Cisco: Time-based, Inbound Rate Limiting

Posted on in Networking

cover image for article

Slaptijack reader Raj is looking for a way to limit inbound traffic on his switch ports based on the time of day. Specifically, he wants to restrict speed to 256 Kbps between 9 AM and 9 PM, and allow up to 1 Mbps the rest of the day. I've done something similar to this in the past, but with only one restriction, not two. Hopefully, this configuration will work!

Note: This post is based on the work of a previous post on Cisco Catalyst rate limiting. Although I know this will work in some cases, it may not work in yours. In other words, your mileage may vary.

Raj, the key to time-based rate limiting is to use the time range command built into IOS. In your case, we want to define the time range from 9 AM to 9 PM:

time-range DAILY-0900-2100
 periodic daily 7:00 to 21:00

Next, we need our access lists:

ip access-list extended ACL-0900-2100
 permit ip any any time-range DAILY-0900-2100
ip access-list extended ACL_ALL_HOURS
 permit ip any any

And now our class maps to define which traffic to match:

class-map match-all 256K
 match access-group name ACL-0900-2100
class-map match-all 1M
 match access-group name ACL_ALL_HOURS

And finally, our policy map:

policy-map POLICY-IN
 class 256K
  police 256000 8000 exceed-action drop
 class 1M
  police 1000000 12500 exceed-action drop

Put it all together, and it looks like this:

time-range DAILY-0900-2100
 periodic daily 7:00 to 21:00
!
ip access-list extended ACL-0900-2100
 permit ip any any time-range DAILY-0900-2100
ip access-list extended ACL_ALL_HOURS
 permit ip any any
!
class-map match-all 256K
 match access-group name ACL-0900-2100
class-map match-all 1M
 match access-group name ACL_ALL_HOURS
!
policy-map POLICY-IN
 class 256K
  police 256000 8000 exceed-action drop
 class 1M
  police 1000000 12500 exceed-action drop

Related Reading:

Slaptijack's Koding Kraken