Configuring rate-limit in switch 6500

Good morning gentlemen
Consider a 6509E (supervisor 720 3B) switch with many interface VLANs configured, one of each related to each customer. Each interface VLAN had configured a rate-limit input and output configured representing the maximum bandwidth permitted for the customer.
I could configured that way using the old IOS s72033-ipservicesk9_wan-mz.122-18.SXF7.
Last weekend I had to upgrade that IOS to s72033-ipservicesk9_wan-mz.122-33.SXJ7. All rate-limits in VLAN interfaces disappeared, probably not supported in this new version.
Now, what's you recommendation to perform the same in this IOS version?...I only found the policy-map/service-policy way.
Follow my questions:
1 - "mls qos" is globally disabled. Should I configure globally or by interface VLAN?... Expected any impact?
I believe that only need "police" for QOS. No need for any other kind of QOS.
2 - Should I enable "mls qos vlan-based" for each physical layer 2 port connected to that switch related to each interface vlan with police?
Expected only one physical port (or port-channel) for each customer (and each VLAN) connected to a switch.
Thank you and regards
Christian

Interesting that I have just upgraded the IOS to the last version 12 release.
I think that for the reason that we are facing high CPU usage for "IP Input" process, something related to mls/cef is not tunned.
Anyone has any idea regarding the configuration presented?
Regards
Christian

Similar Messages

High cpu - Rate-limit cisco 6500

Hello,
my device is cisco 6509.
Explanation of the case:
Received to interface vlan (L3) 600M traffic (configured with Rate limit - 50 M).
Result :
1. 100 % cpu
2. the traffic was limited to 50M
How can I prevent High Cpu in this situation ?
Thanks.

I would suggest opening a case, or asking in a different forum. This form is for discussion about existing bugs for which a bugid has been identified.

Cisco switch 6500 configuration to support the DCM

hi all
If I need to connect DCM to 6500 I think in two model of configuration:
The first model:
ip multicast-routing
vlan 16
name DCM
exit
interface Vlan16
description *** DCM ***
ip address 10.16.0.1 255.255.0.0
Inter gi 1/1/1
description "TO DCM”
ip address 10.16.0.2 255.255.0.0
ip igmp version 3
ip igmp join-group 239.10.10.10
ip pim sparse-mode
Inter gi 2/1/1
description "TO DCM”
ip address 10.16.0.4 255.255.0.0
ip igmp version 3
ip igmp join-group 239.10.10.10
ip pim sparse-mode
The second model
ip multicast-routing
vlan 16
name DCM
exit
interface Vlan16
description *** DCM ***
ip address 10.16.0.1 255.255.0.0
ip igmp version 3
ip igmp join-group 239.10.10.10
ip pim sparse-mode
Inter gi 1/1/1
description "TO DCM”
switchport
switchport mode access
switchport access vlan 16
Inter gi 2/1/1
description "TO DCM”
switchport
switchport mode access
switchport access vlan 16
which one is the correct and what is the required other than these configuration ?
please advice
thanks in advance

Hi
Are you taking about cisco digital content manager .
Configuring IP address by your first model on your catalyst switch 6500 is not possible , On your second model check on your DCM whether you are able to assign same subnet IP address on your Gi interface .
Even I dont see you can assign same IP subnet to multiple GI interface , you need to go with multiple IP subnets for connectivity between DCM and your catalyst switch .
http://www.cisco.com/c/dam/en/us/td/docs/video/headend/DNCS/78-4003867-01_B.pdf
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/28745-44.html#qa15
Q. Can I configure two interfaces in the same subnet (t0 = 142.10.46.250/24 and t1 142.10.46.251/24)?
A. No. For the routing to work, each interface should be on a different subnet. However, if you are only bridging, and not doing IP routing, then you can configure the two interfaces on the same subnet.
HTH
Sandy

6500 hardware rate-limit drops

Hi,
I'm a bit new on 6509s - could anyone tell me how to show if any packets are dropped on a 6509 due to hardware rate-limiting such as
mls rate-limit layer2 pdu 1000 100
I've tried show mls rate-limit and sh mls rate-limit usage.
Hardware is sup720, software is 12.2(33)SXJ9
Thank you.

I've been doing some more digging and probably answered my own question in that I found a document which states:
"There are no counters associated with the special-cases hardware-based rate-limiters, and these mechanisms cannot be monitored."

