ICMP unreachable, rate-limit command

Hi !
I'm currently working on projet of network hardening.
Based on Cisco security best pratice, I see it's recommand to rate limit genaration of ICMP unreachable message to prevent DoS attack. (according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
On Catalyst 6509 run IOS 12.2(17r)SX5 I see to possible way to rate-limit ICMP messages if mls QoS is running.
1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enable by default, according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
mls rate-limit unicast ip ICMP unreachable no-route 100 10
2- ip ICMP rate-limit unreachable <millisecond> (500 ms is default parameters, which permit 2 paquets per seconds, also enable by default if I'm base on : http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
Which one of those command have precedence over the other one ?
Which one is better over the other one ?
With the mls rate-limit option, we have the possibility to check default parameter with : "show mls rate-limit" command is exist equivalent for : "ip ICMP rate-limit unreachable"
We have also Catalyst 3550 switches, on which we have to rate-limit genaration of ICMP unreachable message for same reason as 6509. I understand the :"ip ICMP rate-limit unreachable" command is my only option "under "mls " the only option I have is QoS or aclmerge. Under thoses parameter I have no way to rate-limit ICMP message generation....
I have check in running-configuration I did not find any reference to ICMP rate-limit command, I hope this is active like explain in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section, (Version 12.2(44)SE3) but I would like to be able to confirm if any show command exist to confirm this.
thanks a lot !

This is now showing up with running ssh over this tunnel. I can get the initial connection, but certain commands are not going through.

Similar Messages

  • ICMP unreacheble, rate-limit

    Hi !
    I'm currently working on projet of network hardening.
    Based on Cisco security best pratice, I see it's recommand to rate limit genaration of ICMP unreachable message to prevent DoS attack. (according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
    On Catalyst 6509 run IOS 12.2(17r)SX5 I see to possible way to rate-limit ICMP messages if mls QoS is running.
    1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enable by default, according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
    mls rate-limit unicast ip ICMP unreachable no-route 100 10
    2- ip ICMP rate-limit unreachable <millisecond> (500 ms is default parameters, which permit 2 paquets per seconds, also enable by default if I'm base on : http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
    Which one of those command have precedence over the other one ?
    Which one is better over the other one ?
    With the mls rate-limit option, we have the possibility to check default parameter with : "show mls rate-limit" command is exist equivalent for : "ip ICMP rate-limit unreachable"
    We have also Catalyst 3550 switches, on which we have to rate-limit genaration of ICMP unreachable message for same reason as 6509. I understand the :"ip ICMP rate-limit unreachable" command is my only option "under "mls " the only option I have is QoS or aclmerge. Under thoses parameter I have no way to rate-limit ICMP message generation....
    I have check in running-configuration I did not find any reference to ICMP rate-limit command, I hope this is active like explain in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section, (Version 12.2(44)SE3) but I would like to be able to confirm if any show command exist to confirm this.
    thanks a lot !

    Hello Marcus,
    On the ASA as you are already aware we only have the choice of modifying the ICMP unreachable rate,
    With the IOS the rate-limit for ICMP unreachable replies  will be rate limited to one every 500ms
    use:
    show ip icmp rate-limit
    Besides that I have not seen any other information that you could customize.
    Regards

  • Rate-limit command interpretation

    I am not sure this is in the right area or not but I hope it is.  I have the following rate-limit command on my cisco 7206 router Gi subinterface:
    rate-limit input 30000000 5625000 11250000 conform-action transmit exceed-action drop
    rate-limit output 30000000 5625000 11250000 conform-action transmit exceed-action drop
    Does this mean I am rate-limiting this interface at 3Mb or 30 Mb?
    Thank you

    I am not sure this is in the
    right area or not but I hope it is.  I have the following rate-limit
    command on my cisco 7206 router Gi subinterface: rate-limit input 30000000 5625000 11250000 conform-action transmit exceed-action drop
    rate-limit output 30000000 5625000 11250000 conform-action transmit exceed-action dropDoes this mean I am rate-limiting this interface at 3Mb or 30 Mb?Thank you
    This will presumably limit the interface to 30 Mbits/sec
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Rate-limit command brief explanation

    Hi,
    There is this rate-limit command in our company's router.
    rate-limit input access-group 127 1000000 187500 187500 conform-action transmit exceed-action drop
    I know that the access-group part refers to an access list
    conform action transmit means that packets will be transmitted
    exceed-action drop means that if it exceed the values listed packets will be dropped.
    What i dont understand is the logic behind the numbers 1000000 187500 187500. It would be very helpful if someone could explain it briefly, i am having a hard time understanding the cisco docs regarding this command.
    thanks.

