Rate-limit a subnet per ip by policmap !
hi all ,
i have subnet /24 with 250 ips and need each ip of the entire this subnet to has QOS/shaping or policing by 2 M.
is there a quick method on cisco to do it ??
i dont want to create 250 classp-maps !!!!!
i have cisco 3900 and asa 5520
not sure if wt i need supported or not.
plz advise
regards
Hi,
Let me start of by saying that I have not played around with these settings that many times myself. I have usually set connection timeout values for certain connections more than use connection limits
Wonder if something along these lines would work
access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host eq www
access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host https
class-map WEB-SERVER-CONNECTIONLIMIT
match access-list WEB-SERVER-CONNECTIONLIMIT
policy-map global_policy
class WEB-SERVER-CONNECTIONLIMIT
set connection per-client-max per-client-embryonic-max
I am not sure but to my understanding the destination IP address you use in the ACL depends on your software. I am using 8.4(5) so I actually used the local IP address as the destination of the ACL even though the host was Static NATed to a public IP address
- Jouni
Similar Messages
-
Per user bandwidth rate limit.
How to configure per user bandwidth rate limit for wireless guest client, authentication server is ISE 1.2 & wireless controller is 5760.
The Cisco 5760 WLC supports better QoS than other c
ontrollers, allowing prioritization of mission-crit
ical
applications:
●
The Cisco 5760 WLC supports four wireless hardware
queues and priority-based queuing compared to
software-based queuing in existing controllers.
●
The Cisco 5760 WLC follows MQC based commands, allo
wing usage of exact commands for configuring
QoS on different types of network devices.
●
The Cisco 5760 WLC supports QoS policies to be appl
ied in a hierarchical fashion with more granularity
per SSID per radio, while on the current controller
s granularity is per WLAN.
●
The Cisco 5760 WLC supports approximate fair bandwi
dth to make sure of fairness at client, SSID, and
radio levels for Non-Real Time (NRT) traffic. There
fore, if one user consumes excessive bandwidth, we
can
limit the amount of bandwidth that user receives an
d thereby not deprive other users. -
Can CAR on router rate-limit per address?
Hi, everyone
I have a question about CAR on router. The router have a G703 E1 WAn interface and an ethernet interface. My goal is to rate-limiting access-rate of every ip address under ethernet, that is, for example, every PC under the ethernet interface cannot over 1Mb/s.
Can CAR on the router achieve this goal? If be, how to achieve it?
Very Thanks.
TaoFarrukh
Very thanks for your reply.
My purpose is to put a maximum access-rate limit for every PC in a LAN. So if there are 100 PCs in the LAN, with the above CAR, I have to make 100 ACL, as below:
access-list 101 permit ip host 192.168.1.1 any
access-list 102 permit ip host 192.168.1.2 any
If so, there will be too many acl items. And I don't know how many acl can we applied under FastEthernet0/0. So it maybe unreasonable.
I know Huawei's Quidway router can support this feature, as below:
qos carl 1 source-ip-address range 192.168.0.2 to 192.168.0.200 per-address
I want to know Cisco can support this feature, or have some methods to achieve it.
Very Thanks
Tao -
WLC user rate limit on guest ssid anchor controller
Hi,
I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
Both the foreign and anchor controller are here at my location.
I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
Thanks guys!
Oh and here is my hardware & software levels.
5508wlc - forgeign
4402wlc - anchor
Software Version
7.0.230.0Amjad,
Thank you for taking the time to respond as well as the document link.
It was pretty clear on the steps and what it would impact.
Two things that push me for a different solution (assuming their is one).
Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
#1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
The idea is to limit WAN utilization.
#2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
***One last question about this and any other changes***
Will any change I make be on the "Foreign, Anchor" or both Controllers? -
Rate-limit command 3560 does it exist?
I have just come across a command in my router IOS which might be useful too me. I was wondering if the following command is available on a 3560 Switch. I don't see it on my 3550 but the IOS is quite old. I don't have a 3560 avaiable currently to check.
Config t > int vlan x > rate-limit input/output
does this exist on the 3560? I am also interest if it does in the Bits per second range and if available input/output.