WLC user rate limit on guest ssid anchor controller

Hi,
I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
Both the foreign and anchor controller are here at my location.
I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
Thanks guys!
Oh and here is my hardware & software levels.
5508wlc - forgeign
4402wlc - anchor
Software Version
7.0.230.0

Amjad,
Thank you for taking the time to respond as well as the document link.
It was pretty clear on the steps and what it would impact.
Two things that push me for a different solution (assuming their is one).
Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
#1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
The idea is to limit WAN utilization.
#2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
***One last question about this and any other changes***
Will any change I make be on the "Foreign, Anchor" or both Controllers?

Cisco SG300 VLAN rate-limit

I have a Cisco SG300 small business switch and 541 APs. There are 2 VLANs in our network. One must be limited by bandwidth. Does anyone have an idea for configure vlan rate-limiting on SG300? And please describe CIR & CBS for me. Thanks.

http://www.cisco.com/en/US/partner/products/ps10898/prod_command_reference_list.html
Cisco Small Business 300 Series Managed Switches Command Line Interface Guide Release 1.3
Select CIR and CBS according to your design. You can use a larger CBS when performance is not ideal.
49.23 rate-limit (VLAN)
Use the Layer 2 rate-limit (VLAN) Global Configuration mode command to limit the
incoming traffic rate for a VLAN. Use the no form of this command to disable the
rate limit.
Syntax
rate-limit vlan-id committed-rate committed-burst
no rate-limit vlan
Parameters
• vlan-id—Specifies the VLAN ID.
• committed-rate—Specifies the average traffic rate (CIR) in kbits per second
(kbps). (Range: 3-57982058)
• committed-burst—Specifies the maximum burst size (CBS) in bytes.
(Range: 3000-19173960)
Default Configuration
Rate limiting is disabled.
Committed-burst-bytes is 128K.
Command Mode
Global Configuration mode
User Guidelines
Traffic policing in a policy map takes precedence over VLAN rate limiting. If a
packet is subject to traffic policing in a policy map and is associated with a VLAN
that is rate limited, the packet is counted only in the traffic policing of the policy
map.
This command does not work in Layer 3 mode. It does not work in conjunction with
IP Source Guard.
Example
The following example limits the rate on VLAN 11 to 150000 kbps or the normal
burst size to 9600 bytes.
switchxxxxxx(config)# rate-limit 11 150000 9600

Wireless rate limit

Hi,
My network infrastructure as simple as following:
LAN(edge switches 3560).......>Aggregator switch(3750)........>Firewall(ASA 5510)........>Router.......>Internet
I define 3 wireless VLANs with 3 SSIDs on the Aggregator switch(3750):
1. one SSID for company employees.
2. one SSID for wireless IP phones.
3. one SSID for company guest which access only internet.
And the wireless APs connected to the LAN(edge switches) direct with trunks.
My question is how to apply a rate limit for SSID for company guest to access internet with B.W. of 128kbps only.
I tried policy map to be applied on the aggregator switch(3750) on the VLAN interface, but, it is not working.
So, any suggested help, please.

Hi Ahmed:
With autonomous APs, rate limiting isn't possible. All the autonomous APs support is QoS and that's pretty iffy. At the core of the issue, you're dealing with radio waves and which ones arrive at the radio first, and who was prevented from talking because someone else was talking. Dealing with these QoS and traffic shaping/policing issues are really tough with wireless because the transmission medium itself is unreliable.
The "Configuring QoS" chapter of the autonomous AP configuration guide
http://tools.cisco.com/squish/5aCf1
will show you how you can map priority tagging to an SSID so that in that path from radio receiver to outbound on the fastethernet interface toward the rest of the network, you can control which SSID's packets get up into the network first, but the reverse path is a different story. Because the wireless medium is half-duplex acknowledged, you can have a high priority packet out there on the radio interface trying to be beamed out to the client, and if the client isn't sending their ACK or what have you, it's going to sit and retry until its 63 retries are done before it gets out of the way to let the next high priority packet have a turn at getting transmitted out.
Once the traffic gets past the edge switch, the fact that it was at one time wireless is irrelevant. You should look at it as a general "rate limiting one VLAN's traffic over another" and check with the routing protocols or traffic shaping folks.
Sincerely,
Rollin Kibbe
Network Management Systems Team

Rate-Limit BRI

I was working with a co-worker who was seeing FTP choke the B channel when a remote router was on ISDN. Normally we use rate-limit on the frame-relay PVC's, which works great, but when I configured it on the BRI0/0/0 interface, I was not seeing hits on the ACL. Is rate-limit supported on BRI interfaces?