    Hi @seaweeds24,
    Those numbers are "average rate" "normal burts size" "excess burst size", respectively.
    Average rate determines the long-term average transmission rate. Traffic that falls into this rate will always conform
    Normal burst size determines how large traffic bursts can be before some traffic exceeds the rate limit
    Excess burst size determines how larget traffic bursts can be before ALL traffic exceeds the rate limit. 
    Traffic that falls between the Normal Burst size and the Exces Burst size exceeds the rate limit with a probability that increases as the burst size increases.
    HTH.
    Rgrds,
    Martin, IT Specialist

  • Rate-limit command 3560 does it exist?

    I have just come across a command in my router IOS which might be useful too me. I was wondering if the following command is available on a 3560 Switch. I don't see it on my 3550 but the IOS is quite old. I don't have a 3560 avaiable currently to check.
    Config t > int vlan x > rate-limit input/output
    does this exist on the 3560? I am also interest if it does in the Bits per second range and if available input/output.
    Thanks for any help

    Hello,
    what kind of feature are you looking for?
    CAR?
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a0080087f26.html#wp1037428
    For command list check the following link:
    Catalyst 3560 Switch Command Reference, Rel. 12.2(25)SEE
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/cr/index.htm
    For QOS configs:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm
    If you need to rate limit traffic on an interface check:
    Limiting the Bandwidth on an Egress Interface
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm#wp1253412
    Hope this help a bit,
    if it does, please rate this post.
    Vlad

  • Can I rate-limit on the sub-interface in cisco asr 1013?

    Hi,
    I am looking for the command of rate-limit on a sub-interface in cisco asr 1013.
    Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S, RELEASE SOFTWARE (fc1)
    IOS XE Version: 03.06.00.S
    Please let me know if it is possible in cisco asr 1013. If yes then what are the commands.
    Zobair

    The ASR no longer supports the rate-limit command, but it does support the same functionality in a QoS policy.
    Please find a sample configuration -
    ASR1004(config)#policy-map test
    ASR1004(config-pmap)#class class-default
    ASR1004(config-pmap-c)#shape average 10000
    Applying for both ingress and egress : -
    ASR1004(config)#int gig1/1/0
    ASR1004(config-if)#service-policy output test   
    or
    ASR1004(config-if)#service-policy input test

  • 3750X rate-limit (QoS)

