Per ip_address flow rate-limiting

Have you ever had bandwidth hogs that kills your internet? And you want to rate limit their traffic.Here's a quick simple means based on the client source address.

1st craft a acl to match the client(s) or network(s)

e.g ( sales dept and networks 10.1.{0..3}.0/24 )

ip access-list extended sales

 remark "whitelist address here if any"

 deny   ip 10.1.0.0 0.0.0.0 any

 permit  10.1.0.0 0.0.3.255

2nd, built flow record based on source-addr

flow record sales-profile1

 description "sales-profile"

 match ipv4 source address

!         

Now we make map-class using the match-all  & apply this to a policy-map;

class-map match-all limit-sales
  match access-group name  sales

  match flow record sales-profile1
!

!
!
policy-map police-traffic

 description "set QoS level based on depts"
 class limit-sales
    police 1000000 80000

And you apply the policer to your interface and your are done. The match-all is critical since we want to match the src_address and then the specific /32 sources in the flow record.

Ken Felix

Freelance Network / Security Engineer

kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^

=(  @   @ )=

          o

       /     \