I've got a situation in which I'd like to rate limit a few servers that hang off of my 6590's... it appears that this can only be done on a layer 3 interface. These servers however aren't, they're simply on a switch port / access. Aside from hard setting the l2 interface to 10mbit, can anyone think of another creative way to do this? Is one option moving these servers into a separate VLAN, then rate-limiting from there?

Rob
On Thu, 30 Mar 2006 15:56:02 -0800 Robert Sherrard <rob@robsherrard.com> wrote:
I've got a situation in which I'd like to rate limit a few servers that hang off of my 6590's... it appears that this can only be done on a layer 3 interface. These servers however aren't, they're simply on a switch port / access. Aside from hard setting the l2 interface to 10mbit, can anyone think of another creative way to do this? Is one option moving these servers into a separate VLAN, then rate-limiting from there?
Is rate limiting by source IP address acceptable to you? If so, then you could do it that way. An untested example that should set you out in search of the necessary doc:

 class-map match-all cm-src-specific
  match access-group name acl-src-specific
 !
 interface Vlan99
  service-policy input sp-rate-limit
 !
 policy-map sp-rate-limit
  class cm-src-specific
   police flow mask src-only 1000000 4000 conform-action transmit exceed-action drop
 !
 ip access-list extended acl-src-specific
  permit ip any any

John
I'm really interested in rate limiting outbound... with many unknown dest IP's.

Rob

John Kristoff wrote:
On Thu, 30 Mar 2006 15:56:02 -0800 Robert Sherrard <rob@robsherrard.com> wrote:
I've got a situation in which I'd like to rate limit a few servers that hang off of my 6590's... it appears that this can only be done on a layer 3 interface. These servers however aren't, they're simply on a switch port / access. Aside from hard setting the l2 interface to 10mbit, can anyone think of another creative way to do this? Is one option moving these servers into a separate VLAN, then rate-limiting from there?
Is rate limiting by source IP address acceptable to you? If so, then you could do it that way. An untested example that should set you out in search of the necessary doc:
 class-map match-all cm-src-specific
  match access-group name acl-src-specific
 !
 interface Vlan99
  service-policy input sp-rate-limit
 !
 policy-map sp-rate-limit
  class cm-src-specific
   police flow mask src-only 1000000 4000 conform-action transmit exceed-action drop
 !
 ip access-list extended acl-src-specific
  permit ip any any
John
On Thu, 30 Mar 2006 17:25:38 -0800 Robert Sherrard <rob@robsherrard.com> wrote:
I'm really interested in rate limiting outbound... with many unknown dest IP's.
That's what that example was intending to show. That is, rate limiting traffic coming from the servers into the VLAN interface towards the rest of the internetwork on the other side. Don't let the term 'input' fool you.

If what you meant was to rate limit traffic to those servers, then I am afraid I can't help you. You could technically do that, but it is probably not of much value to any decent server implementation.

John
Your first example makes sense... I think I'll give that a shot.

Rob

John Kristoff wrote:
On Thu, 30 Mar 2006 17:25:38 -0800 Robert Sherrard <rob@robsherrard.com> wrote:
I'm really interested in rate limiting outbound... with many unknown dest IP's.
That's what that example was intending to show. That is, rate limiting traffic coming from the servers into the VLAN interface towards the rest of the internetwork on the other side. Don't let the term 'input' fool you.
If what you meant was to rate limit traffic to those servers, then I am afraid I can't help you. You could technically do that, but it is probably not of much value to any decent server implementation.
John
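Added example, not part of the original thread and not Cisco's implementation: a token-bucket model of the policer discussed above, showing why keying on source address alone caps a server's total output no matter how many destinations it talks to. It assumes the two numbers in the police line are a rate in bits per second and a burst in bytes; the addresses, traffic pattern and the per-pair contrast case are constructed for illustration.

```python
# Added example: token-bucket model of a per-source policer (not Cisco code).
RATE_BPS = 1_000_000   # first number in the thread's police line, read as bits/s (assumption)
BURST_BYTES = 4000     # second number, read as bytes (assumption)


class Policer:
    """Single-rate token bucket with one bucket per flow key."""

    def __init__(self, key, rate_bps=RATE_BPS, burst=BURST_BYTES):
        self.key, self.rate_bps, self.burst = key, rate_bps, burst
        self.buckets = {}  # flow key -> [tokens_in_bytes, last_seen_ms]

    def offer(self, t_ms, src, dst, size):
        """Return True (conform: transmit) or False (exceed: drop)."""
        b = self.buckets.setdefault(self.key(src, dst), [self.burst, t_ms])
        # Integer milliseconds keep the refill exact at this rate (125 bytes/ms).
        refill = (t_ms - b[1]) * self.rate_bps // 8000
        b[0], b[1] = min(self.burst, b[0] + refill), t_ms
        if size > b[0]:
            return False
        b[0] -= size
        return True


def src_only(src, dst):
    return src            # destination ignored: one bucket per server


def src_dst(src, dst):
    return (src, dst)     # contrast case, not from the thread: one bucket per pair


def bytes_sent(packets, key):
    """Bytes each source gets through the policer for the given flow key."""
    policer, sent = Policer(key), {}
    for t_ms, src, dst, size in packets:
        if policer.offer(t_ms, src, dst, size):
            sent[src] = sent.get(src, 0) + size
    return sent


def constructed_traffic():
    """Constructed sample, 1 second: a busy server sending 1500 bytes every ms
    (12 Mbit/s) across 50 destinations, and a quiet one at 80 kbit/s."""
    pkts = [(t, "10.0.99.10", f"192.0.2.{t % 50 + 1}", 1500) for t in range(1000)]
    pkts += [(t, "10.0.99.11", "198.51.100.7", 1000) for t in range(0, 1000, 100)]
    return sorted(pkts)


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("src-only :", bytes_sent(traffic, src_only))
    print("per pair :", bytes_sent(traffic, src_dst))
```

With the source-only key the busy server is held to roughly 1 Mbit/s plus the initial burst while the quiet server is untouched; with a per-pair key the same server would pass all of its traffic, since no single destination exceeds the rate.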