    Hello,
    I'm trying to configure a rate-limit in a 3750X but I'm not seeing any result... 
    These are my configurations:
    RF#show run 
    Building configuration...
    Current configuration : 23410 bytes
    ! Last configuration change at 08:53:35 UTC Sun Mar 14 1993
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname RF
    boot-start-marker
    boot-end-marker
    no aaa new-model
    switch 1 provision ws-c3750x-48p
    system mtu routing 1500
    ip routing
    ip domain-name erf.carco.com.mx
    rep admin vlan 100
    mls qos
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 2
    vlan 4 
    vlan 6
    vlan 8
    vlan 10
    vlan 20
    vlan 21   
    vlan 22
    vlan 23
    vlan 25 
    vlan 26
    vlan 30
    vlan 50
    vlan 53
    vlan 70
    vlan 81
    vlan 91
    vlan 92
    vlan 93
    vlan 95
    vlan 96
    vlan 99
    vlan 100
    vlan 102
    vlan 110
    vlan 122
    vlan 129
    vlan 200
    vlan 213
    vlan 227
    vlan 333
    vlan 357
    vlan 417
    vlan 444
    vlan 500
    vlan 502
    vlan 555
    vlan 700
    vlan 712
    vlan 910
    vlan 911
    vlan 951
    vlan 1105
    vlan 1508
    vlan 1830
    vlan 1870
    vlan 1890
    vlan 1891
    vlan 1892
    class-map match-any test
      match access-group 100
    policy-map test
     class test
      police 150000000 512000 exceed-action drop
    interface Loopback0
     ip address 10.20.40.106 255.255.255.0
    interface Port-channel22
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     rep segment 10
    interface Port-channel24
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     rep segment 10
    interface FastEthernet0
     no ip address
     no ip route-cache
     shutdown
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/2
    interface GigabitEthernet1/0/3
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     no logging event link-status
     shutdown
     speed 1000
     duplex full
    interface GigabitEthernet1/0/4
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,8,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
     speed 1000
     duplex full
    interface GigabitEthernet1/0/5
    interface GigabitEthernet1/0/6
    interface GigabitEthernet1/0/7
    interface GigabitEthernet1/0/8
    interface GigabitEthernet1/0/9
    interface GigabitEthernet1/0/10
     switchport access vlan 91
     switchport mode access
     logging event link-status
    interface GigabitEthernet1/0/11
    interface GigabitEthernet1/0/12
    interface GigabitEthernet1/0/13
    interface GigabitEthernet1/0/14
    interface GigabitEthernet1/0/15
     switchport access vlan 91
     switchport mode access
     logging event link-status
    interface GigabitEthernet1/0/16
    interface GigabitEthernet1/0/17
    interface GigabitEthernet1/0/18
    interface GigabitEthernet1/0/19
    interface GigabitEthernet1/0/20
     switchport access vlan 91
     switchport mode access
     logging event link-status
    interface GigabitEthernet1/0/21
    interface GigabitEthernet1/0/22
    interface GigabitEthernet1/0/23
    interface GigabitEthernet1/0/24
    interface GigabitEthernet1/0/25
     switchport access vlan 910
     switchport mode access
    interface GigabitEthernet1/0/26
    interface GigabitEthernet1/0/27
    interface GigabitEthernet1/0/28
    interface GigabitEthernet1/0/29
    interface GigabitEthernet1/0/30
    interface GigabitEthernet1/0/31
    interface GigabitEthernet1/0/32
    interface GigabitEthernet1/0/33
    interface GigabitEthernet1/0/34
    interface GigabitEthernet1/0/35
    interface GigabitEthernet1/0/36
    interface GigabitEthernet1/0/37
     no switchport
     bandwidth 150000
     ip address 10.20.103.13 255.255.255.252
     rate-limit output access-group 100 24000000 3000000 3000000 conform-action transmit exceed-action drop
     logging event link-status
    interface GigabitEthernet1/0/38
    interface GigabitEthernet1/0/39
    interface GigabitEthernet1/0/40
    interface GigabitEthernet1/0/41
    interface GigabitEthernet1/0/42
    interface GigabitEthernet1/0/43
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     channel-group 24 mode on
    interface GigabitEthernet1/0/44
    interface GigabitEthernet1/0/45
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/0/46
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/0/47
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     channel-group 22 mode on
    interface GigabitEthernet1/0/48
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 6
     switchport trunk allowed vlan 2,7,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     logging event link-status
     shutdown
    interface GigabitEthernet1/1/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/1/2
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/1/3
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 6
     switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
     logging event link-status
     shutdown
    interface GigabitEthernet1/1/4
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 6
     switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     logging event link-status
     shutdown
    interface TenGigabitEthernet1/1/1
    interface TenGigabitEthernet1/1/2
    interface Vlan1
     no ip address
     shutdown
    interface Vlan6
     description ***LANERF**
     ip address 10.20.6.106 255.255.255.0
     no ip redirects
    interface Vlan23
     description < TRANSITO MUR >
     no ip address
     no ip redirects
    interface Vlan100
     description < VLAN MAN >
     ip address 10.20.100.106 255.255.255.0
     no ip redirects
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 7 032368342B2F0F
     ip ospf dead-interval minimal hello-multiplier 4
    router ospf 1
     router-id 10.20.40.106
     auto-cost reference-bandwidth 100000
     area 0.0.0.0 authentication message-digest
     area 1.80.1.1 authentication message-digest
     redistribute connected subnets
     redistribute static subnets
     passive-interface default
     no passive-interface Vlan23
     no passive-interface Vlan100
     no passive-interface GigabitEthernet1/0/37
     network 10.20.6.0 0.0.0.0 area 0.0.0.0
     network 10.20.40.106 0.0.0.0 area 0.0.0.0
     network 10.20.91.6 0.0.0.0 area 0.0.0.0
     network 10.20.100.106 0.0.0.0 area 0.0.0.0
     default-information originate
    ip http server
    ip http secure-server
    access-list 100 permit ip 10.50.80.0 0.0.0.255 10.80.80.0 0.0.0.255
    access-list 100 permit ip 10.80.80.0 0.0.0.255 10.50.80.0 0.0.0.255
    snmp-server community ASComRO RO
    line con 0
    line vty 0 4
     login
    line vty 5 15
     login
    event manager applet track_qos_down authorization bypass
     event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Up->Down"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface giga1/0/37"
     action 4 cli command "rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
     action 5 cli command "end"
    event manager applet track_qos_up authorization bypass
     event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Down->Up"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface giga1/0/37"
     action 4 cli command "no rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
     action 5 cli command "end"
    end
    ERF#     
    ERF#show mls qos 
    QoS is enabled 
    QoS ip packet dscp rewrite is enabled 
    ERF#show mls qos inter gigabitEthernet 1/0/37 
    GigabitEthernet1/0/37 
    trust state: not trusted 
    trust mode: not trusted 
    trust enabled flag: ena 
    COS override: dis 
    default COS: 0 
    DSCP Mutation Map: Default DSCP Mutation Map 
    Trust device: none 
    qos mode: port-based 
    When I apply the command I'm seeing a gauge using a 3rd party but I'm not seeing that the traffic will be truncated @ 50Mbps.
    Any thoughts??? 

