limiting QoS Roles applied to each user. The issue we may run into is web-authentication needs to be disabled. There is another device on these locations that will be providing those services.
  Is it possible to apply a QoS Role by default to all users who associate to a controller without authentication? Also, if anyone has attempted this design model I would greatly appreciate some input on any unexpected or undesirable results you may have noticed.
  I appreciate everyones help.

  Thanks so much for such a quick response. I may be misunderstanding some of the documentation and would really appreciate some clarity. I am understanding a QoS Profile to be applied to one or more WLANs and all user traffic from clients of those WLANs will fall under the qos policy as a group(bandwidth limitations would be applied to all of the user traffic combined). For example, a profile capping downstream bandwidth at 1544kbps would limit all user traffic from all of the clients associated to that ssid at 1544kbps. If we were to assume some degree of fair bandwidth distribution and there are 10 users receiving traffic at a given time, then each user would receive no more than 154.4kbps. Or, are QoS Profiles actual templates that are applied to each user that associates to that ssid? For instance, if we consider a profile capping 1544kbps downstream applied to a WLAN with 10 users associated. Each user would be able to download up to 1544kbps and the full bandwidth usage for that WLAN would be 15440kbps.
  Thanks again for your help.

• Rate Limiting - Will Content Engine 590 solve my problem?

  We have a Cache Engine 550 deployed in our network which is great for reducing traffic on the Link to the Internet, however I have now run into a little problem with the device as we are now trying to implement Bandwidth Shaping using the existing Cisco infrastructure and thus the Cisco IOS.
  One of the IOS features concerned is Committed Access Rate (CAR).
  We would like to do some traffic shaping according to certain IP Protocols such as FTP, HTTP as well as rate limiting certain of our customers (IP Blocks) so that they don’t saturate the Serial link to our ISP.
  The problem we have is that the Cache Engine 550 replaces the original requestors IP with its own as it (the CE) now takes over as the requestor to the Internet – thus we have all HTTP traffic via our ISP having the source as that of the Cache Engine.
  Due to this we cannot “Rate-Limit” a particular customer (IP range).
  Question-------
  Does the Content Engine 590 (ACNS, ICDN) enable me to complete my task and control the Serial connection the way I would like to?
  Can I do a sort of “IP Spoofing” so that the original IP is still in place, but the Content Engine still does its job of Caching?
  I have already looked at the Packeteer – unfortunately it only has Ethernet ports.
  The WiseWan 401 with HSSI port looked promising, but I feel that even though it will do great shaping and graphs it will still not solve the problem of a saturated link upstream to the ISP (from the boxes point of view), I will still sit with packets being dropped and thus bandwidth wasted.
  Anyone out there with any other solution?
  Thanks in advance.
  Lutz.

  Hi,
  We have just implemented IP spoofing in version 4.2 of ACNS code. (Caching) which will only run on a 590/560/507/7320 cache.
  Version 4.2 sould be available at the end of July early August. This will slove you problem with identifing traffic to rate limit.
  Cheers
  Phil

• Wireless Rate Limiting via Radius

  We have a setup as 1 SSID in air , authentication via LDAP
  One user login as aaa  to VLAN 51
  other user login as bbb to VLAN 52
  I want to setup different rate limiters for those users.As i know thera are 2 methods of rate limiting available in WLC
  a)per User in the same SSID
  b)per SSID for any user
  In this case there is only one WLAN so we cant use b , as i dont want all users to get same bandwidth contract rate limiting method a isnt useful for us.Because i want to seperate employee / guest / admin bandwidth limits.
  How can i overcome of this case ?

  For the first question  ;
  What do you mean with "maybe depends on your equipment" ?
  For the second question ;
  Sorry it has to be "VLAN" assignment , and i have found the solution.
  As i read
  IETF 64 (Tunnel Type)—Set this to VLAN.
  IETF 65 (Tunnel Medium Type)—Set this to 802
  IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
  Three types of attribute has to be returned from ldap server.All three of these has to be returned or just Private group id is enough ?

• Creating a Ring with Ethernet?? Rate Limiting

  This is a two question topic. I am in an office building and I want to provide ISP services to people throughout the building. I have 5 2900XL switches with fiber gigabit ports for uplinking to each other. I will put one switch in each floor for clients to plug into, and run fiber from floor to floor.
  Using the equiptment I have (i.e. -- not special SONET equiptment or anything), how can I create a redudant ring so that if the fiber is broken traffic will flow in the other direction? I know SONET will do this, but I don't want to buy special equiptment for that.
  Also, please remember this will need to be at layer-2 since these are only layer-2 switches, so using dynamic routing to handle the redudancy is not an option.
  Finally, each client will be put in their own VLAN. How can I rate limit the outbound traffic? For example, I may want to sell a 6Mbps service and charge more for it than a 3Mbps service.
  Is there any way I can use what I have to do what I need? If not, what additional equiptment do I need to buy?

