Mar 23, 2013

How To: Time-based, Inbound Rate Limiting


Slaptijack reader Raj is looking for a way to limit inbound traffic on his switch ports based on the time of day. Specifically, he wants to restrict speed to 256 Kbps between 9 AM and 9 PM, and allow up to 1 Mbps the rest of the day. I've done something similar to this in the past, but with only one restriction, not two. Hopefully, this configuration will work!
Note: This post is based on the work of a previous post on Cisco Catalyst rate limiting. Although I know that this will work in some cases, it may not work in yours. In other words, your mileage may vary.

Raj, the key to time-based rate limiting is to use the time-range command built into IOS. In your case, we want to define the time range from 9 AM to 9 PM:
time-range DAILY-0900-2100
 periodic daily 9:00 to 21:00
Next, we need our access lists:
ip access-list extended ACL-0900-2100
 permit ip any any time-range DAILY-0900-2100
ip access-list extended ACL_ALL_HOURS
 permit ip any any
And now our class maps to define which traffic to match:
class-map match-all 256K
 match access-group name ACL-0900-2100
class-map match-all 1M
 match access-group name ACL_ALL_HOURS
And finally, our policy map:
policy-map POLICY-IN
 class 256K
  police 256000 8000 exceed-action drop
 class 1M
  police 1000000 12500 exceed-action drop
Put it all together, and it looks like this:
time-range DAILY-0900-2100
 periodic daily 9:00 to 21:00
!
ip access-list extended ACL-0900-2100
 permit ip any any time-range DAILY-0900-2100
ip access-list extended ACL_ALL_HOURS
 permit ip any any
!
class-map match-all 256K
 match access-group name ACL-0900-2100
class-map match-all 1M
 match access-group name ACL_ALL_HOURS
!
policy-map POLICY-IN
 class 256K
  police 256000 8000 exceed-action drop
 class 1M
  police 1000000 12500 exceed-action drop
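
The following is an added example, not part of the original post: a simplified Python model of the configuration above, showing first-match class selection by time of day and the token-bucket behavior of each police statement. The function and class names are hypothetical, the bucket is assumed to start full, and the model ignores how the switch counts frame overhead and handles the exact boundary minute.

```python
from datetime import time

# Values copied from the configuration in the post.
TIME_RANGE = (time(9, 0), time(21, 0))   # DAILY-0900-2100: 9 AM to 9 PM per the text
POLICERS = {"256K": (256_000, 8_000),    # class: (rate in bit/s, burst in bytes)
            "1M": (1_000_000, 12_500)}


def select_class(now):
    """First-match class selection, in policy-map order.

    The ACE in ACL-0900-2100 only matches while the time range is active;
    at any other time the packet falls through to class 1M (ACL_ALL_HOURS).
    """
    start, end = TIME_RANGE
    return "256K" if start <= now < end else "1M"


class Policer:
    """Single-rate token bucket: conforming packets pass, exceeding ones drop."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # bytes of credit earned per second
        self.burst = burst_bytes            # bucket depth in bytes
        self.tokens = float(burst_bytes)    # assumption: bucket starts full
        self.last = 0.0

    def offer(self, t, size):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True                     # conform: transmit
        return False                        # exceed-action drop


def simulate(now, offered_bps, seconds=10, pkt=1000):
    """Offer a constant stream of pkt-byte packets; return (class, delivered bit/s)."""
    name = select_class(now)
    policer = Policer(*POLICERS[name])
    interval = pkt * 8 / offered_bps            # seconds between packets
    count = seconds * offered_bps // (pkt * 8)  # packets offered in the window
    passed = sum(policer.offer(i * interval, pkt) for i in range(count))
    return name, passed * pkt * 8 / seconds


if __name__ == "__main__":
    for clock in (time(12, 0), time(23, 0)):    # constructed sample times
        print(clock, simulate(clock, 2_000_000))
```

Over a short window the delivered rate sits slightly above the configured rate because the initial burst allowance is spent on top of the steady refill.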