    Hi
    Bandwidth commands allocates the particular amount of bandwidth you mention or configure over there.
    Basically you have the liberty to configure upto 75% of the available interface bandwidth to different classes.
    most widelys used with CBWFQ technique..
    so while configuring up the same better to watch out for the exact bandwidth value keyed in on the interface to have your alloocation work properly.
    policing basically used for limiting the traffic or to control the bursts by dropping them or marking them with different ip precedence or DSCP values.
    its very much similar to the rate-limit command applied on the interface level which again uses token bucket system either single or dual based on the configuration parameters.
    for more info on above mentioned clis do check these links..
    http://www.cisco.com/en/US/tech/tk543/tk545/tsd_technology_support_protocol_home.html
    http://www.cisco.com/en/US/tech/tk543/tk544/tsd_technology_support_protocol_home.html
    regds

  • Rate-limit for some MAC on aironet 1231

    Hello!
    I need to set rate-limit for some mac addresses on access point aironet 1231.Is it possible?
    If no, what ios or devices can do it?
    Thanks.

    No there is no option for rate-limit in Aironet but in controller, Rate-limiting is applicable to all traffic destined to the CPU from either direction (wireless or wired). Cisco recommends that you always run the controller with the default config advanced rate enable command in effect in order to rate-limit traffic to the controller and protect against denial-of-service (DoS) attacks. You can use the config advanced rate disable command to stop rate-limiting of Internet Control Message Protocol (ICMP) echo responses for testing purposes.

  • Per user bandwidth rate limit.

                       How to configure per user bandwidth rate limit for wireless guest client, authentication server is ISE 1.2 & wireless controller is 5760.

    The Cisco 5760 WLC supports better QoS than other c
    ontrollers, allowing prioritization of mission-crit
    ical
    applications:

    The Cisco 5760 WLC supports four wireless hardware
    queues and priority-based queuing compared to
    software-based queuing in existing controllers.

    The Cisco 5760 WLC follows MQC based commands, allo
    wing usage of exact commands for configuring
    QoS on different types of network devices.

    The Cisco 5760 WLC supports QoS policies to be appl
    ied in a hierarchical fashion with more granularity
    per SSID per radio, while on the current controller
    s granularity is per WLAN.

    The Cisco 5760 WLC supports approximate fair bandwi
    dth to make sure of fairness at client, SSID, and
    radio levels for Non-Real Time (NRT) traffic. There
    fore, if one user consumes excessive bandwidth, we
    can
    limit the amount of bandwidth that user receives an
    d thereby not deprive other users.

  • Prime Infrastructure 2 - API rate limit change?

    Good day -
    The Prime API is pretty sweet, and can give you JSON data back easily with a call like this:
    https://prime/webacs/api/v1/data/Clients.json?.full=true
    It is, however, limited to 100 results. We'd like to see more than that.
    How do I change this rate limit for the API?