Thanks for any helpHello,
what kind of feature are you looking for?
CAR?
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a0080087f26.html#wp1037428
For command list check the following link:
Catalyst 3560 Switch Command Reference, Rel. 12.2(25)SEE
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/cr/index.htm
For QOS configs:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm
If you need to rate limit traffic on an interface check:
Limiting the Bandwidth on an Egress Interface
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm#wp1253412
Hope this help a bit,
if it does, please rate this post.
Vlad -
hello guys,
is it possible to rate limit an eompls circuit between to PE (rate-limit per VC) ?Yes you can try with MQC. Have a class-map which matches any traffic and police the bandwidth
policy-map l2test
class l2test
police 2048000 c t e d
class l2test
match any
Let me know if it works -
hi everybody, i was wondering if is it possible to limit the bandwith per user on a catalyst 4500. i mean that i want to specify the bandwidth used by a source ip when it's connected to the switch and manage the bandwidth by interface.
thanksHi,
I am attempting to do something similar on 2950 or 3550 without much luck.
I have found a cisco has a feature called CAR - committed access rate which seems to be supported on the high end switches. He's a link I came across.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/car.htm#34571
I've tried using policies but can get anythin which will work ingress and egress on the lower end switches.
hope it helps. -
I have a Cisco SG300 small business switch and 541 APs. There are 2 VLANs in our network. One must be limited by bandwidth. Does anyone have an idea for configure vlan rate-limiting on SG300? And please describe CIR & CBS for me. Thanks.
http://www.cisco.com/en/US/partner/products/ps10898/prod_command_reference_list.html
Cisco Small Business 300 Series Managed Switches Command Line Interface Guide Release 1.3
Select CIR and CBS according to your design. You can use a larger CBS when performance is not ideal.
49.23 rate-limit (VLAN)
Use the Layer 2 rate-limit (VLAN) Global Configuration mode command to limit the
incoming traffic rate for a VLAN. Use the no form of this command to disable the
rate limit.
Syntax
rate-limit vlan-id committed-rate committed-burst
no rate-limit vlan
Parameters
• vlan-id—Specifies the VLAN ID.
• committed-rate—Specifies the average traffic rate (CIR) in kbits per second
(kbps). (Range: 3-57982058)
• committed-burst—Specifies the maximum burst size (CBS) in bytes.
(Range: 3000-19173960)
Default Configuration
Rate limiting is disabled.
Committed-burst-bytes is 128K.
Command Mode
Global Configuration mode
User Guidelines
Traffic policing in a policy map takes precedence over VLAN rate limiting. If a
packet is subject to traffic policing in a policy map and is associated with a VLAN
that is rate limited, the packet is counted only in the traffic policing of the policy
map.
This command does not work in Layer 3 mode. It does not work in conjunction with
IP Source Guard.
Example
The following example limits the rate on VLAN 11 to 150000 kbps or the normal
burst size to 9600 bytes.
switchxxxxxx(config)# rate-limit 11 150000 9600 -
Hi all,
Upstream traffic rate limit is not supported by WLC . It will be done by AP.
We have setup of Auto anchor for both corporate and guest(but authentication mechanism is diffrent) . They wont access any internal resouce .Only interner traffic is permitted.
So can we limit the internet traffic for guest users .? If we limiting the upstream traffic at the AP level what would be the concerns we may face?
Kindly help on this.
Thanks,
Regards,
VijayHello Vijay,
As per your query i can suggest you the following solution-
Please refer table 1 of the given link-
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3900.shtml
Hope this will help you. -
Hi All - I need your help to understand the Burst value in the Rate-Limit
Example: rate-limit input access-group 101 20000000 24000 32000
I understand the above configuration limit the traffic to 20Mbps. How to calculate the Burst-Normal (as per example above 24000 Bytes) and Burst-Max(as per above example 32000 Bytes). What is the logic for arriving the Burst-Normal & Burst-Max?
Thanks in advance
SAIRAMHi Sairam,
below are definitions of few terms which are involved here
CIR : committed information rate, in bits per second, defines the rate defined in the traffic contract.
