Mar 23, 2013

How to Configure Inbound Rate Limiting on Cisco Catalyst Switches

If you need to limit the inbound bandwidth of a switch port on a Cisco Catalyst, the key is in the QoS configuration.
This particular configuration was done on a Cisco Catalyst 2960.

As I mentioned, the key is QoS. The first thing you need to do is globally enable QoS with the mls qos configuration command. Once this command is enabled, QoS is enabled on all ports with default settings.
Next, we'll need an access-list to match traffic on. In this example, we are going to police all traffic coming through the switch port, so our access-list will match all IP addresses.
ip access-list extended ACL_SLAP
 permit ip any any

A class map is necessary to classify our traffic.
class-map match-all CLASS_SLAP
  match access-group name ACL_SLAP

The policy map dictates what we want done to the traffic class previously defined. The police configuration command sets our rate limit in this example to 8 Mbps with a burst size of 100 KB. The burst size is the trickiest part of this command. If the burst is set too low, your traffic will not be able to approach the maximum allowed throughput due to packet drops.
Because TCP window scaling halves the window size for each dropped packet, it's important to set the burst size at a level that doesn't impact performance. The rule of thumb is that the burst size should be double the amount of traffic sent at the maximum rate at a given round-trip time. In this example, I assumed a round-trip time of 50 ms, which results in a burst size of 100 KB.
policy-map POLICY_SLAP
  class CLASS_SLAP
    police 8000000 100000 exceed-action drop
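
To see why the burst value matters, here is an added example (not part of the original post, and not a model of Catalyst internals) that runs a simple single-rate token-bucket policer with exceed-action drop over constructed traffic. The sender pattern, the 8000-byte "too small" burst and all function names are assumptions made for illustration.

```python
# Added illustration: single-rate token-bucket policer with exceed-action drop.
# All traffic below is constructed; the policer is a simplified model.

def burst_bytes(rate_bps, rtt_ms):
    """Post's rule of thumb: double the bytes sent at full rate during one RTT."""
    return 2 * rate_bps * rtt_ms // 8000

def police(packets, rate_bps, burst):
    """packets: (arrival_us, size_bytes) in time order. Returns (passed, dropped) bytes."""
    tokens, last_us = float(burst), 0
    passed = dropped = 0
    for t_us, size in packets:
        # Refill at the policed rate, capped at the burst size.
        tokens = min(burst, tokens + (t_us - last_us) * rate_bps / 8_000_000)
        last_us = t_us
        if size <= tokens:
            tokens -= size
            passed += size
        else:
            dropped += size  # exceed-action drop
    return passed, dropped

def windowed_sender(rtts, rtt_us, pkts_per_rtt, size=1500, gap_us=12):
    """Constructed sender: one back-to-back window per RTT (1500 B at 1 Gbps ~ 12 us)."""
    return [(r * rtt_us + i * gap_us, size)
            for r in range(rtts) for i in range(pkts_per_rtt)]

def compare(rate_bps=8_000_000, rtt_ms=50, small_burst=8000):
    # 20 RTTs = 1 second; 33 x 1500 B per RTT offers about 7.9 Mbps on average.
    traffic = windowed_sender(20, rtt_ms * 1000, 33)
    results = {}
    for burst in (small_burst, burst_bytes(rate_bps, rtt_ms)):
        results[burst] = police(traffic, rate_bps, burst)
    return results

if __name__ == "__main__":
    for burst, (passed, dropped) in compare().items():
        print(f"police 8000000 {burst} exceed-action drop -> "
              f"{passed * 8 / 1e6:.2f} Mbps passed, {dropped} bytes dropped")
```

With the small burst, only the first few packets of each window fit in the bucket and the rest are dropped, even though the average offered load is below the policed rate.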

Finally, apply the policy-map to the switch port with the service-policy configuration command.
interface GigabitEthernet0/2
 service-policy input POLICY_SLAP

And now you're done. In our example, we configured a switch port to only allow inbound traffic at 8 Mbps. We won't be able to truly max the 8 Mbps, but we should come close.

This is the full rate limiting configuration:
mls qos

ip access-list extended ACL_SLAP
 permit ip any any
 
class-map match-all CLASS_SLAP
  match access-group name ACL_SLAP

policy-map POLICY_SLAP
  class CLASS_SLAP
    police 8000000 100000 exceed-action drop

interface GigabitEthernet0/2 
 service-policy input POLICY_SLAP 
