Monday, September 23, 2013

Per ip_address flow rate-limiting

Have you ever had bandwidth hogs that kill your internet connection and wanted to rate-limit their traffic? Here's a quick and simple method based on the client's source address.

First, craft an ACL to match the client(s) or network(s).

e.g. the sales department on networks 10.1.{0..3}.0/24 (i.e. 10.1.0.0/22)

ip access-list extended sales
 remark "whitelist address here if any"
 permit ip 10.1.0.0 0.0.3.255 any
 deny   ip any any

Second, build a flow record keyed on the source address.

flow record sales-profile1
 description "sales-profile"
 match ipv4 source address


Now we build a class-map using match-all and apply it in a policy-map:

class-map match-all limit-sales
 match access-group name sales
 match flow record sales-profile1
policy-map police-traffic
 description "set QoS level based on depts"
 class limit-sales
  police 1000000 80000

Then apply the policer to your interface and you are done. The match-all is critical: the ACL matches the source networks, and the flow record then splits that traffic into the specific /32 sources so each one is policed individually.
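As an added example (not from the original post), here is a small Python generator that emits the ACL, flow record, class-map and policy-map above for any number of departments, converting each CIDR prefix into the wildcard mask IOS ACLs expect; the department list, rates and the "-profile1" naming are constructed from the post's sales example.

```python
import ipaddress

# Constructed sample: the sales department networks and policer values from the post.
DEPARTMENTS = {
    "sales": {
        "networks": ["10.1.0.0/22"],   # covers 10.1.0.0/24 .. 10.1.3.0/24
        "cir_bps": 1000000,            # police rate in bits per second
        "bc_bytes": 80000,             # conform burst in bytes
    }
}

def wildcard(network: str) -> str:
    """Return 'address wildcard' as IOS ACLs expect (10.1.0.0/22 -> 10.1.0.0 0.0.3.255).
    strict=True rejects a prefix with host bits set, which would silently match the wrong range."""
    net = ipaddress.ip_network(network, strict=True)
    return f"{net.network_address} {net.hostmask}"

def build_config(departments: dict) -> list:
    lines = []
    for dept, spec in departments.items():
        # 1) ACL: any whitelist entries belong before the permits; end with an explicit deny.
        lines += [f"ip access-list extended {dept}",
                  " remark whitelist addresses here if any"]
        lines += [f" permit ip {wildcard(n)} any" for n in spec["networks"]]
        lines.append(" deny   ip any any")
        # 2) flow record keyed on the IPv4 source address -> one flow per /32 source
        lines += [f"flow record {dept}-profile1",
                  f" description {dept}-profile",
                  " match ipv4 source address"]
        # 3) class-map must be match-all: the ACL selects the subnets, the flow record
        #    splits that traffic per source so each host is policed on its own
        lines += [f"class-map match-all limit-{dept}",
                  f" match access-group name {dept}",
                  f" match flow record {dept}-profile1"]
    # 4) a single policy-map holds one class per department
    lines += ["policy-map police-traffic", " description set QoS level based on depts"]
    for dept, spec in departments.items():
        lines += [f" class limit-{dept}", f"  police {spec['cir_bps']} {spec['bc_bytes']}"]
    return lines

if __name__ == "__main__":
    print("\n".join(build_config(DEPARTMENTS)))
```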

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
       /     \