Tc : Time interval,measured in miliseconds, over which the committed burst (Bc) can be sent.
Bc : Committed burst size,measured in bits. This is the amount of traffic that can be sent over the interval Tc.
Be : Excess burst size, in bits. This is number of bits beyond Bc that can sent after a period of inactivity.
Formula to calculate Bc is
Bc = CIR*Tc
Now to understand Bc and Tc, say suppose you have applied 20mbps rate-limit on a 100mbps fastethernet link. Now link can send data (bits) with clock-rate only which is 100mbps so to achieve 20mbps rate on that link router needs to send traffic for 1/5th of a sec and remain idle for 4/5th of a second. 1/5th of sec is 200 msec. If router will send traffic for 200msec and not sending traffic for next 800msec, it can achieve rate of 20mbps but a packet arrived at 199th sec will need to wait for 800msec and this will add unnecessary latency to the packet. To avoid this, router sends few bits for short duration and then does not send for some duration. For the period it sends traffic is called Tc value. and the number of bytes it can send during that interval is called Bc value. So CIR = Bc/Tc (bits per interval).
Now we dont have option to configure Tc but we can configure CIR and Bc, and Tc will automatically be calculated. If we do not configure Bc then router takes default Tc of 125ms and calculates the Bc.
What value to choose for Bc
If we configure Bc too large then Tc will go high for same CIR and this may cause delay or jitter for delay sensitive traffic. For delay sensitive traffic cisco recommends to have Tc 10ms or less.
If i calculate Tc in the given example, it is coming as 9.6ms which is close to 10ms that is why Bc is set as 24000.
Tc = Bc/CIR
= 24000(bytes)/20000000(bits/sec)
= 192000(bits)/20000(bits/ms)
= 192/20
= 9.6 msec
Now Be is to give extra bandwidth for small interval(Tc) to cater some bursty traffic. Assume there is a bucket which gets filled with Bc amount of token in every Tc interval and router can send traffic if there is sufficient amount of token available in the bucket, equal to the packet size. After forwarding packet router reduces same amount of token from the bucket. Size of bucket is also equal to Bc which means if there is no traffic for Tc interval, bucket can not hold more token. Be is to increase the size of bucket to (Bc + Be). Now in every Tc interval bucket will be filled with Bc token and if there is a period of inactivity then in next interval bucket can be filled with extra Bc amount of token till it reaches to (Bc + Be) and if there is any bursty traffic (more than Bc) same can be adjusted. So for a very small period router may send traffic with more rate (higher than CIR, since sending Bc+Be in Tc interval) but over a period does not cross CIR.
You can also use below "Ask the expert" event for QoS to further queries related to QoS.
https://supportforums.cisco.com/discussion/12259571/ask-expert-quality-service-qos-cisco-ios-routers
Please dont forget to rate post if it has been helpful.
Regards,
Akash -
Hi All,
I have tried to configure the above parameter but it doesn't seem to be working.
The version running on the ACE is 2.3.4 and I am running multiple contexts.
The below configuration was tried on one of the contexts, not being Admin.
The command I used was :
logging rate-limit 42 60 message 251010
What I am trying to achieve here is receive notification that a rserver has failed its connectivity check, therefore alerting the relevant people.
The issue I am encountering is that every second I receive all the alerts again.
I am only wanting to receive the alert once if possible and gain once the rserver has come back online.
Is this possible, if so please explain how I can do it?
TIA.
Jack.your rate limit should be giving you 42 of those messages per 60 seconds. But this is health probe failure which depending on how many does not necessarily mean server is down. (depends on fail count). also it is level 6 message. the message you really want is:
Error Message %ACE-4-442001: Health probe probe name detected real_server_name
(interface interface_name) in serverfarm sfarm_name changed state to UP
Explanation The state of a real server changed from down to up.
Recommended Action None required.
442002
Error Message %ACE-4-442002: Health probe probe name detected real_server_name
(interface interface_name) in serverfarm sfarm_name changed state to DOWN
suggest you do logging at level 4 and you will only see the message when server state changes -
3750X rate-limit (QoS)
Hello,
I'm trying to configure a rate-limit in a 3750X but I'm not seeing any result...
