  • Status: Solved

Rate Limit by IP Address on Shared T1 Connection

Want to split bandwidth usage on T1 by IP address. Cisco 7507 PACT3 at ISP side. IP subnet routed to interface. Unnumbered IP to WAN side of customer router. Customer router is a Netopia R5300 using X.X.X.1 from routed IP subnet. Each of 2 customers has a Linksys, with customer A having X.X.X.2 and customer B having X.X.X.3, both using X.X.X.1 as default gateway. On the Cisco 7507, can I rate-limit based upon IP address? i.e. X.X.X.1 can use up to 512Kb and X.X.X.2 can use up to 512Kb?

Thanks!
- Dean
dkorfanty
Asked:
1 Solution
 
klinko2k Commented:
Use MQC and shape their traffic out on the T1 link.

You can use class maps that match access-lists for each customer.

access-list 1 permit X.X.X.2
access-list 2 permit X.X.X.3
!
class-map CUSTOMER_A
 match access-group 1
class-map CUSTOMER_B
 match access-group 2
!
policy-map POLICING
 class CUSTOMER_A
  ! cir is given in bits per second
  police cir 512000
 class CUSTOMER_B
  police cir 512000
!
! interface at the ISP connected to the customer router
interface s0/0
 service-policy input POLICING

 
klinko2k Commented:
"Use MQC and shape their traffic out on the T1 link."

I meant to say police their traffic inbound from the customer router.  I initially read your question incorrectly.
 
API_NOC Commented:
See attached code. You can modify the percentages as you wish. You can also use numbered ACLs instead of named ACLs. There would also be additional exceed or violate parameters that you can opt to use in the policing section.
!
ip access-list extended CustomerA-acl
 permit ip any host X.X.X.2
ip access-list extended CustomerB-acl
 permit ip any host X.X.X.3
!
!
class-map match-any CustomerA-class
  match access-group name CustomerA-acl
class-map match-any CustomerB-class
  match access-group name CustomerB-acl
!
!
policy-map Customer_Split_policy
  class CustomerA-class
    priority percent 35
    police cir percent 35 conform-action transmit exceed-action drop violate-action drop
  class CustomerB-class
    priority percent 35
    police cir percent 35 conform-action transmit exceed-action drop
  class class-default
    fair-queue
!
<T1 interface command>
!
service-policy output Customer_Split_policy


 
klinko2k Commented:
API_NOC:  

You are trying to police on the outbound direction. It is recommended to shape outbound and police inbound.

Policing from the ISP device to the customer will not accomplish what dkorfanty is trying to do.

http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml#policingvsshaping
 
API_NOC Commented:
Didn't he say he wanted to do this from the ISP side? I do not think that the Netopia can do this type of QoS, and the Netopia is on the other side of the T1.
Taken from your link. Policing can be tailored in either direction:
                          Shaping   Policing
Applicable on Inbound     No        Yes
Applicable on Outbound    Yes       Yes
 
dkorfanty (Author) Commented:
Can only be done on the ISP side 7507 - The Netopia cannot do this type of QoS.  Inbound from ISP to customer is the priority.  I will test after-hours tonight and post results.  Greatly appreciated!

-Dean
 
API_NOC Commented:
My ACL will get the job done
 
dkorfanty (Author) Commented:
API_NOC:

When I entered:
police cir percent 35 conform-action transmit exceed-action drop violate-action drop
I received:
police cir percent 35 conform-action transmit exceed-action drop
           ^
% Invalid input detected at '^' marker.

Entered:
police cir ?
option was  <8000-200000000>  Bits per second

I entered:
police cir 750000 conform-action transmit exceed-action drop violate-action drop

When I did sho run I now see:
policy-map Customer-Split_policy
  class Nourtek-class
     police cir 750000 bc 23250 conform-action transmit exceed-action drop

I have not applied this to the T1 interface yet without verification that it looks okay.

Thanks! -Dean
 
klinko2k Commented:
If you are working on the ISP device (PE), and want to only allow 512k of traffic to each customer, outbound from the PE, you need to shape outbound as the traffic goes on the wire. By shaping you will allow the traffic to queue and only use its allowed part of the wire at the given time interval (Tc). Policing is just going to drop excessive traffic rather than queue it.

The next step is to only allow 512k of traffic from the CE in to the PE per customer.  This is where you would police inbound on the PE.  

Finally, the shared CE will need to start shaping to 512k outbound for traffic going on the wire.  Otherwise, each customer is going to be sending at wire speed to the CE, and the CE is going to send it out with the default queuing mechanism.  This does not ensure that each customer is allowed to use 1/2 of the T1 circuit.

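An added example, not part of any post in this thread: a small Python simulation of the difference described above between policing (excess traffic is dropped) and shaping (excess traffic is queued and delayed). The 512 kb/s rate comes from the thread; the burst size, packet size and the 100-packet burst at T1 line rate are constructed assumptions, and the shaper's queue is unbounded for simplicity.

```python
CIR_BPS = 512_000    # per-customer target discussed in the thread
BC_BYTES = 16_000    # burst size: constructed value, not from the page
T1_BPS = 1_536_000   # usable T1 payload rate

def burst(n, size=1500, rate_bps=T1_BPS):
    """Constructed workload: n back-to-back packets at the given line rate."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(n)]

def police(pkts, cir=CIR_BPS, bc=BC_BYTES):
    """Token-bucket policer: conforming packets pass, the rest are dropped."""
    tokens, last, sent, dropped = float(bc), 0.0, 0, 0
    for t, size in pkts:
        tokens = min(bc, tokens + (t - last) * cir / 8)  # refill, in bytes
        last = t
        if tokens >= size:
            tokens -= size
            sent += 1
        else:
            dropped += 1
    return sent, dropped

def shape(pkts, cir=CIR_BPS, bc=BC_BYTES):
    """Token-bucket shaper: excess packets wait in a FIFO (unbounded here,
    a simplification) until enough tokens accrue. Assumes size <= bc."""
    tokens, clock, max_delay = float(bc), 0.0, 0.0
    for t, size in pkts:
        depart = max(t, clock)                  # FIFO: never overtake
        tokens = min(bc, tokens + (depart - clock) * cir / 8)
        if tokens < size:                       # hold until the bucket refills
            depart += (size - tokens) / (cir / 8)
            tokens = size
        tokens -= size
        clock = depart
        max_delay = max(max_delay, depart - t)
    return len(pkts), 0, max_delay

if __name__ == "__main__":
    pkts = burst(100)
    print("police: sent=%d dropped=%d" % police(pkts))
    print("shape:  sent=%d dropped=%d max_delay=%.3fs" % shape(pkts))
```

With the same bucket, the policer discards more than half of the burst once the initial tokens are spent, while the shaper delivers every packet at the cost of growing queueing delay.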
 
API_NOC Commented:
Your IOS options are a little different. To get 512 each would have to be "police cir 512000" and just hit <enter> after that.
From the ISP's perspective, you want to build a cookie-cutter type template. Policing on the outbound will discard traffic over the 512 _if_ the additional parameters are not configured. You have three configurable parameters with policing that you can use: conform-action, exceed-action, and violate-action.
dkorfanty, have your management look into using Adtran 3430 (two Ethernet ports) or the 3200 (best to use VLANs in this situation) for future deployments. The cost compared to the Netopia should be competitive, and is way better in pricing than Cisco. The commands are very similar to Cisco, so you won't be lost either.
There's no harm in using klinko2k's approach of policing in and shaping out. There's always more than one way to do things. The approach I gave will quickly prove to the customer that they may need to upgrade their bandwidth, if you get a lot of drops.
 