    I have found that this command does work, but still limits to 1000. 
    https://prime/webacs/api/v1/data/Clients.json?.maxResults=9999&.full=true
    Now I get Tomcat a HTTP Status 503 error.  There's another setting I've not found yet.
    My json results say "@count":"6980", suggesting I have that many clients in the database.

  • Cisco SG300 VLAN rate-limit

    I have a Cisco SG300 small business switch and 541 APs. There are 2 VLANs in our network. One must be limited by bandwidth. Does anyone have an idea for configure vlan rate-limiting on SG300? And please describe CIR & CBS for me. Thanks.

    http://www.cisco.com/en/US/partner/products/ps10898/prod_command_reference_list.html
    Cisco Small Business 300 Series Managed Switches Command Line Interface Guide Release 1.3
    Select CIR and CBS according to your design. You can use a larger CBS when performance is not ideal.
    49.23 rate-limit (VLAN)
    Use the Layer 2 rate-limit (VLAN) Global Configuration mode command to limit the
    incoming traffic rate for a VLAN. Use the no form of this command to disable the
    rate limit.
    Syntax
    rate-limit vlan-id committed-rate committed-burst
    no rate-limit vlan
    Parameters
    • vlan-id—Specifies the VLAN ID.
    • committed-rate—Specifies the average traffic rate (CIR) in kbits per second
    (kbps). (Range: 3-57982058)
    • committed-burst—Specifies the maximum burst size (CBS) in bytes.
    (Range: 3000-19173960)
    Default Configuration
    Rate limiting is disabled.
    Committed-burst-bytes is 128K.
    Command Mode
    Global Configuration mode
    User Guidelines
    Traffic policing in a policy map takes precedence over VLAN rate limiting. If a
    packet is subject to traffic policing in a policy map and is associated with a VLAN
    that is rate limited, the packet is counted only in the traffic policing of the policy
    map.
    This command does not work in Layer 3 mode. It does not work in conjunction with
    IP Source Guard.
    Example
    The following example limits the rate on VLAN 11 to 150000 kbps or the normal
    burst size to 9600 bytes.
    switchxxxxxx(config)# rate-limit 11 150000 9600

  • RATE limit RATE limit RATE limit RATE limit

    Dear,
    I have tried using RADIUS server to apply rate-limit to my ADSL coustomers using :
    rate-limit output access-group 101 1024000 6000 512000 conform-action transmit exceed-action drop
    i applied this at raduis server at my output interface but i does not work.
    there is no output for sh interface rate limit.
    the configuration and settings for rate limit are applied at raduis server....ok
    when i do sh interface rate limit on router....i dont have any results.
    i have configured (VPDN interface-Virtual and interface-access ) for my ADSL coustomers.
    i need to make bills for this customrs.
    please if the points not clear let me know

    Try this configuration in your interface , or write the access list depend upon your requirement and implement it.
    access-list 152 permit tcp any host eq www
    access-list 153 permit tcp any host eq www established
    interface {int}
    rate-limit output access-group 153 1024000 6000 512000
    conform-action transmit exceed-action drop
    rate-limit output access-group 152 1024000 6000 512000
    conform-action transmit exceed-action drop
    finally verifies this configuration through the following commands.
    show access-lists rate-limit
    Displays information about rate-limit access lists.
    show interfaces rate-limit
    Displays information about CAR for a specified interface

  • Ace Module logging rate limit

    Hi All,
    I have tried to configure the above parameter but it doesn't seem to be working.
    The version running on the ACE is 2.3.4 and I am running multiple contexts.
    The below configuration was tried on one of the contexts, not being Admin.
    The command I used was :
    logging rate-limit 42 60 message 251010
    What I am trying to achieve here is receive notification that a rserver has failed its connectivity check, therefore alerting the relevant people.
    The issue I am encountering is that every second I receive all the alerts again.
    I am only wanting to receive the alert once if possible and gain once the rserver has come back online.
    Is this possible, if so please explain how I can do it?
    TIA.
    Jack.

    your rate limit should be giving you 42 of those messages per 60 seconds. But this is health probe failure which depending on how many does not necessarily mean server is down. (depends on fail count). also it is level 6 message. the message you really want is:
    Error Message    %ACE-4-442001:  Health probe probe name detected real_server_name
    (interface interface_name) in serverfarm sfarm_name changed state to UP
    Explanation    The state of a  real server changed from down to up.
    Recommended Action    None  required.
    442002
    Error Message    %ACE-4-442002:  Health probe probe name detected real_server_name
    (interface interface_name) in serverfarm sfarm_name changed state to DOWN
    suggest you do logging at level 4  and you will only see the message when server state changes

