Solved

Bandwidth Limiting on per IP basis

Posted on 2003-10-25
Last Modified: 2010-07-25
Hi all,

I'm confused with the bandwidth limit that I did, maybe someone can clear my mind on this. I tried to limit bandwidth on a specific IP address and here's what I did.

access-list 101 permit ip host 10.10.10.5 any
access-list 101 permit ip any host 10.10.10.5

int E0/0  -> attached to switch
  traffic-shape group 101 512000

Now my question is, based on the traffic-shape statistics, I got a lot of packets delayed and bytes delayed since bandwidth traffic in the router is very low.

5 minute input rate 231000 bits/sec and 5 minute output rate 158000 bits/sec.

router#sh traffic-shape statistics
              Access Queue     Packets   Bytes      Packets   Bytes     Shaping
I/F           List   Depth                          Delayed   Delayed   Active
Et0/0         101    0         14440     13493717   4200      4759171   yes

Sometimes, Shaping Active turns to no, why?
How are these packets being delayed since the input rate and output rate are very low?

Any recommendation for good and stable bandwidth limiting? I'm running a Cisco 2611 with IOS 12.1(6).

TIA

Sorry, I'm new here so I could only give 100 points. :)
0
Comment
Question by:cwiggler
19 Comments
 
LVL 18

Expert Comment

by:chicagoan
ID: 9621367
The rate you see is an average, shaping prevents the actual rate from ever exceeding the limit, so while your average may be low, a few bursts may have been throttled.
0
 

Author Comment

by:cwiggler
ID: 9622905
Is the bandwidth shaping on the Ethernet interface fine? How about my access-list, could it throttle the bandwidth going out for that specific IP address or am I shaping the whole interface?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9625037
You're limiting traffic from the one host only, assuming that address is not a firewall or router interface.
0
 

Author Comment

by:cwiggler
ID: 9626161
Some more please. =)
0
 

Author Comment

by:cwiggler
ID: 9626808
Last question. What does access-list 101 do? Is it filtering incoming, outgoing or both? In my idea, 101 is for incoming, am I filtering incoming only?

0
 

LVL 3

Accepted Solution

by:
sheahmed earned 120 total points
ID: 9664014
cwiggler, traffic shaping works on outbound traffic only ... 101 is on your outgoing traffic ...

and it shows active=yes when the threshold is reached .... threshold is the max bytes you define ... and shaping is in progress ...

active=no when there isn't any shaping in progress ....

it directly affects your CPU load so be careful ...

Regards,
Sheeraz Ahmed
0
 
LVL 3

Expert Comment

by:sheahmed
ID: 9664019

Try Rate-Limit ... It works both ways ... (i.e. inbound and outbound)
0
 

Author Comment

by:cwiggler
ID: 9664308
Sheahmed, can you give me an example of how to do the rate-limit on a per-IP basis?
0
 
LVL 3

Expert Comment

by:sheahmed
ID: 9665731
cwiggler, rate-limit is more flexible and deeper than traffic shaping, here you can define actions to be taken on reaching the limit ...

router(config-if)# rate-limit input access-group 101 32000 8000 16000 conform-action transmit exceed-action drop

here ...
access-group 101 is the traffic which will be limited to 32k ...
8000 is normal burst size
16000 is excess burst size

I would like you to study topics of CAR (Committed Access Rate) supported by Cisco on the web to explore the features of rate-limit ...

Regards,
Sheeraz Ahmed
0
 

Author Comment

by:cwiggler
ID: 9666834
Hi Sheeraz,

What should be the access-list used for rate-limit? Can I use my access-list sample?

Your example is for the input, can I use the rate-limit output access-group 101 32000 8000 16000 ?

Can you compare the rate-limit and traffic-shape in terms of memory utilization?

Thanks

Cwiggler
0
 
LVL 3

Expert Comment

by:sheahmed
ID: 9668486
Yes cwiggler, Rate-Limit works both ways ... and you can implement it for your output as well ...

I will recommend to traffic shape or rate limit on two different interfaces ... like if you are implementing it on FastEth for inbound, then ...

access-list 101 permit ip host 10.10.10.5 any


and if you are implementing it on Serial for inbound,
then ...

access-list 109 permit ip any host 10.10.10.5


if 10.10.10.5 is your VoIP device? then access-list is fine ...
0
 
LVL 3

Expert Comment

by:sheahmed
ID: 9668612
cwiggler, kindly skip this line
"if 10.10.10.5 is your VoIP device? then access-list is fine ... "

I merged another query with this one ... sorry

if your host is 10.10.10.5, then access-list is fine ... and as far as the CPU load is concerned ...  it increases only when the threshold is reached, and shaping or limiting is in progress ... traffic shaping is lighter than the rate-limit ... but you better monitor it ...
0
 

Author Comment

by:cwiggler
ID: 9688911
Hi sheahmed,

I tried to implement the rate-limit on my router E0 which is facing the LAN. I set a specific bandwidth to a specific IP address. I monitored the input rate (5 minutes) of E0.

I have a question. Why is it that the 5 minute input rate goes higher to 1MB since I set 512 to a specific IP address and that is the only IP address using the bandwidth? Can you explain it to me further why?

Btw, 10.10.10.5 is the gateway of a separate network. I also have an MRTG and I could see a high bandwidth consumption on the router E0.

Can I ask for your Yahoo ID or MSN ID, so we could talk in private?

thanks

Cwiggler
0
 
LVL 3

Expert Comment

by:sheahmed
ID: 9692381
You implemented that rate-limit for both inbound and outbound traffic?
What was your excess and normal burst size?

My ID is <edited by AnnieMod for user privacy>
0
 
LVL 1

Expert Comment

by:danasp
ID: 10248919
Hi!

I know I found your question a bit late but I just wanted to tell you this: Consider using traffic-shaping instead of rate-limit. Rate-limit is not designed to limit/shape traffic in the same nice way as traffic-shaping is.
0
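The points made in this thread (a low 5 minute average can still contain bursts above the limit, "Shaping Active" is yes only while a backlog exists, and shaping delays excess traffic where rate-limit drops it) can be seen in a small simulation. This is an added example, not part of the original thread: it is a simplified single token-bucket model rather than IOS's exact traffic-shape or CAR algorithm, and the 125 ms interval and the traffic pattern are constructed assumptions.

```python
# Added example: simplified token-bucket model, not IOS's exact GTS or CAR algorithm.
CIR = 512_000                 # bits/s, the limit from "traffic-shape group 101 512000"
TICKS_PER_SEC = 8             # assumed 125 ms measurement interval
BC = CIR // TICKS_PER_SEC     # credit per interval: 64000 bits (8000 bytes)

def offered_load(seconds=300):
    """Constructed traffic: 2 Mbit/s for 1 s out of every 10 s, 20 kbit/s otherwise."""
    load = []
    for tick in range(seconds * TICKS_PER_SEC):
        in_burst = tick % (10 * TICKS_PER_SEC) < TICKS_PER_SEC
        load.append((2_000_000 if in_burst else 20_000) // TICKS_PER_SEC)
    return load

def shape(load):
    """Shaper: bits over the per-interval credit wait in a queue (delayed, not lost)."""
    queue = delayed = sent = peak = active = 0
    for bits in load:
        from_queue = min(queue, BC)            # backlog is served first (FIFO)
        new_now = min(bits, BC - from_queue)   # new bits that still fit this interval
        delayed += bits - new_now
        queue += bits - new_now - from_queue
        sent += from_queue + new_now
        peak = max(peak, from_queue + new_now)
        active += queue > 0                    # "Shaping Active yes" while a backlog exists
    return {"sent": sent, "delayed": delayed, "dropped": 0,
            "peak_bps": peak * TICKS_PER_SEC, "active_share": active / len(load)}

def police(load, burst_bits=BC):
    """Policer: bits that find no token are dropped; nothing is queued."""
    tokens, sent, dropped = burst_bits, 0, 0
    for bits in load:
        tokens = min(burst_bits, tokens + BC)  # refill, capped at the burst size
        conform = min(bits, tokens)
        tokens -= conform
        sent += conform
        dropped += bits - conform
    return {"sent": sent, "delayed": 0, "dropped": dropped}

def average_bps(load):
    """Long-window average, comparable to the interface's 5 minute rate counter."""
    return sum(load) * TICKS_PER_SEC // len(load)

if __name__ == "__main__":
    load = offered_load()
    print("average offered bit/s:", average_bps(load))
    print("shaper :", shape(load))
    print("policer:", police(load))
```

With this constructed load the 5 minute average is well under the limit, yet the shaper still queues most of the bits and is active for part of every cycle, while the policer loses the same excess outright.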
 

Expert Comment

by:selva123
ID: 33284268

Hi,

I have the same problem; my config is below.

interface FastEthernet0
 description $$$$ Lan $$$$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet1
 description ######## Internet #########
 ip address 192.168.0.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 101 96000 24000 48000 conform-action transmit exceed-action drop
 rate-limit output access-group 101 96000 24000 480000 conform-action transmit exceed-action drop
 duplex auto
 speed auto

ip nat pool IP_NAT 192.168.0.11 192.168.0.11 netmask 255.255.255.0
ip nat inside source list 100 pool IP_NAT overload
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip  host 192.168.2.10 any

Above is my config, but it's not working. If I apply access-list 101 permit ip any any, it applies to all hosts and it's working fine.

Kindly suggest which will be the right command.
0
 
