[c-nsp] policer on ASR1001X
Lukasz Bromirski
lukasz at bromirski.net
Wed Sep 8 09:27:42 EDT 2021
Hi James,
> On 7 Sep 2021, at 14:10, james list <jameslist72 at gmail.com> wrote:
>
> Dear experts,
> I'd like to rate limit some ingress traffic coming from an untrusted source to
> 10Mbs.
>
> I've an ASR1001X (16.3.7) and this is the config I'd place:
>
> *********************
> ip access-list extended ACL_10_203_231_129
>  permit ip any host 10.203.231.129
>
> class-map match-all CM_LIMIT_INGRESS
>  match access-group name ACL_10_203_231_129
>
> policy-map PM_LIMIT_INGRESS
>  class CM_LIMIT_INGRESS
>   police 10000000 5000000 5000000 conform-action transmit exceed-action drop violate-action drop
>  class class-default
>
> The PM is attached to tunnel interface:
>
> TUNNEL0
> service-policy input PM_LIMIT_INGRESS
>
> *********************
>
> Can you please confirm:
>
> 1) I'll not drop/limit other traffic
It won’t. It will apply the policy only to matching traffic (ACL ACL_10_203_231_129).
> 2) ASR1001X applies rate limit in hardware and not in software (in order to
> avoid CPU overload)
Hardware.
> 3) is there any mode to limit pps and not only bandwidth
I no longer remember this off the top of my head, but there’s a bunch of good QoS/HQoS presentations about ASR 1000 in particular on ciscolive.com that you can use as a reference.
--
./
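
Added example, not part of the original thread and not Cisco code: a small model of the posted policer as an RFC 2697-style single-rate three-color token bucket, showing how much of a flood the 5,000,000-byte burst values let through before the 10 Mbit/s rate takes hold. It assumes the three numbers in the police line are CIR in bit/s and Bc/Be in bytes; the class and function names are hypothetical and the ASR 1000 hardware implementation may differ in detail.

```python
# Added illustration: RFC 2697-style single-rate three-color policer (color-blind).
# Assumption: the posted "police 10000000 5000000 5000000" means CIR in bit/s and
# Bc/Be in bytes. Integer bits and microseconds keep the arithmetic exact.
CIR_BPS = 10_000_000
BC_BYTES = 5_000_000
BE_BYTES = 5_000_000


class Policer:
    def __init__(self, cir_bps=CIR_BPS, bc_bytes=BC_BYTES, be_bytes=BE_BYTES):
        self.cir_bps = cir_bps
        self.bc, self.be = bc_bytes * 8, be_bytes * 8   # bucket depths in bits
        self.tc, self.te = self.bc, self.be             # both buckets start full
        self.last_us = 0

    def _refill(self, now_us):
        # Exact when CIR is a whole number of bits per microsecond (10 here).
        tokens = (now_us - self.last_us) * self.cir_bps // 1_000_000
        self.last_us = now_us
        spill = max(0, self.tc + tokens - self.bc)      # Tc overflow feeds Te
        self.tc = min(self.bc, self.tc + tokens)
        self.te = min(self.be, self.te + spill)

    def offer(self, now_us, size_bytes):
        """Classify one packet as 'conform', 'exceed' or 'violate'."""
        self._refill(now_us)
        bits = size_bytes * 8
        if bits <= self.tc:
            self.tc -= bits
            return "conform"
        if bits <= self.te:
            self.te -= bits
            return "exceed"
        return "violate"


def simulate(offered_bps, seconds, pkt_bytes=1250):
    """Bytes transmitted per one-second bin under a constant-rate flood.
    Only 'conform' is transmitted: the posted policy drops exceed and violate."""
    gap_us = pkt_bytes * 8 * 1_000_000 // offered_bps   # packet spacing
    policer, sent = Policer(), [0] * seconds
    for now_us in range(0, seconds * 1_000_000, gap_us):
        if policer.offer(now_us, pkt_bytes) == "conform":
            sent[now_us // 1_000_000] += pkt_bytes
    return sent


if __name__ == "__main__":
    for sec, sent in enumerate(simulate(100_000_000, 3)):
        print(f"second {sec}: {sent * 8 / 1e6:.2f} Mbit transmitted")
```

In this model a 100 Mbit/s flood gets about 50 Mbit through in the first second before settling at 10 Mbit/s, and a drained conform bucket takes 4 seconds of idle time to refill.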