At this point we are back on the frame-relay connection, so show output wouldn't be helpful. Here's the interface config.
interface BRI0/0/0
description Circuit ID and Carrier
bandwidth 30
ip address x.x.x.x y.y.y.y
ip accounting output-packets
ip nat outside
ip virtual-reassembly
rate-limit output access-group 151 96000 12000 12000 conform-action transmit exceed-action drop
encapsulation ppp
no ip mroute-cache
dialer idle-timeout 300
dialer map ip x.x.x.x name name broadcast xxxxxxxxxxx
dialer map ip x.x.x.x name name broadcast xxxxxxxxxxxx
dialer load-threshold 4 outbound
dialer watch-group 8
dialer-group 1
isdn switch-type basic-ni
isdn point-to-point-setup
isdn spid1 xxxxxxxxxxxxxx xxxxxxx
isdn spid2 xxxxxxxxxxxxxx xxxxxxx
no cdp enable
ppp authentication chap
end

3750X rate-limit (QoS)

Hello,
I'm trying to configure a rate-limit in a 3750X but I'm not seeing any result...
These are my configurations:
RF#show run
Building configuration...
Current configuration : 23410 bytes
! Last configuration change at 08:53:35 UTC Sun Mar 14 1993
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname RF
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750x-48p
system mtu routing 1500
ip routing
ip domain-name erf.carco.com.mx
rep admin vlan 100
mls qos
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 2
vlan 4
vlan 6
vlan 8
vlan 10
vlan 20
vlan 21
vlan 22
vlan 23
vlan 25
vlan 26
vlan 30
vlan 50
vlan 53
vlan 70
vlan 81
vlan 91
vlan 92
vlan 93
vlan 95
vlan 96
vlan 99
vlan 100
vlan 102
vlan 110
vlan 122
vlan 129
vlan 200
vlan 213
vlan 227
vlan 333
vlan 357
vlan 417
vlan 444
vlan 500
vlan 502
vlan 555
vlan 700
vlan 712
vlan 910
vlan 911
vlan 951
vlan 1105
vlan 1508
vlan 1830
vlan 1870
vlan 1890
vlan 1891
vlan 1892
class-map match-any test
match access-group 100
policy-map test
class test
police 150000000 512000 exceed-action drop
interface Loopback0
ip address 10.20.40.106 255.255.255.0
interface Port-channel22
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
rep segment 10
interface Port-channel24
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
rep segment 10
interface FastEthernet0
no ip address
no ip route-cache
shutdown
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
no logging event link-status
shutdown
speed 1000
duplex full
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,8,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
speed 1000
duplex full
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
switchport access vlan 91
switchport mode access
logging event link-status
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface GigabitEthernet1/0/13
interface GigabitEthernet1/0/14
interface GigabitEthernet1/0/15
switchport access vlan 91
switchport mode access
logging event link-status
interface GigabitEthernet1/0/16
interface GigabitEthernet1/0/17
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
interface GigabitEthernet1/0/20
switchport access vlan 91
switchport mode access
logging event link-status
interface GigabitEthernet1/0/21
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/24
interface GigabitEthernet1/0/25
switchport access vlan 910
switchport mode access
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
interface GigabitEthernet1/0/29
interface GigabitEthernet1/0/30
interface GigabitEthernet1/0/31
interface GigabitEthernet1/0/32
interface GigabitEthernet1/0/33
interface GigabitEthernet1/0/34
interface GigabitEthernet1/0/35
interface GigabitEthernet1/0/36
interface GigabitEthernet1/0/37
no switchport
bandwidth 150000
ip address 10.20.103.13 255.255.255.252
rate-limit output access-group 100 24000000 3000000 3000000 conform-action transmit exceed-action drop
logging event link-status
interface GigabitEthernet1/0/38
interface GigabitEthernet1/0/39
interface GigabitEthernet1/0/40
interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/42
interface GigabitEthernet1/0/43
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
channel-group 24 mode on
interface GigabitEthernet1/0/44
interface GigabitEthernet1/0/45
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/0/46
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/0/47
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
channel-group 22 mode on
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 2,7,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
logging event link-status
shutdown
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/1/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
logging event link-status
shutdown
interface GigabitEthernet1/1/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
logging event link-status
shutdown
interface TenGigabitEthernet1/1/1
interface TenGigabitEthernet1/1/2
interface Vlan1
no ip address
shutdown
interface Vlan6
description ***LANERF**
ip address 10.20.6.106 255.255.255.0
no ip redirects
interface Vlan23
description < TRANSITO MUR >
no ip address
no ip redirects
interface Vlan100
description < VLAN MAN >
ip address 10.20.100.106 255.255.255.0
no ip redirects
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 032368342B2F0F
ip ospf dead-interval minimal hello-multiplier 4
router ospf 1
router-id 10.20.40.106
auto-cost reference-bandwidth 100000
area 0.0.0.0 authentication message-digest
area 1.80.1.1 authentication message-digest
redistribute connected subnets
redistribute static subnets
passive-interface default
no passive-interface Vlan23
no passive-interface Vlan100
no passive-interface GigabitEthernet1/0/37
network 10.20.6.0 0.0.0.0 area 0.0.0.0
network 10.20.40.106 0.0.0.0 area 0.0.0.0
network 10.20.91.6 0.0.0.0 area 0.0.0.0
network 10.20.100.106 0.0.0.0 area 0.0.0.0
default-information originate
ip http server
ip http secure-server
access-list 100 permit ip 10.50.80.0 0.0.0.255 10.80.80.0 0.0.0.255
access-list 100 permit ip 10.80.80.0 0.0.0.255 10.50.80.0 0.0.0.255
snmp-server community ASComRO RO
line con 0
line vty 0 4
login
line vty 5 15
login
event manager applet track_qos_down authorization bypass
event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Up->Down"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface giga1/0/37"
action 4 cli command "rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
action 5 cli command "end"
event manager applet track_qos_up authorization bypass
event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Down->Up"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface giga1/0/37"
action 4 cli command "no rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
action 5 cli command "end"
end
ERF#
ERF#show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled
ERF#show mls qos inter gigabitEthernet 1/0/37
GigabitEthernet1/0/37
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
When I apply the command I'm seeing a gauge using a 3rd party but I'm not seeing that the traffic will be truncated @ 50Mbps.
Any thoughts???