These are my configurations:
RF#show run
Building configuration...
Current configuration : 23410 bytes
! Last configuration change at 08:53:35 UTC Sun Mar 14 1993
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname RF
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750x-48p
system mtu routing 1500
ip routing
ip domain-name erf.carco.com.mx
rep admin vlan 100
mls qos
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 2
vlan 4
vlan 6
vlan 8
vlan 10
vlan 20
vlan 21
vlan 22
vlan 23
vlan 25
vlan 26
vlan 30
vlan 50
vlan 53
vlan 70
vlan 81
vlan 91
vlan 92
vlan 93
vlan 95
vlan 96
vlan 99
vlan 100
vlan 102
vlan 110
vlan 122
vlan 129
vlan 200
vlan 213
vlan 227
vlan 333
vlan 357
vlan 417
vlan 444
vlan 500
vlan 502
vlan 555
vlan 700
vlan 712
vlan 910
vlan 911
vlan 951
vlan 1105
vlan 1508
vlan 1830
vlan 1870
vlan 1890
vlan 1891
vlan 1892
class-map match-any test
match access-group 100
policy-map test
class test
police 150000000 512000 exceed-action drop
interface Loopback0
ip address 10.20.40.106 255.255.255.0
interface Port-channel22
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
rep segment 10
interface Port-channel24
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
rep segment 10
interface FastEthernet0
no ip address
no ip route-cache
shutdown
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
no logging event link-status
shutdown
speed 1000
duplex full
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,8,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
speed 1000
duplex full
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
switchport access vlan 91
switchport mode access
logging event link-status
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface GigabitEthernet1/0/13
interface GigabitEthernet1/0/14
interface GigabitEthernet1/0/15
switchport access vlan 91
switchport mode access
logging event link-status
interface GigabitEthernet1/0/16
interface GigabitEthernet1/0/17
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
interface GigabitEthernet1/0/20
switchport access vlan 91
switchport mode access
logging event link-status
interface GigabitEthernet1/0/21
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/24
interface GigabitEthernet1/0/25
switchport access vlan 910
switchport mode access
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
interface GigabitEthernet1/0/29
interface GigabitEthernet1/0/30
interface GigabitEthernet1/0/31
interface GigabitEthernet1/0/32
interface GigabitEthernet1/0/33
interface GigabitEthernet1/0/34
interface GigabitEthernet1/0/35
interface GigabitEthernet1/0/36
interface GigabitEthernet1/0/37
no switchport
bandwidth 150000
ip address 10.20.103.13 255.255.255.252
rate-limit output access-group 100 24000000 3000000 3000000 conform-action transmit exceed-action drop
logging event link-status
interface GigabitEthernet1/0/38
interface GigabitEthernet1/0/39
interface GigabitEthernet1/0/40
interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/42
interface GigabitEthernet1/0/43
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
channel-group 24 mode on
interface GigabitEthernet1/0/44
interface GigabitEthernet1/0/45
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/0/46
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/0/47
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
channel-group 22 mode on
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 2,7,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
logging event link-status
shutdown
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/1/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
logging event link-status
shutdown
interface GigabitEthernet1/1/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
logging event link-status
shutdown
interface TenGigabitEthernet1/1/1
interface TenGigabitEthernet1/1/2
interface Vlan1
no ip address
shutdown
interface Vlan6
description ***LANERF**
ip address 10.20.6.106 255.255.255.0
no ip redirects
interface Vlan23
description < TRANSITO MUR >
no ip address
no ip redirects
interface Vlan100
description < VLAN MAN >
ip address 10.20.100.106 255.255.255.0
no ip redirects
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 032368342B2F0F
ip ospf dead-interval minimal hello-multiplier 4
router ospf 1
router-id 10.20.40.106
auto-cost reference-bandwidth 100000
area 0.0.0.0 authentication message-digest
area 1.80.1.1 authentication message-digest
redistribute connected subnets
