Monday, September 23, 2013

Per ip_address flow rate-limiting

Have you ever had bandwidth hogs that kill your internet, and wanted to rate-limit their traffic? Here's a quick, simple method that polices each client based on its source address.

First, craft an ACL to match the client(s) or network(s).

e.g. (the sales dept, on networks 10.1.{0..3}.0/24)


ip access-list extended sales
 remark "whitelist addresses here, if any (a deny keeps the host out of the class)"
 deny   ip 10.1.0.0 0.0.0.0 any
 permit ip 10.1.0.0 0.0.3.255 any



Second, build a flow record keyed on the source address:

flow record sales-profile1
 description "sales-profile"
 match ipv4 source address

!

Now we build a class-map using match-all and apply it in a policy-map:

class-map match-all limit-sales
 match access-group name sales
 match flow record sales-profile1
!
!
!
policy-map police-traffic
 description "set QoS level based on depts"
 class limit-sales
  police 1000000 80000

Apply the policy-map to your interface and you are done. The match-all is critical: we want a packet to match the source address in the ACL and then the specific /32 source in the flow record, so each host gets its own policer rather than the whole department sharing one.
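As an added illustration (not part of the post, and not device code), here is a small Python model of what the class-map does: the ACL's first-match wildcard evaluation, with the deny line acting as a whitelist, followed by keying each permitted packet on its /32 source so every host lands in its own bucket. The sample packets are constructed.

```python
import ipaddress

# Constructed model of the post's ACL. Wildcard masks are Cisco-style:
# 0 bits must match, 1 bits are "don't care". First match wins; implicit deny.
SALES_ACL = [
    ("deny",   "10.1.0.0", "0.0.0.0"),    # whitelist: this host is never policed
    ("permit", "10.1.0.0", "0.0.3.255"),  # 10.1.0.0 - 10.1.3.255 (four /24s)
]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard test: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_action(acl, src: str) -> str:
    """Return 'permit' or 'deny' for the first matching entry (implicit deny)."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def classify(acl, packets):
    """Emulate class-map match-all: a packet enters the class only if the ACL
    permits it; the flow record then keys it on its /32 source, so each host
    gets its own policer bucket. Returns {source: bytes seen}."""
    buckets = {}
    for src, size in packets:
        if acl_action(acl, src) == "permit":
            buckets[src] = buckets.get(src, 0) + size
    return buckets

# Constructed sample traffic: (source address, bytes)
SAMPLE_PACKETS = [
    ("10.1.0.0", 1500),    # whitelisted host: deny -> not policed
    ("10.1.2.7", 1500),
    ("10.1.2.7", 1500),
    ("10.1.3.255", 64),    # last address covered by 0.0.3.255
    ("10.1.4.1", 1500),    # outside 10.1.0-3.x: implicit deny -> not in class
    ("192.168.1.5", 900),  # not sales at all
]

if __name__ == "__main__":
    for src, total in classify(SALES_ACL, SAMPLE_PACKETS).items():
        print(f"{src:<12} policed, {total} bytes in its own flow bucket")
```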



Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \
