[89663] in North American Network Operators' Group


Re: Rate-Limiting.

daemon@ATHENA.MIT.EDU (Robert Sherrard)
Thu Mar 30 20:26:07 2006

Date: Thu, 30 Mar 2006 17:25:38 -0800
From: Robert Sherrard <rob@robsherrard.com>
Reply-To: rob@robsherrard.com
To: John Kristoff <jtk@ultradns.net>
Cc: nanog@merit.edu
In-Reply-To: <200603310117.k2V1Hnrm019843@atlas.centergate.com>
Errors-To: owner-nanog@merit.edu



I'm really interested in rate limiting outbound... with many unknown 
dest IP's.

Rob

John Kristoff wrote:
> On Thu, 30 Mar 2006 15:56:02 -0800
> Robert Sherrard <rob@robsherrard.com> wrote:
>
>   
>> I've got a situation in which I'd like to rate limit a few servers
>> that hang off of my 6590's... it appears that this can only be done
>> on a layer 3 interface. These servers however aren't, they're simply on
>> a switch port / access. Aside from hard setting the l2 interface to
>> 10mbit, can anyone think of another creative way to do this? Is one
>> option moving these servers into a separate VLAN, then rate-limiting
>> from there?
>>     
>
> Is rate limiting by source IP address acceptable to you?  If so,
> then you could do it that way.  An untested example that should set
> you out in search of the necessary doc:
>
>   class-map match-all cm-src-specific
>    match access-group name acl-src-specific
>   !
>   interface Vlan99
>    service-policy input sp-rate-limit
>   !
>   policy-map sp-rate-limit
>    class cm-src-specific
>     police flow mask src-only 1000000 4000 conform-action transmit exceed-action drop
>   !
>   ip access-list extended acl-src-specific
>    permit ip any any
>
> John
>
>   
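
Added example, not part of either poster's message: a small Python model of what the quoted `police flow mask src-only 1000000 4000` line asks for, assuming the two numbers are bits per second and burst bytes and that the policer is a single-rate token bucket. It shows why keying on source alone caps a server no matter how many unknown destinations it sends to; the addresses, the traffic and the `src_and_dst` contrast are constructed for illustration.

```python
from collections import defaultdict

RATE_BPS = 1_000_000    # first number in the quoted police line, read as bits/s
BURST_BYTES = 4000      # second number in the quoted police line, read as bytes
SCALE = 8 * 1_000_000   # one byte of credit, in bit-microseconds (integer math)

class FlowPolicer:
    """Single-rate token bucket, one bucket per flow key."""
    def __init__(self, key, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
        self.key = key                      # maps (src, dst) to a bucket key
        self.rate = rate_bps                # credit gained per microsecond
        self.cap = burst_bytes * SCALE
        self.buckets = {}                   # key -> (credit, last_seen_us)

    def offer(self, now_us, src, dst, size):
        """True = conform (transmit), False = exceed (drop)."""
        k = self.key(src, dst)
        credit, last = self.buckets.get(k, (self.cap, now_us))
        credit = min(self.cap, credit + (now_us - last) * self.rate)
        ok = size * SCALE <= credit
        self.buckets[k] = (credit - size * SCALE if ok else credit, now_us)
        return ok

def src_only(src, dst):     # models "mask src-only": destination is ignored
    return src

def src_and_dst(src, dst):  # hypothetical contrast: one bucket per address pair
    return (src, dst)

def constructed_traffic(ms=2000):
    """Constructed sample: a busy server spraying 200 destinations, a quiet one."""
    pkts = []
    for i in range(ms):                     # one slot per millisecond, time in us
        # busy server: 1000 pps x 1500 B = 12 Mbit/s offered
        pkts.append((i * 1000, "192.0.2.10", f"198.51.100.{i % 200 + 1}", 1500))
        if i % 100 == 0:                    # quiet server: 10 pps x 500 B
            pkts.append((i * 1000, "192.0.2.20", "203.0.113.5", 500))
    return pkts

def bytes_passed(key, packets):
    """Return {src: bytes transmitted} for one keying choice."""
    policer, sent = FlowPolicer(key), defaultdict(int)
    for now_us, src, dst, size in packets:
        if policer.offer(now_us, src, dst, size):
            sent[src] += size
    return dict(sent)

if __name__ == "__main__":
    for key in (src_only, src_and_dst):
        print(key.__name__, bytes_passed(key, constructed_traffic()))
```

In this model the busy source is held to about 1 Mbit/s over the two seconds when keyed on source alone, while per-pair keying lets all of its 12 Mbit/s through because no single destination exceeds the limit.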
