Committed Access Rate Limiting


Scenario:

A host on your network has been surfing the web and transfers files far too much. Your boss is old school and does not like class-based QoS nor MQC. You have to find a way to police traffic from that host before it cripples your network!

Goal:

  • Nothing has been preconfigured for you!
  • Make the proper physical connections as outlined in the diagram.
  • The bandwidth between R1 and R2 is 496 kbps. Configure this.
  • Add a static default route onto both R1 and R3 as they represent hosts.
  • Ensure you have IP connectivity from R1 to R3 before continuing.
  • Without using MQC or CB Policing, police traffic from R1, configured on R2 as follows. Bc should be equal to the CIRs:
  • Police all traffic to 496 kbps, dropping all exceeding traffic. Before this traffic is forwarded, apply the additional policing …
  • Police web traffic at 400 kbps, dropping all exceeding traffic.
  • Police FTP traffic at 160 kbps, dropping all exceeding traffic.
  • Police ICMP traffic at 200 kbps, dropping all exceeding traffic.

IOS:

c3725-adventerprisek9-mz.124-7.image

Topology:

car rate limit

Opt In Image
Do you want your CCNA or CCNP Certificate?

The How to Master series helps you to understand complex topics like spanning-tree, VLANs, trunks, OSPF, EIGRP, BGP and more.

Written by René Molenaar - CCIE #41726

You May Also Like

About the Author: Nicholas Russo

11 Comments

    1. In order to solve this lab without using MQC and Class-based QoS (still wondering why anyone will do that:) ) I’ve used a combination of interface rate-limit subcommand in combination with extended access-list, find below part of my configuration on R2,

      Rate-limit config:

      interface FastEthernet0/0
      bandwidth 496
      ip address 192.168.12.2 255.255.255.0
      rate-limit input access-group 100 496000 496000 496000 conform-action continue exceed-action drop
      rate-limit input access-group 101 400000 400000 400000 conform-action continue exceed-action drop
      rate-limit input access-group 102 160000 160000 160000 conform-action continue exceed-action drop
      rate-limit input access-group 103 200000 200000 200000 conform-action continue exceed-action drop
      rate-limit output access-group 100 496000 496000 496000 conform-action continue exceed-action drop
      rate-limit output access-group 101 400000 400000 400000 conform-action continue exceed-action drop
      rate-limit output access-group 102 160000 160000 160000 conform-action continue exceed-action drop
      rate-limit output access-group 103 200000 200000 200000 conform-action continue exceed-action drop

      Access-list config:

      access-list 100 permit ip any any
      access-list 101 permit tcp any any eq www
      access-list 102 permit tcp any any range ftp-data ftp
      access-list 103 permit icmp any any

      I was only able to test the ICMP portion by pinging from R1 to R3 with a 15000 byte size repeated 100 times, then observing the show interface rate-limit ( you can filter it down with | sec access-list 103).

      It works but I don’t know if that was the intended solution, so I’m also looking forward for the video solution.

      Thank.

  1. Hi Rene,

    I don’t have any prior knowledge of QoS. Can you please tell me what should be the starting point to learn this topic.

    Thank you

    Taslim

  2. R2#sh run int fa0/1
    Building configuration…

    Current configuration : 480 bytes
    !
    interface FastEthernet0/1
    ip address 192.168.23.2 255.255.255.0
    rate-limit output access-group 101 400000 400000 400000 conform-action transmit exceed-action drop
    rate-limit output access-group 102 160000 160000 160000 conform-action transmit exceed-action drop
    rate-limit output access-group 103 200000 200000 200000 conform-action transmit exceed-action drop
    rate-limit output 496000 496000 496000 conform-action transmit exceed-action drop
    duplex auto
    speed auto
    end

    R2#sh run | i access-list
    access-list 101 permit tcp any any eq www
    access-list 102 permit tcp any any eq ftp
    access-list 103 permit icmp any any

    Verification for icmp packet:

    R2#sh int rate-limit | s 103
    matches: access-group 103
    params: 200000 bps, 200000 limit, 200000 extended limit
    conformed 2134 packets, 1266712 bytes; action: transmit
    exceeded 38 packets, 56296 bytes; action: drop
    last packet: 904ms ago, current burst: 199076 bytes
    last cleared 00:14:17 ago, conformed 11000 bps, exceeded 0 bps

  3. My config is as follows:

    R2#sho run | s access-l
    access-list 100 permit tcp any any eq www
    access-list 100 permit tcp any any eq 443
    access-list 110 permit tcp any any eq ftp
    access-list 120 permit icmp any any
    R2#sho run int fa0/0
    Building configuration…

    Current configuration : 485 bytes
    !
    interface FastEthernet0/0
    bandwidth 496
    ip address 12.12.12.2 255.255.255.0
    rate-limit output access-group 100 400000 50000 50000 conform-action transmit exceed-action drop
    rate-limit output access-group 110 400000 50000 50000 conform-action transmit exceed-action drop
    rate-limit output access-group 120 200000 25000 25000 conform-action transmit exceed-action drop
    rate-limit output 496000 62000 62000 conform-action transmit exceed-action drop
    duplex auto
    speed auto
    end

    R2#sho int fa0/0 rate-limit
    FastEthernet0/0
    Output
    matches: access-group 100
    params: 400000 bps, 50000 limit, 50000 extended limit
    conformed 0 packets, 0 bytes; action: transmit
    exceeded 0 packets, 0 bytes; action: drop
    last packet: 1939428ms ago, current burst: 0 bytes
    last cleared 00:03:37 ago, conformed 0 bps, exceeded 0 bps
    matches: access-group 110
    params: 400000 bps, 50000 limit, 50000 extended limit
    conformed 0 packets, 0 bytes; action: transmit
    exceeded 0 packets, 0 bytes; action: drop
    last packet: 1939436ms ago, current burst: 0 bytes
    last cleared 00:03:37 ago, conformed 0 bps, exceeded 0 bps
    matches: access-group 120
    params: 200000 bps, 25000 limit, 25000 extended limit
    conformed 1594 packets, 2232860 bytes; action: transmit
    exceeded 317 packets, 478702 bytes; action: drop
    last packet: 88284ms ago, current burst: 24226 bytes
    last cleared 00:03:36 ago, conformed 82000 bps, exceeded 17000 bps
    matches: all traffic
    params: 496000 bps, 62000 limit, 62000 extended limit
    conformed 7 packets, 504 bytes; action: transmit
    exceeded 0 packets, 0 bytes; action: drop
    last packet: 33264ms ago, current burst: 0 bytes
    last cleared 00:04:04 ago, conformed 0 bps, exceeded 0 bps

  4. don’t forget the burst values are in bytes and the rate-limit (police) value is in bits. You have to device your burst in kbs by 8 in order to convert bits to byte values.

Comments are closed.