redistribute static subnets
passive-interface default
no passive-interface Vlan23
no passive-interface Vlan100
no passive-interface GigabitEthernet1/0/37
network 10.20.6.0 0.0.0.0 area 0.0.0.0
network 10.20.40.106 0.0.0.0 area 0.0.0.0
network 10.20.91.6 0.0.0.0 area 0.0.0.0
network 10.20.100.106 0.0.0.0 area 0.0.0.0
default-information originate
ip http server
ip http secure-server
access-list 100 permit ip 10.50.80.0 0.0.0.255 10.80.80.0 0.0.0.255
access-list 100 permit ip 10.80.80.0 0.0.0.255 10.50.80.0 0.0.0.255
snmp-server community ASComRO RO
line con 0
line vty 0 4
login
line vty 5 15
login
event manager applet track_qos_down authorization bypass
event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Up->Down"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface giga1/0/37"
action 4 cli command "rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
action 5 cli command "end"
event manager applet track_qos_up authorization bypass
event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Down->Up"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface giga1/0/37"
action 4 cli command "no rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
action 5 cli command "end"
end
ERF#
ERF#show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled
ERF#show mls qos inter gigabitEthernet 1/0/37
GigabitEthernet1/0/37
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
When I apply the command I'm seeing a gauge using a 3rd party but I'm not seeing that the traffic will be truncated @ 50Mbps.
Any thoughts???Hi
Bandwidth commands allocates the particular amount of bandwidth you mention or configure over there.
Basically you have the liberty to configure upto 75% of the available interface bandwidth to different classes.
most widelys used with CBWFQ technique..
so while configuring up the same better to watch out for the exact bandwidth value keyed in on the interface to have your alloocation work properly.
policing basically used for limiting the traffic or to control the bursts by dropping them or marking them with different ip precedence or DSCP values.
its very much similar to the rate-limit command applied on the interface level which again uses token bucket system either single or dual based on the configuration parameters.
for more info on above mentioned clis do check these links..
http://www.cisco.com/en/US/tech/tk543/tk545/tsd_technology_support_protocol_home.html
http://www.cisco.com/en/US/tech/tk543/tk544/tsd_technology_support_protocol_home.html
regds -
Hello,
I am trying to setup a rate limit on fex ports (modl is N2K-C2248TP-1GE ) of a 5548UP (non L3) - Software version is : version 6.0(2)N2(2)
I have tried the following setup without success :
ip access-list ACL_CUST
10 permit ip 10.100.100.1/32 10.100.100.2/32
20 permit ip 10.100.100.2/32 10.100.100.1/32
class-map type qos match-all CMQOS_CUST
match access-group name ACL_CUST
policy-map type qos PMQOS_CUST
class CMQOS_CUST
police cir percent 1 bc 200 ms conform transmit violate drop
interface Ethernet161/1/11 - 12
service-policy type qos input PMQOS_CUST
And also tried to use this confioguration :
class-map type qos match-all CMQOS_LIMIT_BP_CUST
match cos 0-7
policy-map type qos PMQOS_LIMIT_BP_CUST
class CMQOS_LIMIT_BP_CUST
police cir percent 1 bc 200 ms conform transmit violate drop
interface Ethernet161/1/11 - 12
service-policy type qos input PMQOS_LIMIT_BP_CUST
The problem is that the bandwith restriction (1 percent of 1Gbit/s shoud be 10Mbit/s) is not working and apparently no restriction is applied
If someone could help me to resolve this issue it would be greatly appreciated
I do have followed this guide
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/qos/503_n1_1/cisco_nexus_5000_qos_config_gd_503_chapter3.html
Thanks !http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/verified_scalability/702N11/b_N5600_Verified_Scalability_702N11/b_N6000_Verified_Scalability_700N11_chapter_01.html
Maximum FEXs per Switch
24
24
Maximum FEXs dual-homed to a vPC Switch Pair
24
24 -
ICMP unreacheble, rate-limit
Hi !
I'm currently working on projet of network hardening.
Based on Cisco security best pratice, I see it's recommand to rate limit genaration of ICMP unreachable message to prevent DoS attack. (according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
On Catalyst 6509 run IOS 12.2(17r)SX5 I see to possible way to rate-limit ICMP messages if mls QoS is running.