Hi
Bandwidth commands allocates the particular amount of bandwidth you mention or configure over there.
Basically you have the liberty to configure upto 75% of the available interface bandwidth to different classes.
most widelys used with CBWFQ technique..
so while configuring up the same better to watch out for the exact bandwidth value keyed in on the interface to have your alloocation work properly.
policing basically used for limiting the traffic or to control the bursts by dropping them or marking them with different ip precedence or DSCP values.
its very much similar to the rate-limit command applied on the interface level which again uses token bucket system either single or dual based on the configuration parameters.
for more info on above mentioned clis do check these links..
http://www.cisco.com/en/US/tech/tk543/tk545/tsd_technology_support_protocol_home.html
http://www.cisco.com/en/US/tech/tk543/tk544/tsd_technology_support_protocol_home.html
regds

ICMP unreacheble, rate-limit

Hi !
I'm currently working on projet of network hardening.
Based on Cisco security best pratice, I see it's recommand to rate limit genaration of ICMP unreachable message to prevent DoS attack. (according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
On Catalyst 6509 run IOS 12.2(17r)SX5 I see to possible way to rate-limit ICMP messages if mls QoS is running.
1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enable by default, according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
mls rate-limit unicast ip ICMP unreachable no-route 100 10
2- ip ICMP rate-limit unreachable <millisecond> (500 ms is default parameters, which permit 2 paquets per seconds, also enable by default if I'm base on : http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
Which one of those command have precedence over the other one ?
Which one is better over the other one ?
With the mls rate-limit option, we have the possibility to check default parameter with : "show mls rate-limit" command is exist equivalent for : "ip ICMP rate-limit unreachable"
We have also Catalyst 3550 switches, on which we have to rate-limit genaration of ICMP unreachable message for same reason as 6509. I understand the :"ip ICMP rate-limit unreachable" command is my only option "under "mls " the only option I have is QoS or aclmerge. Under thoses parameter I have no way to rate-limit ICMP message generation....
I have check in running-configuration I did not find any reference to ICMP rate-limit command, I hope this is active like explain in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section, (Version 12.2(44)SE3) but I would like to be able to confirm if any show command exist to confirm this.
thanks a lot !

