Bandwidth Limiting on per IP basis

Hi all,

I'm confused with the bandwidth limit that I did; maybe anyone can clear my mind on this. I tried to limit bandwidth on a specific IP address and here's what I did.

access-list 101 permit ip host 10.10.10.5 any
access-list 101 permit ip any host 10.10.10.5

int E0/0  -> attached to switch
  traffic-shape group 101 512000

Now my question is, based on the traffic-shape statistics, I got a lot of packets delayed and bytes delayed since bandwidth traffic in the router is very low.

5 minute input rate 231000 bits/sec and 5 minute output rate 158000 bits/sec.

router#sh traffic-shape statistics
             Access Queue     Packets   Bytes      Packets   Bytes      Shaping
I/F          List   Depth                          Delayed   Delayed    Active
Et0/0        101    0         14440     13493717   4200      4759171    yes

Sometimes, Shaping Active turns to no. Why?
How are these packets being delayed, since the input rate and output rate are very low?

Any recommendation for good and stable bandwidth limiting? I'm running a Cisco 2611 with IOS 12.1(6).

TIA

Sorry, I'm new here so I could only give 100 points. :)
0
Asked by: cwiggler
 
chicagoan Commented:
The rate you see is an average. Shaping prevents the actual rate from ever exceeding the limit, so while your average may be low, a few bursts may have been throttled.
0
 
cwiggler (Author) Commented:
Is the bandwidth shaping on the Ethernet interface fine? How about my access-list: could it throttle the bandwidth going out for that specific IP address, or am I shaping the whole interface?
0
 
chicagoan Commented:
You're limiting traffic from the one host only, assuming that address is not a firewall or router interface.
0
 
cwiggler (Author) Commented:
Some more please. =)
0
 
cwiggler (Author) Commented:
Last question. What does access-list 101 do? Is it filtering incoming, outgoing or both? In my idea, 101 is for incoming; am I filtering incoming only?

0
 
 
sheahmed Commented:
cwiggler, traffic shaping works on outbound traffic only ... 101 is on your outgoing traffic ...

and it shows active=yes when the threshold is reached .... threshold is the max bytes you define ... and shaping is in progress ...

active=no when there isn't any shaping in progress ....

it directly affects your CPU load so be careful ...

Regards,
Sheeraz Ahmed
0
 
sheahmed Commented:

Try Rate-Limit ... It works both ways ... (i.e. inbound and outbound)
0
 
cwiggler (Author) Commented:
Sheahmed, can you give me an example of how to do the rate-limit on a per-IP basis?
0
 
sheahmed Commented:
cwiggler, rate-limit is more flexible and deeper than traffic shaping; here you can define actions to be taken on reaching the limit ...

router(config-if)# rate-limit input access-group 101 32000 8000 16000 conform-action transmit exceed-action drop

here ...
access-group 101 is the traffic which will be limited to 32k ...
8000 is normal burst size
16000 is excess burst size

I would like you to study topics of CAR (Committed Access Rate) supported by Cisco on the web to explore the features of rate-limit ...

Regards,
Sheeraz Ahmed
0
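
Added example (not part of any post in this thread): a simplified single-token-bucket model in Python of the behaviour discussed above, where the average offered rate stays below the 512000 bps limit yet bursts are delayed by a shaper or dropped by a policer. The bucket depth, packet size and traffic pattern are constructed assumptions, and this is not Cisco's exact traffic-shape or rate-limit (CAR) algorithm.

```python
# Added example: simplified single token bucket, not Cisco's exact GTS/CAR logic.
RATE_BPS = 512_000     # limit from the thread's traffic-shape command
BURST_BITS = 64_000    # assumed bucket depth (not from the thread)
PKT_BITS = 1500 * 8    # assumed packet size

def make_traffic(seconds=10, burst_pkts=40):
    """Constructed arrivals: a back-to-back burst at the start of each second."""
    return [(float(s), PKT_BITS) for s in range(seconds) for _ in range(burst_pkts)]

def average_bps(arrivals, seconds=10):
    """Offered load averaged over the whole window, like the interface counters."""
    return sum(size for _, size in arrivals) / seconds

def police(arrivals, rate=RATE_BPS, burst=BURST_BITS):
    """Policer (rate-limit style): no tokens means drop. Returns (sent, dropped)."""
    tokens, last, sent, dropped = burst, 0.0, 0, 0
    for t, size in arrivals:
        tokens = min(burst, tokens + (t - last) * rate)  # refill since last packet
        last = t
        if tokens >= size:
            tokens -= size
            sent += 1
        else:
            dropped += 1
    return sent, dropped

def shape(arrivals, rate=RATE_BPS, burst=BURST_BITS):
    """Shaper: no tokens means wait in a FIFO. Returns (sent, delayed, max_delay_s)."""
    tokens, clock, delayed, max_delay = burst, 0.0, 0, 0.0
    for t, size in arrivals:
        now = max(t, clock)                     # cannot leave before its predecessor
        tokens = min(burst, tokens + (now - clock) * rate)
        if tokens < size:                       # hold until the bucket covers the packet
            now += (size - tokens) / rate
            tokens = size
        tokens -= size
        clock = now
        if now > t:
            delayed += 1
            max_delay = max(max_delay, now - t)
    return len(arrivals), delayed, max_delay

if __name__ == "__main__":
    traffic = make_traffic()
    print("average offered bps:", average_bps(traffic))
    print("policer (sent, dropped):", police(traffic))
    print("shaper (sent, delayed, max delay s):", shape(traffic))
```

With this constructed traffic the average is 480000 bps, under the limit, yet the shaper delays 350 of 400 packets and the policer drops 350 of them.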
 
cwiggler (Author) Commented:
Hi Sheeraz,

What should the access-list used for rate-limit be? Can I use my access-list sample?

Your example is for the input; can I use the rate-limit output access-group 101 32000 8000 16000?

Can you compare the rate-limit and traffic-shape in terms of memory utilization?

Thanks

Cwiggler
0
 
sheahmed Commented:
Yes cwiggler, Rate-Limit works both ways ... and you can implement it for your output as well ...

I will recommend it to traffic shape or rate limit on two different interfaces ... like if you are implementing it on FastEth for inbound, then ...

access-list 101 permit ip host 10.10.10.5 any

and if you are implementing it on Serial for inbound,
then ...

access-list 109 permit ip any host 10.10.10.5

if 10.10.10.5 is your VoIP device? then access-list is fine ...
0
 
sheahmed Commented:
cwiggler, kindly skip this line
"if 10.10.10.5 is your VoIP device? then access-list is fine ... "

I merged another query with this one ... sorry

if your host is 10.10.10.5, then access-list is fine ... and as far as the CPU load is concerned ... it increases only when the threshold is reached, and shaping or limiting is in progress ... traffic shaping is lighter than the rate-limit ... but you'd better monitor it ...
0
 
cwiggler (Author) Commented:
Hi sheahmed,

I tried to implement the rate-limit on my router E0, which is facing the LAN. I set a specific bandwidth for a specific IP address. I monitored the input rate (5 minutes) of E0.

I have a question. Why is it that the 5 minute input rate goes higher, to 1MB, since I set 512 for a specific IP address and that is the only IP address using the bandwidth? Can you explain to me further why?

Btw, 10.10.10.5 is the gateway of a separate network. I also have an MRTG and I could see a high bandwidth consumption on the router E0.

Can I ask for your Yahoo ID or MSN ID, so we could talk in private?

thanks

Cwiggler
0
 
sheahmed Commented:
You implemented that rate-limit for both inbound and outbound traffic?
What was your excess and normal burst size?

my id is <edited by AnnieMod for user privacy>
0
 
danasp Commented:
Hi!

I know I found your question a bit late but I just wanted to tell you this: Consider using traffic-shaping instead of rate-limit. Rate-limit is not designed to limit/shape traffic in the same nice way as traffic-shaping is.
0
 
selva123 Commented:

Hi,

I have the same problem; below is my config.

interface FastEthernet0
 description $$$$ Lan $$$$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet1
 description ######## Internet #########
 ip address 192.168.0.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 101 96000 24000 48000 conform-action transmit exceed-action drop
 rate-limit output access-group 101 96000 24000 480000 conform-action transmit exceed-action drop
 duplex auto
 speed auto

ip nat pool IP_NAT 192.168.0.11 192.168.0.11 netmask 255.255.255.0
ip nat inside source list 100 pool IP_NAT overload
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip host 192.168.2.10 any

Above is my config, but it's not working. If I apply access-list 101 permit ip any any, it applies to all hosts and works fine.

Kindly suggest which will be the right command.
0
 
