[c-nsp] rate limiting pointers?

Michael Malitsky malitsky at netabn.com
Wed Apr 8 17:59:20 EDT 2009


Generally speaking, Muhammad is correct.  From personal experience, you
are going to find a lot of limitations on the switching platform when
you try to implement this, though.  The switching platforms vary
significantly in their abilities to classify traffic and police in
different directions.  Off the top of my head, I am not sure whether the
2960 supports policing at all.  3550 does, with significant limitations.
I can share more specific experiences offline.

As an alternative, consider doing the straightforward "rate-limit input
| output ..." on the subinterfaces on the 7200.  Works like a champ
(assuming the CPU can keep up of course) and is just 2 lines to set up
vs the MQC on the switch.

Sincerely,
Michael Malitsky

> Date: Wed, 8 Apr 2009 09:36:07 +0500
> From: Muhammad Salman Zahid <gregariouspearl at gmail.com>
> Subject: Re: [c-nsp] rate limiting pointers?
> To: Scott Granados <gsgranados at comcast.net>
> Cc: cisco-nsp at puck.nether.net
> Message-ID:
> 	<44c523750904072136u5c3c82c0scf20d47d5c2e3241 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Dear Scott,
> 
> Read & try the following:
> 
> 
> Step 1: Define ACL for desired IP Pools
> Step 2: Define a Packet classification criteria
>  Class-map match-all <traffic_class_name>
>         description Control plane normal traffic
>         match access-group name <Access_list_name>
> 
> Step 3: Define a Service Policy
>         policy-map <service_policy_name>
>         class <traffic_class_name>
>         police cir <rate, bc(confirm burst) , be (excess burst)> conform-action set-dscp-transmit default exceed-action drop violate-action drop
> 
> Step 4: Enter service policy on control plane interface
>         service-policy input <service_policy_name>
>         service-policy output <service_policy_name>
> 
> ip access-list extended [ABC]
> ip access-list extended [XYZ]
> class-map match-all [NAME1]=== NAME1=ABC (so easily remember)
>  match access-group name [ABC]
> class-map match-all [NAME2]=== NAME2=XYZ (so easily remember)
>  match access-group name [XYZ]
> policy-map [POLICY NAME]
>  class [ABC]
>  put rate limit
>  class [XYZ]
>  put rate limit
> Regards,
> MSZ
> On Wed, Apr 8, 2009 at 6:36 AM, Scott Granados
> <gsgranados at comcast.net> wrote:
> 
> > Since the topic of rate limiting came up...
> >
> > I have a 7206VXR NPE-300 and 2 switches (2960 and 3550).
> >
> > I plan on setting up  a trunk from the 7206 to the 3500 and break out via
> > vlans as you'd expect.  What are some good methods for rate limiting the
> > individual ports on the access switches?
> >
> > I'm open to other hardware but this is more of a lab / personal environment
> > so solutions for the listed hardware would be appreciated.  Could someone
> > also suggest some good foundation type reading for rate limiting and
> > practices?
> >
> > Thank you
> > Scott
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
> 
> 
> --
> "Death is not the greatest loss in life ....
> The greatest loss is what dies inside
>  you while U live...!"
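
Added example (not part of the original thread): the per-subinterface "rate-limit input | output" approach suggested above, written out for a dot1Q subinterface on the 7200. The interface name, VLAN ID, address and 2 Mbps rate are assumed values; the burst sizes follow Cisco's CAR guidance (normal burst = rate / 8 * 1.5 seconds, extended burst = 2 * normal burst).

```cisco
! Assumed values: FastEthernet0/0.10, VLAN 10, 2 Mbps committed rate.
! CAR rates are configured in bps, in increments of 8 kbps.
! Burst sizes (bytes): normal   = 2000000 / 8 * 1.5 = 375000
!                      extended = 2 * 375000        = 750000
interface FastEthernet0/0.10
 description VLAN 10 toward access switch (constructed example)
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
 ! Traffic arriving from the VLAN, policed to 2 Mbps
 rate-limit input 2000000 375000 750000 conform-action transmit exceed-action drop
 ! Traffic sent toward the VLAN, policed to 2 Mbps
 rate-limit output 2000000 375000 750000 conform-action transmit exceed-action drop
!
! Check conformed and exceeded counters per direction:
!   show interfaces FastEthernet0/0.10 rate-limit
```

Repeat the two rate-limit lines on each VLAN subinterface, and watch CPU load on the router as the number of policed subinterfaces grows.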