Hello Marcus,
On the ASA as you are already aware we only have the choice of modifying the ICMP unreachable rate,
With the IOS the rate-limit for ICMP unreachable replies will be rate limited to one every 500ms
use:
show ip icmp rate-limit
Besides that I have not seen any other information that you could customize.
Regards

ICMP unreachable, rate-limit command

Hi !
I'm currently working on projet of network hardening.
Based on Cisco security best pratice, I see it's recommand to rate limit genaration of ICMP unreachable message to prevent DoS attack. (according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
On Catalyst 6509 run IOS 12.2(17r)SX5 I see to possible way to rate-limit ICMP messages if mls QoS is running.
1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enable by default, according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
mls rate-limit unicast ip ICMP unreachable no-route 100 10
2- ip ICMP rate-limit unreachable <millisecond> (500 ms is default parameters, which permit 2 paquets per seconds, also enable by default if I'm base on : http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
Which one of those command have precedence over the other one ?
Which one is better over the other one ?
With the mls rate-limit option, we have the possibility to check default parameter with : "show mls rate-limit" command is exist equivalent for : "ip ICMP rate-limit unreachable"
We have also Catalyst 3550 switches, on which we have to rate-limit genaration of ICMP unreachable message for same reason as 6509. I understand the :"ip ICMP rate-limit unreachable" command is my only option "under "mls " the only option I have is QoS or aclmerge. Under thoses parameter I have no way to rate-limit ICMP message generation....
I have check in running-configuration I did not find any reference to ICMP rate-limit command, I hope this is active like explain in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section, (Version 12.2(44)SE3) but I would like to be able to confirm if any show command exist to confirm this.
thanks a lot !

This is now showing up with running ssh over this tunnel. I can get the initial connection, but certain commands are not going through.

Rate Limit on the MPLS Tag interface

In MPLS Networks, we generally enable tag-switching IP and MTU (1526) configuration on the specific interface . Say if the above commands are applied in the 2 mb Lease Line Serial interface , How do i rate Limit to 64K ?
Can anyone provide me this info w.r.t the configuration?
Regards
Srikant

Generic rate-limiting should be possible. Here's a URL explaining how to configure this feature.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7ee1.html#1080850
Hope this helps,

Possible to rate limit console input?

I built a tool that allows us to input device information such as IP, VLAN, etc, etc and this tool builds the entire config file that can be pasted into a switch/router. The problem is that when I start getting down near the banner and motd sections, the console cannot keep up with the input and it drops lines of input.
Is there a way to rate limit the input when large configs are pasted into con 0?

I built a tool that allows us to input device information such as IP, VLAN, etc, etc and this tool builds the entire config file that can be pasted into a switch/router. The problem is that when I start getting down near the banner and motd sections, the console cannot keep up with the input and it drops lines of input.
Is there a way to rate limit the input when large configs are pasted into con 0?

Bandwidth Rate-Limit -w- WWR-Queue

How would one convert a layer-2 port's "switchport rate-limit" bandwidth statement, on a 6509 -w- WS-X6748-SFP ports, to a routed/layer-3 "wrr-queue" bandwidth statement policy? Basically trying to hard-core the port's speed to 20MB. Current/tested layer-2 port bandwidth setting:
rate-limit input 20000000 5000 5000 conform-action transmit exceed-action drop
rate-limit output 20000000 5000 5000 conform-action transmit exceed-action drop
Got lost in how to use/configure all WRR's four queues... just need to limit the port's bandwidth to 20MB. Any suggestions would be appreciated.
Thanks, Kevin

1) Enabled QoS globally...
2960(config)#mls qos
2) Configure an ACL to define the matched traffic...
2960(config)#access-list 111 permit ip any any
3) Configure a class map for the matched traffic...
2960(config)#class-map traffic
2960(config-cmap)#match access 111
4) Configure a policy-map to define action...
2960(config)#policy-map Control
2960(config-pmap)#class traffic
2960(config-pmap-c)#police 10000000 8000 exceed-action drop
5) Attached the policy-map to the interface.
a) Example
-In this case, I'll attach the policy map to port_1....
2960(config)#int fa0/1
2960(config-if)#service-policy input Control
>>>>>> This will rate-limit traffic coming from the PC

How to rate-limit different IP's entering/leaving an Interface?