  • Rate limit in Cisco ISR 4451X

    Hello friends,
    I have a problem; now i'm changing the router that have at work of Cisco 3925 to Cisco ISR 4451X but in the new router i can't put the command that have in my old router:
    rate-limit input access-group 110 16384000 3072000 6144000 conform-action transmit exceed-action drop
    Can someone help me telling what command replace it or which is the equivalent?
    Atte.
    Percy

    Edison,
    Thanks for helping with this it is greatly appreciated.  I have been playing around with this and have managed to get the policing working successfully on the SVI. 
    The problem was basically the direction the policing was being applied.  Initially I was applying the service policies to the customer SVIs in an inbound direction.  This would only be traffic coming into the VLAN interface from within the VLAN; therefore, in terms of internet traffic this would be upload and NOT the required download.
    In order to resolve this, I have applied the service policy to the Internet facing VLAN.  Please see below -
    Class Maps and Policy Maps
    class-map match-all CUST-A-VL10-CMAP1
    match input-interface  FastEthernet1/0/24
    class-map match-all CUST-A-VL10-CMAP2
    match access-group name CUST-A-VL10-ACL-POL
    policy-map CUST-A-VL10-PMAP1
    class CUST-A-VL10-CMAP1
    police 100000 18750 exceed-action drop
    policy-map CUST-A-VL10-PARENT-PMAP1
    class CUST-A-VL10-CMAP2
    set ip precedence 1
    service-policy CUST-A-VL10-PMAP1
    VLAN Confguration
    interface Vlan300
    ip address ************
    service-policy input CUST-A-VL10-PARENT-PMAP1
    This works successfully and polices the traffic as expected.  However, I have now run into the problem with assigning multiple service policies to the VLAN interface.  As this is the internet facing VLAN for the routing of traffic to and from the internet, all customer service policies need to be applied to this interface.  When I attempt to apply more than one service policy to this VLAN i receive the following error -
    (config-if)#service-policy input CUST-B-VL20-PARENT-PMAP1
    Policy map CUST-A-VL10-PARENT-PMAP1 is already attached
    Looks like another couple of hours needed working around this problem!!
    Thanks
    Nick

  • Rate Limit on the MPLS Tag interface

    In MPLS Networks, we generally enable tag-switching IP and MTU (1526) configuration on the specific interface . Say if the above commands are applied in the 2 mb Lease Line Serial interface , How do i rate Limit to 64K ?
    Can anyone provide me this info w.r.t the configuration?
    Regards
    Srikant

    Generic rate-limiting should be possible. Here's a URL explaining how to configure this feature.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7ee1.html#1080850
    Hope this helps,

Maybe you are looking for

  • Keith Gilabert "HP Laserjet Pro 200 MFP will not connect wirelessly"

    Hi. Laserjet HP Pro 200 will not allow me to have a wireless connection direct to the printer when I have the network cable plugged in.  Please advise. Thank you, Keith Gilabert Keith Gilabert

  • I have an iPhone 3 8gig with iOS 4.2.1 can i upgrade it to iOS 4 or 5

    Hi there, I have an iPhone 3 8gig with an operating system of 4.2.1 but want to up grade it.  When I'm connected to iTunes it gives me the option to upgrade but it always says that it's up to date.  I rang apple supprot and they advised me that it wa

  • Lacie won't unmount

    Greetings Gurus, I took part of my system home to do some work over the holidays and am now having trouble unmounting my Lacie BigDiskExtremeTriple. This drive has always been connected to my Dual G5 desktop (profile listed below), but I'd hoped to g

  • About Refresh Error In Materialized view

    hi i have Oracle 9.2.0.1 at the windows server 2003 i have created some materialized view to use in my one web application running on tomcat i have scheduling for refresh it using refresh utility available in oracle materialized view snapshot refresh

  • How do you use two scripts for a button?

    Hi all! I'm referring to my earlier question posted in this topic: Object not found with myContext.getParamIdForComponent In short: when I had the attribute 'jsObjectNeeded="true"'  on a button and that was for a script that would start a function va