  Hi,
  You can certainly daisy chain them into a ring type topology, and Spanning Tree Protocol will block one of the redundant links to prevent a loop.
  A better, (but more costly design) would be to have two additional switches and dual home all of the 2900xl switches to the "core switches." That will give you redundancy as well as keeping traffic flow such that the 2900 switches aren't used as "transit" switches for devices communicating between non-contiguous switches. However, for 5 switches, this may be overkill :-)
  As for rate limiting, the 2900XL series switches do not provide rate-limiting or policing features. They are fairly dumb Layer 2 devices and will not give you the option to limit the bandwidth on any port. The lowest-end switch that we currently sell that can do rate-limiting is the 2960.
  HTH,
  Bobby
  *Please rate helpful posts.

• Per user bandwidth rate limit.

                     How to configure per user bandwidth rate limit for wireless guest client, authentication server is ISE 1.2 & wireless controller is 5760.

  The Cisco 5760 WLC supports better QoS than other c
  ontrollers, allowing prioritization of mission-crit
  ical
  applications:
  ●
  The Cisco 5760 WLC supports four wireless hardware
  queues and priority-based queuing compared to
  software-based queuing in existing controllers.
  ●
  The Cisco 5760 WLC follows MQC based commands, allo
  wing usage of exact commands for configuring
  QoS on different types of network devices.
  ●
  The Cisco 5760 WLC supports QoS policies to be appl
  ied in a hierarchical fashion with more granularity
  per SSID per radio, while on the current controller
  s granularity is per WLAN.
  ●
  The Cisco 5760 WLC supports approximate fair bandwi
  dth to make sure of fairness at client, SSID, and
  radio levels for Non-Real Time (NRT) traffic. There
  fore, if one user consumes excessive bandwidth, we
  can
  limit the amount of bandwidth that user receives an
  d thereby not deprive other users.

• Rate limiting on Catalyst 2950T switches

  Hi,
  I would like to allow some users full access to internal servers, but only provide them with 2 Mbps access to the Internet. As far as I understand I cannot use the deny statement when defining the access-list for the class-map and therefore I am asking for your help. (The config below work well for rate-limiting all traffic, but I would need full access for traffic matching access-list 111):
  access-list 111 remark [ Traffic not to be rate limited ]
  access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
  access-list 112 remark [ Traffic to be rate limited ]
  access-list 112 permit ip 10.0.0.0 0.255.255.255 any
  class-map match-all Internet-Class
  match access-group 112
  policy-map Internet
  description [ Rate limit Internet access ]
  class Internet-Class
  police 2000000 65536 exceed-action drop
  interface FastEthernet0/1
  service-policy input Internet
  interface FastEthernet0/24
  service-policy input Internet
  Any help would be very appreciated!
  Regards,
  Harald

  Thanks again for the reply!
  My "working" configuration is as follows:
  access-list 111 remark [ Traffic not to be rate limited ]
  access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
  access-list 112 remark [ Traffic to be rate limited ]
  access-list 112 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
  class-map match-all Local-Class
  match access-group 111
  class-map match-all Internet-Class
  match access-group 112
  policy-map Internet-Policy
  description [ Rate limit Internet access ]
  class Internet-Class
  police 2000000 65536 exceed-action drop
  class Local-Class
  police 98000000 65536
  interface FastEthernet0/1
  description [ Local LAN facing interface ]
  service-policy input Internet-Policy
  interface FastEthernet0/24
  description [ Internet facing interface ]
  service-policy input Internet-Policy
  However, I would like to change "172.16.0.0 0.0.255.255" in access-list 112 to "any" since it should apply to all Internet traffic. If I try to do that I get the mask error I previously mentioned.
  Regards,
  Harald

• Policy-map based rate-limiting per vlan

  Hi
  I was thinking if someone could help me to come up with solution to a problem. Scenario as follow:
  I have a trunk interface with multiple vlans on:
  interface GigabitEthernet2/0/3
  description TRUNK-to-*********
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 415,416,610,1191-1193,1195
  switchport mode trunk
  duplex full
  storm-control broadcast level pps 1k
  storm-control multicast level pps 3k
  storm-control unicast level pps 250k
  storm-control action trap
  spanning-tree portfast trunk
  spanning-tree bpdufilter enable
  I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.
  So I'm putting the class-map (to be later applied under the policy-map which is not significant here):
  (config)#class-map match-any 120-mbps-class
  (config-cmap)#match input-interface vlan 415
  (config-cmap)#match input-interface vlan 1192
  Now, when you show the class-map I created, I can see this:
  sh class-map 120-mbps-class
  Class Map match-any 120-mbps-class (id 1)
     Match input-interface  Vlan415
     Match input-interface  FastEthernet0
  For some bizzare reason class-map is matching the Fa0. I have researched this, and this is most probably because you can only match 1 vlan instance under the class-map.
  And here's my problem - I can't police whole interface as the other vlans should not be policed - how can I police those two vlans ?
  Any thoughts ? All help appreciated as always.
  Rob.