Hi There,
We are an ISP and have an interconnect with say Provider A. Customers of ours use Provider A for layer 2 and us for Layer 3 (IP/Internet).
Customer #1 to #100 --- (10Mb) --> Provider A ---> ISP ---> Internet
We'd like to rate limit some customers to 2mb/sec (in/out) on our end because at present they have a 10mb/sec connection coming from Provider A.
The config we use to peer with Provider A is this:
interface GigabitEthernet0/1.120
description Interconnect with Provider A
bandwidth 400000
encapsulation dot1Q 120
ip address A.B.C.1 255.255.255.252
Customers of ours are simply routed out through this interface like so:
Customer #1:
ip route W.X.Y.Z. 255.255.255.255 A.B.C.2
Customer #2:
ip route J.K.L.M 255.255.255.255 A.B.C.2
Is there a way to rate limit both these customers without needing to create a separate class map for each like so:
class-map match-all CUSTOMER-1-2MB
match access-group name ACL-CUSTOMER-1
class-map match-all CUSTOMER-2-2MB
match access-group name ACL-CUSTOMER-2
policy-map POLICY-RATE-LIMIT
class CUSTOMER-1-2MB
police 2000000 375000 750000
class CUSTOMER-2-2MB
police 2000000 375000 750000
interface GigabitEthernet0/1.120
service-policy input POLICY-RATE-LIMIT
service-policy output POLICY-RATE-LIMIT
I've done this in the lab and I know it works, so Customer #1 ends up with 2mb/sec and Customer #2 gets 2mb/sec too.
But in production, I'm talking about 100's of customers which we simply route out of this interface. I can't imagine having to configure 100's of class maps and policy maps for each customer to rate limit them to 2mb/sec like in the config above.
Is there a better way to do this on the router???
Thanks.
Andy

Hi All,
Doing what Laurent suggested works great. We are able to rate-limit the desired customers by having a separate class-map for each customer that needs to be rate limited under the single policy-map.
But now we're finding that the CPU utilization has increased by 20% because of this.
We're pushing about 400M through this interface and rate limiting 7 customers on it.
Given the large traffic flow through this interface (400M), is it common to see an increase in CPU utilisation by 20%???
When we take the service-policy off the interface, sure enough the CPU drops by 20%.
Here's the MQC applied:
interface GigabitEthernet0/1.120
bandwidth 400000
encapsulation dot1Q 120
ip address 203.17.x.x 255.255.255.252
ip flow ingress
service-policy input RATE-LIMIT
service-policy output RATE-LIMIT
class-map match-all CLASS-TCS-200338
description Customer #1 rate limited to 4mb/sec
match access-group name ACL-TCS-200338
class-map match-all CLASS-TCS-200208
description Customer #2 rate limited to 2mb/sec
match access-group name ACL-TCS-200208
class-map match-all CLASS-TCS-205593
description Customer #3 rate limited to 3mb/sec
match access-group name ACL-TCS-205593
class-map match-all CLASS-TCS-205679
description Customer #4 rate limited to 4mb/sec
match access-group name ACL-TCS-205679
class-map match-all CLASS-TCS-200441
description Customer #5 rate limited to 4mb/sec
match access-group name ACL-TCS-200441
class-map match-all CLASS-TCS-200005
description Customer #6 rate limited to 2mb/sec
match access-group name ACL-TCS-200005
class-map match-all CLASS-TCS-205560
description Customer #7 rate limited to 4mb/sec
match access-group name ACL-TCS-205560
policy-map RATE-LIMIT
class CLASS-TCS-200005
police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop
class CLASS-TCS-200208
police 2000000 375000 750000 conform-action transmit exceed-action transmit violate-action drop
class CLASS-TCS-200441
police 4000000 750000 1500000 conform-action transmit exceed-action transmit violate-action drop
class CLASS-TCS-200338
police 4000000 750000 1500000 conform-action transmit exceed-action transmit violate-action drop
class CLASS-TCS-205679
police 4000000 750000 1500000 conform-action transmit exceed-action transmit violate-action drop
class CLASS-TCS-205560
police 4000000 750000 1500000 conform-action transmit exceed-action transmit violate-action drop
class CLASS-TCS-205593
police 3000000 562500 1125000 conform-action transmit exceed-action transmit violate-action drop
Is this the correct behaviour of applying the service-policy to the interface whereby the CPU increases by 20% or can the MQC be fine tuned to have less of an impact on the CPU?
Is the router just overloaded, taking into account it's only pushing about 400M? Should it be able to do more than this??
Thanks.
Andy

Configuring rate-limit in switch 6500

Similar Messages

Maybe you are looking for