1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enable by default, according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
mls rate-limit unicast ip ICMP unreachable no-route 100 10
2- ip ICMP rate-limit unreachable <millisecond> (500 ms is default parameters, which permit 2 paquets per seconds, also enable by default if I'm base on : http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
Which one of those command have precedence over the other one ?
Which one is better over the other one ?
With the mls rate-limit option, we have the possibility to check default parameter with : "show mls rate-limit" command is exist equivalent for : "ip ICMP rate-limit unreachable"
We have also Catalyst 3550 switches, on which we have to rate-limit genaration of ICMP unreachable message for same reason as 6509. I understand the :"ip ICMP rate-limit unreachable" command is my only option "under "mls " the only option I have is QoS or aclmerge. Under thoses parameter I have no way to rate-limit ICMP message generation....
I have check in running-configuration I did not find any reference to ICMP rate-limit command, I hope this is active like explain in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section, (Version 12.2(44)SE3) but I would like to be able to confirm if any show command exist to confirm this.
thanks a lot !Hello Marcus,
On the ASA as you are already aware we only have the choice of modifying the ICMP unreachable rate,
With the IOS the rate-limit for ICMP unreachable replies will be rate limited to one every 500ms
use:
show ip icmp rate-limit
Besides that I have not seen any other information that you could customize.
Regards -
ICMP unreachable, rate-limit command
Hi !
I'm currently working on projet of network hardening.
Based on Cisco security best pratice, I see it's recommand to rate limit genaration of ICMP unreachable message to prevent DoS attack. (according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
On Catalyst 6509 run IOS 12.2(17r)SX5 I see to possible way to rate-limit ICMP messages if mls QoS is running.
1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enable by default, according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
mls rate-limit unicast ip ICMP unreachable no-route 100 10
2- ip ICMP rate-limit unreachable <millisecond> (500 ms is default parameters, which permit 2 paquets per seconds, also enable by default if I'm base on : http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
Which one of those command have precedence over the other one ?
Which one is better over the other one ?
With the mls rate-limit option, we have the possibility to check default parameter with : "show mls rate-limit" command is exist equivalent for : "ip ICMP rate-limit unreachable"
We have also Catalyst 3550 switches, on which we have to rate-limit genaration of ICMP unreachable message for same reason as 6509. I understand the :"ip ICMP rate-limit unreachable" command is my only option "under "mls " the only option I have is QoS or aclmerge. Under thoses parameter I have no way to rate-limit ICMP message generation....
I have check in running-configuration I did not find any reference to ICMP rate-limit command, I hope this is active like explain in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section, (Version 12.2(44)SE3) but I would like to be able to confirm if any show command exist to confirm this.
thanks a lot !This is now showing up with running ssh over this tunnel. I can get the initial connection, but certain commands are not going through.
Maybe you are looking for
-
Iphone 4s unable to send mms over gprs, is there a fix for this?
OK so after much hunting around the net and many calls to both my network provider and apple i found this link myself http://www.nowsms.com/iphone-mms-message-send-failure-on-gprs-and-edge that answered my problem. The answer being there is no soluti
-
Hello, what I'm trying to do is bundle multiple ORDERS05 into one ORDERS05. For instance I have two ORDERS which are identically. Merging them into one message would imply that the WMENG fields, which contain the amount, are added together. How do I
-
Attaching smartforms and print prog to invoice
hi ive developed a smartform and a print program. da program has a selection screen dat asks user for doc number(vbeln). it den displays data in da smartform. now ive to attach it to va02. wen i attach it using v/40 output type(RD000) program name :
-
HT6147 is there going to be a Security patch for 1st Generation iPads?
Is theis there going to be a Security patch for 1st Generation iPads? one has been released for all of the other devices.
-
WRVS4400N - MAC OS X LEOPARD VPN
i've called linksys on different issue, but i also mention i had some problems connecting from my mac os x leopard to my linksys wrvs4400n, and they said i shouldn't have any problem doing so i was wondering if anyone had a successful connection betw