  Hi Daniel,
  I have labed it and unfortuantely it does not work as expected. I have put 1x 3750 and 1x 2960 trunk between them, each box had an access port for laptop to create some traffic across. All vlan-based qos has been applied on 3750G.
  3750G config
  Interface g1/0/20
  descriprion trunk
  swicthport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 100,120
  Interface g1/0/1
  description access
  switchport mode access
  switchport access vlan 100
  Interface vlan 100
  ip address 192.168.100.254
  service-policy input PARENT-POLICER
  Interface vlan 120
  ip address 10.10.10.1
  Policy-map PARENT-POLICER
  class PERMIT-ANY-CLASS
  trust COS
  service-policy CHILD-POLICER
  class-map match-any PERMIT-ANY-CLASS
  match access-group name POLICY-LIST
  Extended IP access list POLICY-LIST
      10 permit ip any any
  Policy-map CHILD-POLICER
  class INTERFACE-POLICE-CLASS
    police 100000 8000 exceed-action drop
  Class Map match-any INTERFACE-POLICE-CLASS
  Match input-interface  GigabitEthernet1/0/20
  2960 config:
  interface g0/20
  switchport mode trunk
  switchport trunk allowed vlan 100,120
  interface g0/1
  switchport mode access
  switchport access vlan 100
  interface vlan 100
  ip address 192.168.100.253
  interface vlan 120
  ip address 10.10.10.2
  So as you can see vlan 100 is the one it need to be rate limited (I have only rate limited to 100kbps just to see if it's working) and vlan 120 is only on the trunk ports to confirm if the traffic  for this one is not affected.
  Unfortunately when the policing is applied on 3750 vlan 100 (and policing is working fine) then I can see the packet loss while pinging between switches on vlan 120 suggesting that the policy is affecting the other vlan as well. When I take the policy out of the vlan 100 I cannot observe the packet loss on vlan 120 meaning is no longer affected.
  Not sure if I have explained this clear enough so far, if not let me know.
  Do you have any suggestions ?
  Thanks!

• EMAIL RATE LIMITATION error msg

  I sent an email to my sis [whom I email on a regular basis] and 3 days later it came back undelivered with the following message:
  Temporary error returned by SMTP partner.
  smtp;421 RP-001 The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit allowed.
  Reason for rate limitation is related to IP/domain reputation problems.
  Does this mean I might have a virus that's using my email client to spam other people? What does it mean?

  A valid email address should have the form "[email protected]" with only one "@" character and no spaces.

• Major bug in SMTP rate-limiting implementation

  I use my home computer to, among other things, host a mailing-list for a fan-club of a contemporary Russian poet. The total list of subscribers is about 40 people and messages are, on average, rare.
  However, when a discussion picks up, the number of e-mails can briefly spike easily exceeding Verizon's "you must be spamming" threshold. Imagine: one person asks a question and two others respond. Both the question and the responses get sent to the list, so that's 3x40=120 e-mails. If the discussion gets any longer, the e-mail account gets suspended for several days for exceeding the quota...
  I understand, why Verizon rate-limits the outgoing e-mail sending and don't object to it in principle. However, the current implementation has a major flaw. When the threshold is exceeded, instead of blocking all subsequent messages with a permanent error (5xx in SMTP-speak), the server ought to issue a temporary failure (4xx in SMTP-speak).
  This would block any spam-bots just as effectively, but allow legitimate messages to be properly queued by the sender's computers for resending. The 5xx code signals a permanent error so instead of being queued, the innocent message is suddenly bounced.
  A friend of mine is an RCN-subscriber and we know, that RCN implements rate-limiting exactly this way: if you are sending "too much", your messages will start being temporarily rejected for a while.
  Solved!
  Go to Solution.

  Anthony, this is not a "disagreement" -- I'm pointing out a bug. The bug manifested itself with the following two problems:
  Although none of the e-mails sent by my computer were spam, I was "identified" as a spammer and my access to SMTP was suspended for days. For no good reason.
  Even if it were possible to appeal such automatic verdict (and I did try to talk to a customer support representative), permanent rejections in the case of a temporary error are wrong -- and in violation of SMTP specifications.
  I did post the same text under the "New Ideas", but I don't think, "new idea" is the good place for this. I'm not suggesting a new service, but demanding a fix to the existing one.