Rate-limit a subnet per IP by policy-map!

Hi all,
I have a /24 subnet with 250 IPs and need each IP in this entire subnet to have QoS/shaping or policing at 2 M.
Is there a quick method on Cisco to do it?
I don't want to create 250 class-maps!
I have a Cisco 3900 and an ASA 5520.
Not sure if what I need is supported or not.
Please advise.
Regards

Hi,
Let me start off by saying that I have not played around with these settings that many times myself. I have usually set connection timeout values for certain connections rather than used connection limits.
I wonder if something along these lines would work:
access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host eq www
access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host https
class-map WEB-SERVER-CONNECTIONLIMIT
match access-list WEB-SERVER-CONNECTIONLIMIT
policy-map global_policy
class WEB-SERVER-CONNECTIONLIMIT
  set connection per-client-max per-client-embryonic-max
I am not sure, but to my understanding the destination IP address you use in the ACL depends on your software. I am using 8.4(5), so I actually used the local IP address as the destination in the ACL even though the host was static NATed to a public IP address.
- Jouni
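An added illustration, not code from this thread, of what the two limits in Jouni's `set connection` line mean: `per-client-max` caps the total simultaneous connections a single source address may hold, and `per-client-embryonic-max` caps the half-open (SYN sent, handshake not finished) ones, which is the counter a SYN flood from one host inflates. The model below keeps both counters per client and refuses a new SYN once either limit is hit; it does not reproduce the ASA's TCP intercept handling, and the addresses, connection ids and limit values are constructed sample data.

```python
"""Model of ASA-style per-client connection limits (constructed example)."""
from collections import defaultdict


class PerClientConnLimiter:
    """Track connections per client; refuse SYNs beyond the configured limits."""

    def __init__(self, per_client_max: int, per_client_embryonic_max: int):
        self.per_client_max = per_client_max
        self.per_client_embryonic_max = per_client_embryonic_max
        self.embryonic = defaultdict(set)    # client -> half-open conn ids
        self.established = defaultdict(set)  # client -> completed conn ids

    def syn(self, client: str, conn_id: str) -> bool:
        """New SYN from client: True if admitted, False if dropped by a limit."""
        half_open = self.embryonic[client]
        total = len(half_open) + len(self.established[client])
        if len(half_open) >= self.per_client_embryonic_max:
            return False  # too many unfinished handshakes from this client
        if total >= self.per_client_max:
            return False  # too many connections of any state from this client
        half_open.add(conn_id)
        return True

    def handshake_complete(self, client: str, conn_id: str) -> None:
        """Three-way handshake finished: the connection stops counting as embryonic."""
        self.embryonic[client].discard(conn_id)
        self.established[client].add(conn_id)

    def close(self, client: str, conn_id: str) -> None:
        """Connection torn down: release its slot."""
        self.embryonic[client].discard(conn_id)
        self.established[client].discard(conn_id)


def run_sample() -> dict:
    """Replay a constructed SYN trace; returns {client: (admitted, dropped)}."""
    lim = PerClientConnLimiter(per_client_max=4, per_client_embryonic_max=3)
    stats = defaultdict(lambda: [0, 0])

    def record(client: str, admitted: bool) -> None:
        stats[client][0 if admitted else 1] += 1

    # 10.1.1.5 sends SYNs and never answers the SYN-ACK: only the embryonic cap bites
    for i in range(5):
        record("10.1.1.5", lim.syn("10.1.1.5", f"a{i}"))

    # 10.1.1.6 completes two handshakes, then opens three more: the total cap bites
    for i in range(2):
        record("10.1.1.6", lim.syn("10.1.1.6", f"b{i}"))
        lim.handshake_complete("10.1.1.6", f"b{i}")
    for i in range(2, 5):
        record("10.1.1.6", lim.syn("10.1.1.6", f"b{i}"))

    return {client: tuple(v) for client, v in stats.items()}


if __name__ == "__main__":
    print(run_sample())
```

Running it shows the first client admitted for 3 SYNs and refused for 2 (embryonic limit), and the second admitted for 4 and refused for 1 (total limit), even though the second client never exceeded the embryonic limit: the two knobs protect against different things, a half-open flood versus plain connection exhaustion.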

Similar Messages

  • Per user bandwidth rate limit.

    How to configure per user bandwidth rate limit for wireless guest client, authentication server is ISE 1.2 & wireless controller is 5760.

    The Cisco 5760 WLC supports better QoS than other controllers, allowing prioritization of mission-critical applications:

    The Cisco 5760 WLC supports four wireless hardware queues and priority-based queuing compared to software-based queuing in existing controllers.

    The Cisco 5760 WLC follows MQC based commands, allowing usage of exact commands for configuring QoS on different types of network devices.

    The Cisco 5760 WLC supports QoS policies to be applied in a hierarchical fashion with more granularity per SSID per radio, while on the current controllers granularity is per WLAN.

    The Cisco 5760 WLC supports approximate fair bandwidth to make sure of fairness at client, SSID, and radio levels for Non-Real Time (NRT) traffic. Therefore, if one user consumes excessive bandwidth, we can limit the amount of bandwidth that user receives and thereby not deprive other users.

  • Can CAR on router rate-limit per address?

    Hi, everyone
    I have a question about CAR on the router. The router has a G703 E1 WAN interface and an Ethernet interface. My goal is to rate-limit the access rate of every IP address under the Ethernet interface; that is, for example, every PC under the Ethernet interface cannot exceed 1Mb/s.
    Can CAR on the router achieve this goal? If so, how to achieve it?
    Many thanks.
    Tao

    Farrukh
    Many thanks for your reply.
    My purpose is to put a maximum access-rate limit on every PC in a LAN. So if there are 100 PCs in the LAN, with the above CAR I have to make 100 ACLs, as below:
    access-list 101 permit ip host 192.168.1.1 any
    access-list 102 permit ip host 192.168.1.2 any
    If so, there will be too many ACL items. And I don't know how many ACLs we can apply under FastEthernet0/0, so it may be unreasonable.
    I know Huawei's Quidway router can support this feature, as below:
    qos carl 1 source-ip-address range 192.168.0.2 to 192.168.0.200 per-address
    I want to know whether Cisco can support this feature, or has some method to achieve it.
    Many thanks
    Tao

  • WLC user rate limit on guest ssid anchor controller

    Hi,
    I have been looking through the forums & some Cisco documents but have not found a good example similar to what I am seeking to do, so now I am turning to the expertise of my peers.
    We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
    Both the foreign and anchor controller are here at my location.
    I am seeking to rate limit per user the bandwidth each client will get on the guest internet SSID.
    As you know this traffic is encapsulated in CAPWAP between the AP and the controller, so I can't use a standard ACL on the switch or router.
    We are trying to keep the guest internet access usage in check on the T1 at any given site so the other SSIDs & local LAN traffic are not overly competing for the bandwidth.
    I found the place to edit the default profiles in the controller but the documentation really isn't clear on best practices.
    So I put it to you, my fellow wireless engineers, to suggest how you are implementing bandwidth management on your wireless guest internet.
    Thanks guys!
    Oh, and here are my hardware & software levels.
    5508 WLC - foreign
    4402 WLC - anchor
    Software Version
    7.0.230.0

    Amjad,
    Thank you for taking the time to respond as well as the document link.
    It was pretty clear on the steps and what it would impact.
    Two things that push me for a different solution (assuming there is one).
    Note: The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
    As you can see from the above note taken from the linked document, the role-based rate limit doesn't really rate limit the T1 traffic any guest user consumes; it only limits usage from the AP down to the client.
    #1 I am looking for a solution that limits the users' up & down streams (if possible) & also before it leaves the AP for the T1.
    The idea is to limit WAN utilization.
    #2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
    Let me clarify that our guest SSIDs are using the HTTP web page pass-through for authentication and it is really only the tick mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest SSIDs.
    ***One last question about this and any other changes***
    Will any change I make be on the "Foreign", "Anchor" or both Controllers?

  • Rate-limit command 3560 does it exist?

    I have just come across a command in my router IOS which might be useful to me. I was wondering if the following command is available on a 3560 switch. I don't see it on my 3550 but the IOS is quite old. I don't have a 3560 available currently to check.
    Config t > int vlan x > rate-limit input/output
    Does this exist on the 3560? I am also interested, if it does, in the bits-per-second range and whether input/output is available.
    Thanks for any help

    Hello,
    what kind of feature are you looking for?
    CAR?
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a0080087f26.html#wp1037428
    For command list check the following link:
    Catalyst 3560 Switch Command Reference, Rel. 12.2(25)SEE
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/cr/index.htm
    For QOS configs:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm
    If you need to rate limit traffic on an interface check:
    Limiting the Bandwidth on an Egress Interface
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm#wp1253412
    Hope this helps a bit;
    if it does, please rate this post.
    Vlad

  • Rate-limit on eompls VCs

    hello guys,
    Is it possible to rate limit an EoMPLS circuit between two PEs (rate-limit per VC)?

    Yes, you can try with MQC. Have a class-map which matches any traffic and police the bandwidth:
    class-map l2test
     match any
    policy-map l2test
     class l2test
      police 2048000 conform-action transmit exceed-action drop
    Let me know if it works

  • Rate limit on 4500

    Hi everybody, I was wondering if it is possible to limit the bandwidth per user on a Catalyst 4500. I mean that I want to specify the bandwidth used by a source IP when it's connected to the switch and manage the bandwidth per interface.
    thanks

    Hi,
    I am attempting to do something similar on a 2950 or 3550 without much luck.
    I have found that Cisco has a feature called CAR (committed access rate) which seems to be supported on the high-end switches. Here's a link I came across.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/car.htm#34571
    I've tried using policies but can't get anything which will work ingress and egress on the lower-end switches.
    Hope it helps.

  • Cisco SG300 VLAN rate-limit

    I have a Cisco SG300 small business switch and 541 APs. There are 2 VLANs in our network. One must be limited in bandwidth. Does anyone have an idea how to configure VLAN rate-limiting on the SG300? And please describe CIR & CBS for me. Thanks.

    http://www.cisco.com/en/US/partner/products/ps10898/prod_command_reference_list.html
    Cisco Small Business 300 Series Managed Switches Command Line Interface Guide Release 1.3
    Select CIR and CBS according to your design. You can use a larger CBS when performance is not ideal.
    49.23 rate-limit (VLAN)
    Use the Layer 2 rate-limit (VLAN) Global Configuration mode command to limit the incoming traffic rate for a VLAN. Use the no form of this command to disable the rate limit.
    Syntax
    rate-limit vlan-id committed-rate committed-burst
    no rate-limit vlan
    Parameters
    • vlan-id—Specifies the VLAN ID.
    • committed-rate—Specifies the average traffic rate (CIR) in kbits per second (kbps). (Range: 3-57982058)
    • committed-burst—Specifies the maximum burst size (CBS) in bytes. (Range: 3000-19173960)
    Default Configuration
    Rate limiting is disabled.
    Committed-burst-bytes is 128K.
    Command Mode
    Global Configuration mode
    User Guidelines
    Traffic policing in a policy map takes precedence over VLAN rate limiting. If a packet is subject to traffic policing in a policy map and is associated with a VLAN that is rate limited, the packet is counted only in the traffic policing of the policy map.
    This command does not work in Layer 3 mode. It does not work in conjunction with IP Source Guard.
    Example
    The following example limits the rate on VLAN 11 to 150000 kbps and the normal burst size to 9600 bytes.
    switchxxxxxx(config)# rate-limit 11 150000 9600

  • Upstream traffic rate limit

    Hi all,
    Upstream traffic rate limit is not supported by the WLC. It will be done by the AP.
    We have a setup of auto-anchor for both corporate and guest (but the authentication mechanism is different). They won't access any internal resource. Only internet traffic is permitted.
    So can we limit the internet traffic for guest users? If we limit the upstream traffic at the AP level, what concerns might we face?
    Kindly help on this.
    Thanks,
    Regards,
    Vijay

    Hello Vijay,
    As per your query i can suggest you the following solution-
    Please refer table 1 of the given link-
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3900.shtml
    Hope this will help you.

  • Rate-limit Burst explanation

    Hi All - I need your help to understand the Burst value in the Rate-Limit
    Example: rate-limit input access-group 101 20000000 24000 32000
    I understand the above configuration limits the traffic to 20Mbps. How do I calculate the Burst-Normal (as per the example above 24000 bytes) and Burst-Max (as per the above example 32000 bytes)? What is the logic for arriving at the Burst-Normal & Burst-Max?
    Thanks in advance
    SAIRAM

    Hi Sairam,
    Below are definitions of a few terms which are involved here.
    CIR: committed information rate, in bits per second, defines the rate defined in the traffic contract.
    Tc: time interval, measured in milliseconds, over which the committed burst (Bc) can be sent.
    Bc: committed burst size, measured in bits. This is the amount of traffic that can be sent over the interval Tc.
    Be: excess burst size, in bits. This is the number of bits beyond Bc that can be sent after a period of inactivity.
    The formula to calculate Bc is
    Bc = CIR*Tc
    Now to understand Bc and Tc, suppose you have applied a 20mbps rate-limit on a 100mbps FastEthernet link. Now the link can send data (bits) only at the clock rate, which is 100mbps, so to achieve a 20mbps rate on that link the router needs to send traffic for 1/5th of a second and remain idle for 4/5th of a second. 1/5th of a second is 200 msec. If the router sends traffic for 200msec and does not send traffic for the next 800msec, it can achieve a rate of 20mbps, but a packet that arrives at the 199th msec will need to wait for 800msec and this will add unnecessary latency to the packet. To avoid this, the router sends a few bits for a short duration and then does not send for some duration. The period for which it sends traffic is called the Tc value, and the number of bytes it can send during that interval is called the Bc value. So CIR = Bc/Tc (bits per interval).
    Now we don't have an option to configure Tc, but we can configure CIR and Bc, and Tc will automatically be calculated. If we do not configure Bc then the router takes a default Tc of 125ms and calculates the Bc.
    What value to choose for Bc
    If we configure Bc too large then Tc will go high for the same CIR and this may cause delay or jitter for delay-sensitive traffic. For delay-sensitive traffic Cisco recommends having Tc 10ms or less.
    If I calculate Tc in the given example, it comes to 9.6ms, which is close to 10ms; that is why Bc is set as 24000.
    Tc = Bc/CIR
       = 24000(bytes)/20000000(bits/sec)
       = 192000(bits)/20000(bits/ms)
       = 192/20
       = 9.6 msec
    Now Be is to give extra bandwidth for a small interval (Tc) to cater for some bursty traffic. Assume there is a bucket which gets filled with Bc amount of tokens in every Tc interval, and the router can send traffic if there is a sufficient amount of tokens available in the bucket, equal to the packet size. After forwarding a packet the router removes the same amount of tokens from the bucket. The size of the bucket is also equal to Bc, which means that if there is no traffic for a Tc interval, the bucket cannot hold more tokens. Be is to increase the size of the bucket to (Bc + Be). Now in every Tc interval the bucket will be filled with Bc tokens, and if there is a period of inactivity then in the next interval the bucket can be filled with an extra Bc amount of tokens till it reaches (Bc + Be), and if there is any bursty traffic (more than Bc) the same can be accommodated. So for a very small period the router may send traffic at a higher rate (higher than CIR, since it sends Bc+Be in a Tc interval) but over a period it does not cross CIR.
    You can also use the below "Ask the expert" event for QoS for further queries related to QoS.
    https://supportforums.cisco.com/discussion/12259571/ask-expert-quality-service-qos-cisco-ios-routers
    Please don't forget to rate the post if it has been helpful.
    Regards,
    Akash
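An added illustration, not code from this thread, that serves two passages: the token-bucket explanation in Akash's reply just above, and the question at the top of the page about policing every address of a /24 at 2 M without 250 class-maps. `tc_ms` carries out the Tc = Bc/CIR calculation from the reply; `TokenBucket` is a dual bucket of depth Bc + Be refilled at CIR, following the simplified bucket description in the reply rather than the exact IOS CAR implementation; `PerSourcePolicer` keys one bucket per source IP, created on first sight, and can also run the whole class through a single bucket for comparison. The addresses, frame sizes, timings and the 2 Mbps / 25000-byte values are constructed for the demonstration.

```python
"""CAR-style token-bucket policer model, per source IP (constructed example)."""
from collections import defaultdict


def tc_ms(cir_bps: int, bc_bytes: int) -> float:
    """Tc in milliseconds for a CIR in bits/s and a normal burst Bc in bytes: Tc = Bc / CIR."""
    return bc_bytes * 8 / cir_bps * 1000


class TokenBucket:
    """Bucket of at most Bc + Be bytes, refilled at CIR; the Be part is only reached after idle time."""

    def __init__(self, cir_bps: int, bc_bytes: int, be_bytes: int = 0):
        self.cir_bps = cir_bps
        self.depth = bc_bytes + be_bytes
        self.tokens = float(bc_bytes)   # starts at the normal burst, not the extended one
        self.last_ms = 0

    def conform(self, t_ms: int, size: int) -> bool:
        """Frame of `size` bytes at time t_ms: True = transmit, False = exceed (drop)."""
        elapsed = t_ms - self.last_ms
        self.tokens = min(self.depth, self.tokens + elapsed * self.cir_bps / 8000)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class PerSourcePolicer:
    """Police each source IP independently (per_source=True) or the whole class through one bucket."""

    def __init__(self, cir_bps: int, bc_bytes: int, be_bytes: int = 0):
        self.params = (cir_bps, bc_bytes, be_bytes)
        self.buckets = defaultdict(lambda: TokenBucket(*self.params))

    def police(self, trace, per_source: bool = True) -> dict:
        """trace: iterable of (t_ms, src_ip, size_bytes) in time order.
        Returns {src_ip: (transmitted, dropped)}."""
        stats = defaultdict(lambda: [0, 0])
        for t_ms, src, size in trace:
            bucket = self.buckets[src if per_source else "*"]
            stats[src][0 if bucket.conform(t_ms, size) else 1] += 1
        return {ip: tuple(v) for ip, v in stats.items()}


CIR = 2_000_000   # 2 Mbps per address, the OP's target (assumed value)
BC = 25_000       # 25000 bytes, giving Tc = 100 ms (assumed value)


def sample_trace() -> list:
    """Constructed 100 ms trace: one host at 12 Mbps, one at 1.2 Mbps, 1500-byte frames."""
    fast = [(t, "10.0.0.1", 1500) for t in range(0, 100, 1)]
    slow = [(t, "10.0.0.2", 1500) for t in range(0, 100, 10)]
    return sorted(fast + slow, key=lambda p: p[0])   # stable sort: fast host first at equal times


def police_per_source() -> dict:
    """One bucket per address: the slow host is unaffected by the fast one."""
    return PerSourcePolicer(CIR, BC).police(sample_trace(), per_source=True)


def police_aggregate() -> dict:
    """One bucket for the whole /24 class: the fast host drains it for everyone."""
    return PerSourcePolicer(CIR, BC).police(sample_trace(), per_source=False)


def burst_after_idle(be_bytes: int, frames: int = 30) -> int:
    """1500-byte frames arriving back-to-back after 200 ms of silence; returns how many conform."""
    bucket = TokenBucket(CIR, BC, be_bytes)
    return sum(bucket.conform(200, 1500) for _ in range(frames))


if __name__ == "__main__":
    print(f"Tc for 20 Mbps / 24000 bytes: {tc_ms(20_000_000, 24000):.1f} ms")
    print("per-source:", police_per_source())
    print("aggregate :", police_aggregate())
    print("burst after idle, Be=0:", burst_after_idle(0), " Be=Bc:", burst_after_idle(BC))
```

With these values the host sending a 1500-byte frame every millisecond is held to the CIR (33 of its 100 frames transmitted, 67 dropped) while the host sending every 10 ms loses nothing; through a single shared bucket the slow host starts losing frames too, which is the reason the original question insists on "per IP". `burst_after_idle` shows what Be buys: after 200 ms of silence a 30-frame burst passes in full with Be = Bc but only 16 frames pass with Be = 0, and `tc_ms(20_000_000, 24000)` reproduces the 9.6 ms in the reply.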

  • Ace Module logging rate limit

    Hi All,
    I have tried to configure the above parameter but it doesn't seem to be working.
    The version running on the ACE is 2.3.4 and I am running multiple contexts.
    The below configuration was tried on one of the contexts, not being Admin.
    The command I used was :
    logging rate-limit 42 60 message 251010
    What I am trying to achieve here is receive notification that a rserver has failed its connectivity check, therefore alerting the relevant people.
    The issue I am encountering is that every second I receive all the alerts again.
    I only want to receive the alert once if possible, and again once the rserver has come back online.
    Is this possible, if so please explain how I can do it?
    TIA.
    Jack.

    Your rate limit should be giving you 42 of those messages per 60 seconds. But this is a health probe failure which, depending on how many, does not necessarily mean the server is down (depends on the fail count). Also it is a level 6 message. The message you really want is:
    Error Message    %ACE-4-442001:  Health probe probe name detected real_server_name
    (interface interface_name) in serverfarm sfarm_name changed state to UP
    Explanation    The state of a  real server changed from down to up.
    Recommended Action    None  required.
    442002
    Error Message    %ACE-4-442002:  Health probe probe name detected real_server_name
    (interface interface_name) in serverfarm sfarm_name changed state to DOWN
    I suggest you do logging at level 4 and you will only see the message when the server state changes.

  • 3750X rate-limit (QoS)

    Hello,
    I'm trying to configure a rate-limit in a 3750X but I'm not seeing any result... 
    These are my configurations:
    RF#show run 
    Building configuration...
    Current configuration : 23410 bytes
    ! Last configuration change at 08:53:35 UTC Sun Mar 14 1993
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname RF
    boot-start-marker
    boot-end-marker
    no aaa new-model
    switch 1 provision ws-c3750x-48p
    system mtu routing 1500
    ip routing
    ip domain-name erf.carco.com.mx
    rep admin vlan 100
    mls qos
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 2
    vlan 4 
    vlan 6
    vlan 8
    vlan 10
    vlan 20
    vlan 21   
    vlan 22
    vlan 23
    vlan 25 
    vlan 26
    vlan 30
    vlan 50
    vlan 53
    vlan 70
    vlan 81
    vlan 91
    vlan 92
    vlan 93
    vlan 95
    vlan 96
    vlan 99
    vlan 100
    vlan 102
    vlan 110
    vlan 122
    vlan 129
    vlan 200
    vlan 213
    vlan 227
    vlan 333
    vlan 357
    vlan 417
    vlan 444
    vlan 500
    vlan 502
    vlan 555
    vlan 700
    vlan 712
    vlan 910
    vlan 911
    vlan 951
    vlan 1105
    vlan 1508
    vlan 1830
    vlan 1870
    vlan 1890
    vlan 1891
    vlan 1892
    class-map match-any test
      match access-group 100
    policy-map test
     class test
      police 150000000 512000 exceed-action drop
    interface Loopback0
     ip address 10.20.40.106 255.255.255.0
    interface Port-channel22
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     rep segment 10
    interface Port-channel24
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     rep segment 10
    interface FastEthernet0
     no ip address
     no ip route-cache
     shutdown
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/2
    interface GigabitEthernet1/0/3
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     no logging event link-status
     shutdown
     speed 1000
     duplex full
    interface GigabitEthernet1/0/4
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,8,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
     speed 1000
     duplex full
    interface GigabitEthernet1/0/5
    interface GigabitEthernet1/0/6
    interface GigabitEthernet1/0/7
    interface GigabitEthernet1/0/8
    interface GigabitEthernet1/0/9
    interface GigabitEthernet1/0/10
     switchport access vlan 91
     switchport mode access
     logging event link-status
    interface GigabitEthernet1/0/11
    interface GigabitEthernet1/0/12
    interface GigabitEthernet1/0/13
    interface GigabitEthernet1/0/14
    interface GigabitEthernet1/0/15
     switchport access vlan 91
     switchport mode access
     logging event link-status
    interface GigabitEthernet1/0/16
    interface GigabitEthernet1/0/17
    interface GigabitEthernet1/0/18
    interface GigabitEthernet1/0/19
    interface GigabitEthernet1/0/20
     switchport access vlan 91
     switchport mode access
     logging event link-status
    interface GigabitEthernet1/0/21
    interface GigabitEthernet1/0/22
    interface GigabitEthernet1/0/23
    interface GigabitEthernet1/0/24
    interface GigabitEthernet1/0/25
     switchport access vlan 910
     switchport mode access
    interface GigabitEthernet1/0/26
    interface GigabitEthernet1/0/27
    interface GigabitEthernet1/0/28
    interface GigabitEthernet1/0/29
    interface GigabitEthernet1/0/30
    interface GigabitEthernet1/0/31
    interface GigabitEthernet1/0/32
    interface GigabitEthernet1/0/33
    interface GigabitEthernet1/0/34
    interface GigabitEthernet1/0/35
    interface GigabitEthernet1/0/36
    interface GigabitEthernet1/0/37
     no switchport
     bandwidth 150000
     ip address 10.20.103.13 255.255.255.252
     rate-limit output access-group 100 24000000 3000000 3000000 conform-action transmit exceed-action drop
     logging event link-status
    interface GigabitEthernet1/0/38
    interface GigabitEthernet1/0/39
    interface GigabitEthernet1/0/40
    interface GigabitEthernet1/0/41
    interface GigabitEthernet1/0/42
    interface GigabitEthernet1/0/43
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     channel-group 24 mode on
    interface GigabitEthernet1/0/44
    interface GigabitEthernet1/0/45
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/0/46
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/0/47
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport mode trunk
     bandwidth 10000000
     channel-group 22 mode on
    interface GigabitEthernet1/0/48
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 6
     switchport trunk allowed vlan 2,7,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     logging event link-status
     shutdown
    interface GigabitEthernet1/1/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/1/2
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 100
     switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
     switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     shutdown
    interface GigabitEthernet1/1/3
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 6
     switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
     logging event link-status
     shutdown
    interface GigabitEthernet1/1/4
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 6
     switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
     switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
     switchport mode trunk
     logging event link-status
     shutdown
    interface TenGigabitEthernet1/1/1
    interface TenGigabitEthernet1/1/2
    interface Vlan1
     no ip address
     shutdown
    interface Vlan6
     description ***LANERF**
     ip address 10.20.6.106 255.255.255.0
     no ip redirects
    interface Vlan23
     description < TRANSITO MUR >
     no ip address
     no ip redirects
    interface Vlan100
     description < VLAN MAN >
     ip address 10.20.100.106 255.255.255.0
     no ip redirects
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 7 032368342B2F0F
     ip ospf dead-interval minimal hello-multiplier 4
    router ospf 1
     router-id 10.20.40.106
     auto-cost reference-bandwidth 100000
     area 0.0.0.0 authentication message-digest
     area 1.80.1.1 authentication message-digest
     redistribute connected subnets
     redistribute static subnets
     passive-interface default
     no passive-interface Vlan23
     no passive-interface Vlan100
     no passive-interface GigabitEthernet1/0/37
     network 10.20.6.0 0.0.0.0 area 0.0.0.0
     network 10.20.40.106 0.0.0.0 area 0.0.0.0
     network 10.20.91.6 0.0.0.0 area 0.0.0.0
     network 10.20.100.106 0.0.0.0 area 0.0.0.0
     default-information originate
    ip http server
    ip http secure-server
    access-list 100 permit ip 10.50.80.0 0.0.0.255 10.80.80.0 0.0.0.255
    access-list 100 permit ip 10.80.80.0 0.0.0.255 10.50.80.0 0.0.0.255
    snmp-server community ASComRO RO
    line con 0
    line vty 0 4
     login
    line vty 5 15
     login
    event manager applet track_qos_down authorization bypass
     event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Up->Down"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface giga1/0/37"
     action 4 cli command "rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
     action 5 cli command "end"
    event manager applet track_qos_up authorization bypass
     event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Down->Up"
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "interface giga1/0/37"
     action 4 cli command "no rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
     action 5 cli command "end"
    end
    ERF#     
    ERF#show mls qos 
    QoS is enabled 
    QoS ip packet dscp rewrite is enabled 
    ERF#show mls qos inter gigabitEthernet 1/0/37 
    GigabitEthernet1/0/37 
    trust state: not trusted 
    trust mode: not trusted 
    trust enabled flag: ena 
    COS override: dis 
    default COS: 0 
    DSCP Mutation Map: Default DSCP Mutation Map 
    Trust device: none 
    qos mode: port-based 
    When I apply the command I see a gauge using a 3rd-party tool, but I'm not seeing that the traffic is truncated @ 50Mbps.
    Any thoughts???

    Hi
    The bandwidth command allocates the particular amount of bandwidth you mention or configure there.
    Basically you have the liberty to configure up to 75% of the available interface bandwidth to different classes.
    It is most widely used with the CBWFQ technique.
    So while configuring the same, it is better to watch out for the exact bandwidth value keyed in on the interface to have your allocation work properly.
    Policing is basically used for limiting the traffic or to control the bursts by dropping them or marking them with different IP precedence or DSCP values.
    It's very much similar to the rate-limit command applied at the interface level, which again uses a token bucket system, either single or dual, based on the configuration parameters.
    For more info on the above mentioned CLIs do check these links.
    http://www.cisco.com/en/US/tech/tk543/tk545/tsd_technology_support_protocol_home.html
    http://www.cisco.com/en/US/tech/tk543/tk544/tsd_technology_support_protocol_home.html
    Regards

  • Nexus 5548 rate limit

    Hello,
    I am trying to set up a rate limit on FEX ports (model is N2K-C2248TP-1GE) of a 5548UP (non L3). Software version is: version 6.0(2)N2(2)
    I have tried the following setup without success:
    ip access-list ACL_CUST
      10 permit ip 10.100.100.1/32 10.100.100.2/32
      20 permit ip 10.100.100.2/32 10.100.100.1/32
    class-map type qos match-all CMQOS_CUST
      match access-group name ACL_CUST
    policy-map type qos PMQOS_CUST
    class CMQOS_CUST
        police cir percent 1 bc 200 ms conform transmit violate drop
    interface Ethernet161/1/11 - 12
      service-policy type qos input PMQOS_CUST
    And also tried to use this configuration:
    class-map type qos match-all CMQOS_LIMIT_BP_CUST
      match cos 0-7
    policy-map type qos PMQOS_LIMIT_BP_CUST
      class CMQOS_LIMIT_BP_CUST
        police cir percent 1 bc 200 ms conform transmit violate drop
    interface Ethernet161/1/11 - 12
      service-policy type qos input PMQOS_LIMIT_BP_CUST
    The problem is that the bandwidth restriction (1 percent of 1Gbit/s should be 10Mbit/s) is not working and apparently no restriction is applied.
    If someone could help me to resolve this issue it would be greatly appreciated.
    I have followed this guide:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/qos/503_n1_1/cisco_nexus_5000_qos_config_gd_503_chapter3.html
    Thanks !

    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/verified_scalability/702N11/b_N5600_Verified_Scalability_702N11/b_N6000_Verified_Scalability_700N11_chapter_01.html
    Maximum FEXs per Switch: 24 / 24
    Maximum FEXs dual-homed to a vPC Switch Pair: 24 / 24

  • ICMP unreacheble, rate-limit

    Hi !
    I'm currently working on a network hardening project.
    Based on Cisco security best practice, I see it's recommended to rate limit the generation of ICMP unreachable messages to prevent DoS attacks (according to document: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74).
    On a Catalyst 6509 running IOS 12.2(17r)SX5 I see two possible ways to rate-limit ICMP messages if mls QoS is running.
    1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enabled by default, according to document: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
    mls rate-limit unicast ip ICMP unreachable no-route 100 10
    2- ip ICMP rate-limit unreachable <millisecond> (500 ms is the default parameter, which permits 2 packets per second; also enabled by default if I base myself on: http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
    Which one of those commands has precedence over the other?
    Which one is better than the other?
    With the mls rate-limit option we have the possibility to check the default parameter with the "show mls rate-limit" command; does an equivalent exist for "ip ICMP rate-limit unreachable"?
    We also have Catalyst 3550 switches, on which we have to rate-limit generation of ICMP unreachable messages for the same reason as on the 6509. I understand the "ip ICMP rate-limit unreachable" command is my only option; under "mls" the only options I have are QoS or aclmerge. Under those parameters I have no way to rate-limit ICMP message generation....
    I have checked in the running-configuration and did not find any reference to the ICMP rate-limit command; I hope this is active as explained in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section (Version 12.2(44)SE3), but I would like to be able to confirm this if any show command exists to do so.
    thanks a lot !

    Hello Marcus,
    On the ASA, as you are already aware, we only have the choice of modifying the ICMP unreachable rate.
    With IOS, the ICMP unreachable replies will be rate limited to one every 500ms.
    Use:
    show ip icmp rate-limit
    Besides that I have not seen any other information that you could customize.
    Regards
