
QOS: Configuring Policing using the access-list rate-limit command

Let’s say you have a scenario that asks you to configure R2 such that all inbound traffic marked with an IP precedence of 5 or 3 is limited to a maximum of 1 Mbps. Anything above this rate should be discarded.

Sounds simple enough. What are the different IOS tools you can use to accomplish this?

Method 1: MQC

ip access-list extended PRECEDENCE53
 permit ip any any precedence 5
 permit ip any any precedence 3

class-map match-any PRECEDENCE53
  match access-group name PRECEDENCE53
!
!
policy-map CAR
  class PRECEDENCE53
     police 1000000 35000 35000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 service-policy input CAR

Pretty simple really. We have used an extended access-list that matches IP Precedence values 5 and 3 in the class “PRECEDENCE53”. All traffic in that class will be policed to 1 Mbps (the normal and maximum burst sizes have both been set to 35,000 bytes).

Let’s verify this:

Verification:

R2#sh policy-map int f0/0
 FastEthernet0/0 

  Service-policy input: CAR

    Class-map: PRECEDENCE53 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name PRECEDENCE53
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
        1000000 bps, 35000 limit
        conformed 0 packets, 0 bytes; action: transmit
        exceeded 0 packets, 0 bytes; action: drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      17 packets, 1258 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 

Looks good. How about we do the same thing, but this time using the traditional rate-limit command?

Method 2: Rate-Limit with extended access-list

access-list 101 permit ip any any precedence 5
access-list 101 permit ip any any precedence 3
!
interface FastEthernet0/0
 rate-limit input access-group 101 1000000 35000 35000 conform-action transmit exceed-action drop

Not much different really (just less typing!). Let’s verify this:

Verification:

R2#sh int f0/0 rate-limit 

FastEthernet0/0
  Input
    matches: access-group 101
      params:  1000000 bps, 35000 limit, 35000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 97872632ms ago, current burst: 0 bytes
      last cleared 00:00:07 ago, conformed 0 bps, exceeded 0 bps

Looks great.

Method 3: Access-list rate-limit command

Now, for the twist! I’m going to add one more condition. We are only allowed to have a 1-line ACL for this. What the?! How are we going to do that? The extended access-lists (whether named or numbered) only allow you to match one precedence per line! Enter the access-list rate-limit command!

There is always more than one way to skin a cat (poor cat!…whoever came up with that expression is one sick puppy). The CCIE exam often forces us to perform a task in multiple ways. Each method acts like a little tool in your toolkit that you can whip out at a moment’s notice. This is no exception.

Let’s take a look at that rate-limit command closely:

R2(config)#int f0/0
R2(config-if)#rate-limit input access-group ?
  <1-2699>    Access list index
  rate-limit  Match rate-limit access list

R2(config-if)#rate-limit input access-group rate-limit ?
  <0-99>     Rate-limit prec access list index
  <100-199>  Rate-limit mac access list index
  <200-299>  Rate-limit exp access list index

Looks like when you define an access-list on the rate-limit command, you have the option of specifying a special type of access list.

R2(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1000-1099>       IPX SAP access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1200-1299>       IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <300-399>         DECnet access list
  <400-499>         XNS standard access list
  <500-599>         XNS extended access list
  <600-699>         Appletalk access list
  <700-799>         48-bit MAC address access list
  <800-899>         IPX standard access list
  <900-999>         IPX extended access list
  dynamic-extended  Extend the dynamic ACL abolute timer
  rate-limit        Simple rate-limit specific access list

See that right at the end there (I never really noticed it before today either!). What the hell is that thing?

R2(config)#access-list rate-limit ?
  <0-99>     Precedence ACL index
  <100-199>  MAC address ACL index
  <200-299>  mpls exp ACL index

Well, looks like we can match Precedence, MAC address, or MPLS experimental bits. We want Precedence…

R2(config)#access-list rate-limit 1 ?
  <0-7>  Precedence
  mask   Use precedence bitmask

Looks promising. I wonder if you can specify more than one Precedence? That would solve our problem!

R2(config)#access-list rate-limit 1 7 ?
  <cr>

Doh! Damn. But what about that mask option? Well, it turns out that, according to the access-list rate-limit documentation, we can specify more than one precedence value using a mask! Cool!

R2(config)#access-list rate-limit 1 mask ?
  <0-FF>  Precedence bit mask

There are 8 IP precedence values (0-7). To calculate the rate-limit mask, note that each bit of the 8-bit mask corresponds to one IP Precedence value (bit 0 = precedence 0, bit 7 = precedence 7), so:

IP Precedence value    Rate-limit mask bit (binary)
0                      00000001
1                      00000010
2                      00000100
3                      00001000
4                      00010000
5                      00100000
6                      01000000
7                      10000000

So if I want to match IP Precedence 5 and 3, that’s (bitwise OR of the two):

00100000 + 00001000 = 00101000

Converting 00101000 to hex gives us 0x28 (the CLI takes the mask as hex, without the 0x prefix).

So the corresponding rate-limit mask to match IP precedence 5 and 3 is:

R2(config)#access-list rate-limit 1 mask 28
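To make the mask arithmetic above reusable (and checkable), here is a small Python helper. It is an added example and not part of the original post or of IOS; it only encodes the bit-to-precedence mapping from the table (bit n of the mask selects IP Precedence n) and decodes a mask back, so you can confirm before pasting a config that a given mask really covers the precedences you intended and nothing else. The TOS byte values used at the bottom are constructed samples.

```python
# Added example (not from the original post): build and decode the
# precedence bitmask used by "access-list rate-limit <0-99> mask <0-FF>".
# Bit n of the mask selects IP Precedence n (bit 0 = precedence 0).

def rate_limit_mask(precedences):
    """Return the 8-bit mask (as an int) that matches every precedence listed."""
    mask = 0
    for p in precedences:
        if not 0 <= p <= 7:
            raise ValueError(f"IP precedence must be 0-7, got {p}")
        mask |= 1 << p          # set the bit for this precedence value
    return mask


def mask_to_cli(mask):
    """Render the mask the way the CLI help (<0-FF>) expects: hex, no 0x prefix."""
    if not 0 <= mask <= 0xFF:
        raise ValueError("mask must fit in 8 bits")
    return f"{mask:02X}"


def precedences_from_mask(mask):
    """Decode a mask into the sorted list of precedence values it matches.
    Useful for auditing a mask found in a running config."""
    return [p for p in range(8) if mask & (1 << p)]


def precedence_of_tos(tos):
    """IP precedence is the top three bits of the IPv4 TOS byte."""
    return (tos >> 5) & 0x7


def packet_matches(mask, tos):
    """True if a packet carrying this TOS byte would be caught by the rate-limit ACL."""
    return bool(mask & (1 << precedence_of_tos(tos)))


if __name__ == "__main__":
    m = rate_limit_mask([5, 3])
    print(f"access-list rate-limit 1 mask {mask_to_cli(m)}")   # mask 28
    print("mask 0x28 matches precedences", precedences_from_mask(0x28))  # [3, 5]
    # Constructed TOS bytes: 0xA0 -> precedence 5, 0x60 -> precedence 3, 0x00 -> precedence 0
    for tos in (0xA0, 0x60, 0x00):
        print(f"TOS 0x{tos:02X} (prec {precedence_of_tos(tos)}) policed: {packet_matches(m, tos)}")
```

Run it as-is and it prints the exact `mask 28` line used in the final configuration; feed `precedences_from_mask` a value copied from `show access-lists` to see which precedences an existing rate-limit ACL really covers.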

Our final configuration then (using a 1 line access-list) is:

access-list rate-limit 1 mask 28
!
interface FastEthernet0/0
 rate-limit input access-group rate-limit 1 1000000 35000 35000 conform-action transmit exceed-action drop

Verification:

R2#sh int f0/0 rate-limit 

FastEthernet0/0
  Input
    matches: access-group rate-limit 1
      params:  1000000 bps, 25000 limit, 25000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 100597644ms ago, current burst: 0 bytes
      last cleared 00:33:18 ago, conformed 0 bps, exceeded 0 bps

R2#sh access-lists
Rate-limit access list 1
    mask 28

So we have managed to solve the scenario in two lines! Bring on those “use the minimum configuration possible” questions! Hope this helps! Now back to labs.

Discussion

6 comments for “QOS: Configuring Policing using the access-list rate-limit command”

  1. Excellent !!! Very comprehensive and clear presentation of facts – I would say the best I have read on this topic – Keep up the good work

    Posted by Wasantha Fernando | July 13, 2008, 11:17 am
  2. Hi arden,

    First of all, thanks for all your excellent articles… your blog is a real pleasure to read.
    Is there a problem with the “Print this post” link… each time I click on it, I got the following message: “Oops!
    Looks like the page you’re looking for has been moved or had its name changed. Or maybe it’s just fate. You could use the search box in the header to search for what you’re looking for, or begin again from the home page.”
    Is it possible to fix it? (TIA)

    And please give us more article about VoIP,CCME,QOS…
    Thanks again.

    Posted by raybones | August 7, 2008, 7:01 am
  3. Hi Raybones,

    Thanks for the heads up. It seems one of my plugins broke with the wordpress upgrade. I’ll see if I can get it fixed. Thanks again.

    *Update*: All fixed!

    Posted by Arden Packeer, CCIE #20716 | August 7, 2008, 10:54 am
  4. Thanks a lot Arden.

    Posted by raybones | August 8, 2008, 9:39 am
On method 1 (MQC):

    Is there any reasoning why you chose an extended access-list rather than using match ip precedence inside the class-map?

    Just curious.

    Thx

    Posted by toni | April 30, 2009, 5:20 pm
Thanks a lot man
    U r rocking

    Posted by Abid Nazeer | May 4, 2009, 5:32 pm