If you need to limit the inbound bandwidth of a switch port on a Cisco Catalyst, the key is in the QoS configuration. Rather than go into an in-depth discussion of QoS and how it works (check out Cisco's QoS site for that level of detail), let's jump straight into the configuration details. This particular configuration was done on a Cisco Catalyst 2960.
As I mentioned, the key is QoS. The first thing you need to do is globally enable QoS with the mls qos configuration command. Once this command is enabled, QoS is enabled on all ports with default settings.
Next, we’ll need an access-list to match traffic on. In this example, we are going to police all traffic coming through the switch port, so our access-list will match all IP addresses.
ip access-list extended ACL_SLAP
permit ip any any
A class map is necessary to classify our traffic.
class-map match-all CLASS_SLAP
match access-group name ACL_SLAP
The policy map dictates what we want done to the traffic class previously defined. The police configuration command sets our rate limit, in this example to 8 Mbps with a burst size of 100 KB. The burst size is the trickiest part of this command. If the burst is set too low, your traffic will not be able to approach the maximum allowed throughput due to packet drops.
Because TCP's congestion control halves the window size for each dropped packet, it's important to set the burst size at a level that doesn't impact performance. The rule of thumb is that the burst size should be double the amount of traffic sent at the maximum rate in a given round-trip time. In this example, I assumed a round-trip time of 50 ms, which results in a burst size of 100 KB.
policy-map POLICY_SLAP
class CLASS_SLAP
police 8000000 100000 exceed-action drop
Finally, apply the policy-map to the switch port with the service-policy configuration command.
interface GigabitEthernet0/2
service-policy input POLICY_SLAP
And now you’re done. In our example, we configured a switch port to only allow inbound traffic at 8 Mbps. We won’t be able to truly max the 8 Mbps, but we should come close. I’ve created a full text example that should be ready to copy and paste.
Leave a comment and let me know how it goes for you.
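As an added example (not part of the original post): the burst rule of thumb as a function, the resulting config text, and a simplified single-rate token-bucket model of the police command (my own assumed model, not a Cisco-verified description of Catalyst hardware) showing why a too-small burst drops a line-rate packet train.

```python
# Added example, not from the original post. The token-bucket policer below
# is a simplified model of "police <rate> <burst> exceed-action drop".

def burst_bytes(rate_bps: int, rtt_s: float) -> int:
    """Post's rule of thumb: twice the bytes the policed rate sends in one RTT
    (8 Mbps, 50 ms -> 100000 bytes)."""
    return round(rate_bps / 8 * rtt_s * 2)


def render_policy(rate_bps: int, burst: int, iface: str = "GigabitEthernet0/2") -> str:
    """Emit the ACL / class-map / policy-map / service-policy lines from the post."""
    return "\n".join([
        "mls qos",
        "ip access-list extended ACL_SLAP",
        " permit ip any any",
        "class-map match-all CLASS_SLAP",
        " match access-group name ACL_SLAP",
        "policy-map POLICY_SLAP",
        " class CLASS_SLAP",
        f"  police {rate_bps} {burst} exceed-action drop",
        f"interface {iface}",
        " service-policy input POLICY_SLAP",
    ])


def policer_drops(rate_bps: int, burst: int, packets) -> int:
    """Count packets a single-rate token bucket drops. packets is an iterable of
    (arrival_time_s, size_bytes). Tokens refill at the policed rate, are capped
    at the burst, and a packet larger than the tokens on hand is dropped."""
    tokens, last_t, drops = float(burst), 0.0, 0
    for t, size in packets:
        tokens = min(float(burst), tokens + (t - last_t) * rate_bps / 8)
        last_t = t
        if size <= tokens:
            tokens -= size
        else:
            drops += 1
    return drops


def line_rate_train(count: int, size: int = 1500, link_bps: int = 1_000_000_000):
    """Constructed sample input: back-to-back packets at Gigabit line rate."""
    gap = size * 8 / link_bps
    return [(i * gap, size) for i in range(count)]


if __name__ == "__main__":
    rate, burst = 8_000_000, burst_bytes(8_000_000, 0.05)
    print(render_policy(rate, burst))
    train = line_rate_train(60)                      # 90 KB arriving at 1 Gbps
    print("drops with 100 KB burst:", policer_drops(rate, burst, train))  # 0
    print("drops with 8 KB burst:  ", policer_drops(rate, 8000, train))   # 55
```

With the 100 KB burst the whole 90 KB train is admitted; with an 8 KB burst only the first five packets pass and TCP backs off well short of 8 Mbps.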
I am looking into some TCP differences on a policer like this as compared to the typical internet speed test. If you run SMB or FTP through this type of policer, you will get a fairly low rate. Internet speed tests seem to be fairly accurate most of the time.
I am not a TCP guy, but do you have any thoughts as to the overall difference? It’s as though these speed tests don’t window down very aggressively, but I haven’t had time to go through comparative traces yet.
Good news. Thanks for clause. I shall go to search for the information on the given theme further
Very good It’s Great !!
Just a reminder, don't forget the mls qos command at the very beginning. It's easy to overlook and none of the rate-limiting works without it.
Hi,
I’m curious about one thing.. what’s happening to a download/upload stream when it exceeds the 8Mbit and packets are dropped?
Will you receive corrupted data? Does the sender re-send the packets?
Bart
That’s a great question, Bart.
When TCP packets are dropped, the receiver notifies the sender that it is missing some packets. This is normal congestion control and the TCP/IP stack is designed to handle it.
Hope that helps!
Help!
I followed the guide above, and several others, and I cannot get this to work on my Cisco 2950 switch. Here is my config:
mls qos map cos-dscp 0 10 16 18 24 26 32 34
!
class-map match-all alltraffic
match access-group 133
!
!
policy-map 1m-bandwidth
class alltraffic
police 1000000 65536 exceed-action drop
policy-map POLICY_SLAP
!
interface FastEthernet0/6
bandwidth 1024
ip access-group 133 in
load-interval 30
service-policy input 1m-bandwidth
!
@Richard -
What we can see of your configuration looks OK. What are the contents of access-list 133?
Also, check which version of the Catalyst 2950 switch you have. I seem to remember that rate-limiting may have only been supported in the EI version.
Good luck!
Here is my show running config:
show running-config
Building configuration…
Current configuration : 2028 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname switch
!
enable secret 5 apple
enable password apple
!
!
class-map match-all alltraffic
match access-group 133
!
!
policy-map 1m-bandwidth
class alltraffic
police 1000000 65536 exceed-action drop
policy-map POLICY_SLAP
!
mls qos map cos-dscp 0 10 16 18 24 26 32 34
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
description test1
ip access-group 133 in
load-interval 30
service-policy input 1m-bandwidth
!
interface FastEthernet0/6
description test2
bandwidth 1024
ip access-group 133 in
load-interval 30
service-policy input 1m-bandwidth
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address x.x.x.x 255.255.255.0
no ip route-cache
!
ip default-gateway x.x.x.x
ip http server
snmp-server community public RO
!
line con 0
line vty 0 4
password vivio!switch
login
line vty 5 15
password vivio!switch
login
!
!
!
monitor session 1 source interface Fa0/24
monitor session 1 destination interface Fa0/23
end
*************************
and my IOS version
*************************
show version
Cisco Internetwork Operating System Software
IOS ™ C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 28-Jul-06 15:16 by weiliu
Image text-base: 0x80010000, data-base: 0x8056A000
ROM: Bootstrap program is C2950 boot loader
vivio-backbone-switch uptime is 1 week, 2 days, 5 hours, 13 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-22.EA8a.bin"
cisco WS-C2950T-24 (RC32300) processor (revision R0) with 21004K bytes of memory.
Processor board ID FOC1038Z3ZM
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:19:56:5B:2C:C0
Motherboard assembly number: 73-6114-10
Power supply part number: 34-0965-01
Motherboard serial number: FOC10381W83
Power supply serial number: DTH10202L0A
Model revision number: R0
Motherboard revision number: A0
Model number: WS-C2950T-24
System serial number: FOC1038Z3ZM
Configuration register is 0xF
Maybe I am going to have to load the enhanced image on this switch.
@Richard -
It looks to me like you need to add a line like
access-list 133 permit ip any any
so that the class map can have something to match on.
Scott,
Awesome! It worked, thank you so much for your help in pointing that out to me, not sure how I missed that!
Thanks again!
@Richard -
My pleasure. I’m glad everything worked out.
For a lot of older devices, only some of the commands are supported, and/or QoS just doesn’t work. For example, on a 2950 running 12.1(19)EA1c, the “mls qos” command is not supported (some docs suggest QoS is enabled by default), and you can configure policy-maps all you want to, but at least ACL-based policy-maps will not work.
Tested on a 2950 EI with 12.1(22)EA13 and it is working just fine.
[Although the "mls qos" command is not recognised, it seems indeed enabled by default]
Very precious information provided here, I have been digging all day long to get a proper guide on how to do this.
Thanks a lot !
Hi Scott,
I did not understand how you calculate the burst size. Especially the line "I assumed a round-trip time of 50 ms which results in a burst size of 100 KB." Kindly explain.
thanks
No problem, nairrk.
The formula is “double the amount of traffic sent at the maximum rate at a given round-trip time.” In this case, we know the bandwidth, 8 Mbps, but we’ll have to make an assumption regarding the round-trip time. I chose 50 ms, but your RTT may vary.
Thus the formula is:
8000000 / 8 * .05 * 2 = 100000
Thanks Scott for the quick clarification.
I'm trying to do this on a Catalyst 6500 but I don't have the option "exceed-action drop". I'm trying to limit the bandwidth on a port to 1 MEG. I connected a laptop to the port I applied the access list to and I still got a 100 meg connection. Suggestions?
Here is what I get –
Router(config-pmap-c)#police 1000000 100000 ?
Maximum burst bytes
conform-action action when rate is less than normal burst
pir PIR
When you say a “100 meg connection,” do you mean that the connection negotiated at 100 Mbps or that you were able to pump 100 Mbps of traffic through the port?
Here is the pertinent part of the running config. Notice the line "police 1000000 100000 100000 conform-action drop exceed-action drop" on the bottom; I wasn't able to put in just the "exceed-action drop" portion.
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 10
!
hostname Router
!
enable password $smcore
!
no aaa new-model
ip subnet-zero
!
!
!
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls qos
mls cef error action freeze
!
!
!
!
!
!
power redundancy-mode combined
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 600 priority 28672
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
mode sso
main-cpu
auto-sync running-config
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-all CLASS_Building_Tenants
match access-group name ACL_Building_Tenants
!
!
policy-map POLICY_Building_Tenants
class CLASS_Building_Tenants
police 1000000 100000 100000 conform-action drop exceed-action drop
What happens when you use
police 1000000 100000 100000 conform-action transmit
instead of
police 1000000 100000 100000 conform-action drop ?
I found out that you cannot apply ingress and egress rules to a port in a layer 2 VLAN, so I created a layer 3 VLAN, put my test port in that VLAN and I get this error. The rate limiting is working for upload speeds: when I do a test to the internet I'm limited to 1 gigabit, but download speeds remain unchecked.
service-policy output POLICY_Building_Tenants
QoS: GigabitEthernet13/14 doesn’t support policy POLICY_Building_Tenants for class CLASS_Building_Tenants in Out direction
I have this piece of code running and it's working to limit upload speed. I converted the port to be in a VLAN that is layer 3; it was layer 2 previously, but I get the error I outlined above. Same error I got when it was in a layer 2 VLAN.
policy-map POLICY_Building_Tenants
class CLASS_Building_Tenants
police 1024000 1024000 1024000 conform-action transmit exceed-action drop
service-policy output POLICY_Building_Tenants
QoS: GigabitEthernet13/14 doesn’t support policy POLICY_Building_Tenants for class CLASS_Building_Tenants in Out direction
Yeah, this post is specifically about inbound rate limiting because many (if not all) of the switches in question do not support egress policing.
Some platforms may support the srr-queue command which can be used to limit the bandwidth to a percentage of the interface speed.
I guess at this point your posting is working correctly, do you know of a way to get both inbound and outbound traffic limitations working without converting the port layer 3?
I was looking at the srr-queue command but I need to upgrade my IOS to support it. thank you for the feedback!
Hi Scott,
I'm using a Catalyst 4000, where I need to limit globally the bandwidth on the "uplink" to 12 Megabits/sec, so I followed your example and it works flawlessly. Thanks for the tip.
Now, I'm faced with another problem:
I need to keep the 12 Mbit/sec limitation, but inside this 12 Mbit/sec,
I want to limit some traffic to a specific network IP at 6 Mbit/sec:
so I want 12 Mbit max when going anywhere,
but no more than 6 Mbit when going to a specific network.
I don't want 6 Mbit to the specific network and 6 Mbit to the other destination (6+6=12 total ... but I'm limiting all to 6 Mbit -> not good)
and I don't want 6 Mbit to the specific network and 12 Mbit to other destination (6 + 12 = 18 total ... not good)
Is it possible to set up this kind of traffic limitation on one interface?
Thanks for any help you may provide me.
Hi,
I would like advice on non-IP traffic. I have a 4948 where I'm trying to limit the input bandwidth to 5mb for non-IP traffic at layer 2. Could anyone point me in the right direction for limiting box1 to 5mb input?
box 1 port 2 vlan2 port3 vlan2 box 2.
Any help would be greatly appreciated
Remember there are some versions of IOS / hardware on which the QoS commands are implemented but QoS is not operational. For example, I have some WS-C3550-24's running 12.1(20)EA1a; all the QoS commands are there but none of them cause any policing to actually take place. In fact, all the class-maps just log 0 packets / 0 bps.
Well, let me retract that. This particular C3550/IOS version is one that appears to support ingress policy only. Of course, outbound policy is the policy I *need*. This C3550/IOS accepts the "service-policy output" command but it is ignored (i.e. no error is generated when the command is typed, but the command never appears in the configuration).