Inbound Rate Limiting on Cisco Catalyst Switches

Posted on in networking

cover image for article

If you need to limit the inbound bandwidth of a switch port on a Cisco Catalyst, the key is in the QoS configuration. Rather than going into an depth discussion of QoS and how it works, let's skip that (check out Wikipedia to get started with that) and jump into the configuration details. This particular configuration was done on a Cisco Catalyst 2960.

As I mentioned, the key is QoS. The first thing you need to do is globally enable QoS with the mls qos configuration command. Once this command is enabled, QoS is enabled on all ports with default settings.

Next, we'll need an access-list to match traffic on. In this example, we are going to police all traffic coming through the switch port, so our access-list will match all IP addresses.

ip access-list extended ACL_SLAP
  permit ip any any

A class map is necessary to classify our traffic.

class-map match-all CLASS_SLAP
  match access-group name ACL_SLAP

The policy map dictates what we want done to the traffic class previously defined. The police configuration command sets our rate limit in this example to 8 Mbps the a burst size of 100 KB. The burst size is the trickiest part of this command. If the burst is set too low, your traffic will not be able to approach the maximum allowed throughput do to packet drops.

Because TCP window scaling halves the window size for each dropped packet, it's important to set the burst size at a level that doesn't impact performance. The rule of thumb is that the burst size should be double the amount of traffic sent at the maximum rate at a given round-trip time. In this example, I assumed a round-trip time of 50 ms which results in a burst size of 100 KB.

policy-map POLICY_SLAP
  class CLASS_SLAP
    police 8000000 100000 exceed-action drop

Finally, apply the policy-map to the switch port with the service-policy configuration command.

interface GigabitEthernet0/2
  service-policy input POLICY_SLAP

And now you're done. In our example, we configured a switch port to only allow inbound traffic at 8 Mbps. We won't be able to truly max the 8 Mbps, but we should come close. I've created a full text example that should be ready to copy and paste.

UPDATE: I recently added a post that discussues rate-limiting based on time of day. Check it out!

My Bookshelf

Reading Now

Other Stuff