Cisco IOS - rate limiting a server

The following example rate limits a server (in this case a webserver) to 8 Mbit/s in both directions (ingress and egress).
The example server below has an IP address of 192.168.0.10.
Access-list 100 selects the traffic that we will rate limit: the deny statements exempt traffic between the server and the internal private ranges, and the permit statements match everything else to or from the server.
The class-map defines matching packets, in this case those permitted by access-list 100.
The policy-map defines the policy that we are going to enforce and which class it affects.
Finally, the service-policy statements apply the policy to the interface that we want to rate limit (in this case the one facing our webserver).

class-map match-all rate-limit-webserver
 match access-group 100
policy-map rate-limit-webserver
 class rate-limit-webserver
  police 8000000 bps 8000000 byte conform-action transmit exceed-action drop
interface GigabitEthernet1/1
 description webserver 192.168.0.10
 service-policy input rate-limit-webserver
 service-policy output rate-limit-webserver
access-list 100 remark ----- Rate limit our webserver 192.168.0.10 -----
access-list 100 remark ----- Do not rate limit internal private ranges -----
access-list 100 deny ip host 192.168.0.10 10.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 host 192.168.0.10
access-list 100 deny ip host 192.168.0.10 172.16.0.0 0.15.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 host 192.168.0.10
access-list 100 deny ip host 192.168.0.10 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.0.10
access-list 100 remark ----- Rate limit webserver ingress/egress internet -----
access-list 100 permit ip host 192.168.0.10 any
access-list 100 permit ip any host 192.168.0.10
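
The classification logic of access-list 100, as an added example in Python (not part of the original page): it parses the entries, applies wildcard-mask matching with first-match-wins, and reports whether a flow would be classified for policing. The function names and the sample addresses used to exercise it are assumptions made for the illustration.

```python
import ipaddress

# access-list 100 entries for the webserver 192.168.0.10 (remarks omitted)
ACL_100 = """\
access-list 100 deny ip host 192.168.0.10 10.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 host 192.168.0.10
access-list 100 deny ip host 192.168.0.10 172.16.0.0 0.15.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 host 192.168.0.10
access-list 100 deny ip host 192.168.0.10 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.0.10
access-list 100 permit ip host 192.168.0.10 any
access-list 100 permit ip any host 192.168.0.10
"""

def _addr_spec(tokens):
    """Consume one address spec from tokens; return (base, wildcard) as integers."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[2] not in ("permit", "deny"):
            continue  # skip blank lines and remarks
        action, rest = tokens[2], tokens[4:]
        entries.append((action, _addr_spec(rest), _addr_spec(rest)))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    return (addr & ~wildcard & 0xFFFFFFFF) == (base & ~wildcard & 0xFFFFFFFF)

def is_policed(entries, src, dst):
    """First matching entry wins: permit = classified (policed), deny or no match = exempt."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in entries:
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return action == "permit"
    return False  # implicit deny: the packet is not matched by the class-map

ENTRIES = parse_acl(ACL_100)
```

Running the same check after editing the ACL catches an entry with a malformed address (parsing raises an error) or an internal range that ends up being policed.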