Still cannot perform rate-limiting on SVI
fonestar1978
Banned Posts: 55 ■■□□□□□□□□
Hi there..
I have been asked to rate-limit a particular dorm that has people downloading a lot of stuff on their network. They attach via a wireless router to a Cisco 3560 switch and then that goes through a wireless link to a Cisco 3750 and onto the 2900 Router.
I have had success performing rate-limiting on routers before but that is on Layer 3 FastEthernet ports. These guys go straight into the vlan instead. It doesn't seem to matter whether I apply the rate-limiting at the 3560, the 3750 or the 2900. It just doesn't seem to work on SVIs!
I have tried using the old way on the vlan interface, i.e. "rate-limit input ....", and also using policy map cir and that doesn't work either. If it helps here is a simple diagram if you can help me pls..
[WIFI-USERS] -vlan30->[WRT54G]-vlan30->[C3560]-vlan30->[C3750]-vlan30->[C2900]
My understanding is the rate-limiting has to be performed before the traffic enters the vlan? But what if you don't have any L3 ports to work with?
Comments
-
Forsaken_GA Member Posts: 4,024
Ok, the way that diagram is set up leads me to believe that the gateway for the vlan is on the 2900. If that's the case, I'm not surprised that rate limiting on your SVIs isn't working. If the traffic can just trunk right up to the 2900, it'll never pass through the SVIs, so they'll never hit the rate limit commands.
You should be able to rate limit on the 2900. If you need to do it on the 3560, you'll need to rate limit ports, or else break the vlan into a different subnet that uses an SVI on that switch as its default gateway.
-
chrisone Member Posts: 2,278 ■■■■■■■■■□
Why don't you just rate-limit on the outbound interface on the 2900 attached to the ISP? Stop trying to cut it close to the source host, just nail them trying to go out. It doesn't matter how many VLANs might be involved, in the end the packet will go out the outside interface attached to the ISP. Do some tests on GNS as far as setting up the QoS on an interface.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
-
Forsaken_GA Member Posts: 4,024
It sounds like it's the ingress traffic (he mentioned downloading as being the problem) that's the issue, not the outbound. And it sounds like he doesn't want to affect anyone else's traffic, just those guys on vlan30.
If he's doing all his routing on the 2900 (that diagram looks like a RoaS setup), then I'd just shape the outbound traffic for that vlan's subinterface and leave everyone else alone. Hard to make a recommendation without any more specific information.
-
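The shaping approach suggested in the reply above, sketched as an added example that is not part of the original thread. It assumes the 2900 routes VLAN 30 on a dot1Q subinterface (router-on-a-stick); the interface name, policy name and the 10 Mbps rate are placeholders. Shaping outbound on that subinterface limits traffic heading toward the dorm, which is the download direction.

```cisco
! Assumption: VLAN 30 is routed on a dot1Q subinterface of the 2900.
! GigabitEthernet0/1.30, SHAPE-VLAN30 and 10000000 bps are placeholders.
!
! Shape everything leaving the subinterface (toward VLAN 30) to 10 Mbps.
policy-map SHAPE-VLAN30
 class class-default
  shape average 10000000
!
! Attach the policy in the output direction on the VLAN 30 subinterface only,
! so other VLANs on the same trunk are not affected.
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 service-policy output SHAPE-VLAN30
!
! Check counters from exec mode:
!   show policy-map interface GigabitEthernet0/1.30
```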
APA Member Posts: 959
Do you want to prevent the traffic from coming into the network before getting to the VLAN 30 sub-interface?
I don't see the point in policing\car at the Vlan30 sub-interface...... especially if the issue is rate-limiting the amount of inbound traffic that a particular network can consume....
If you don't rate-limit at the ingress point (ISP WAN Interface)..... then the traffic is still going to enter the network and potentially cause a bottleneck...if that is indeed the reason for wanting to rate-limit in the first place...
If you can clearly define\identify the VLAN30 traffic at ingress... then use CAR with a matching access-list to match only on traffic to VLAN30 network and therefore only rate-limit that network...
Otherwise the next best bet is to rate limit at the sub-interface....
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
-
creamy_stew Member Posts: 406 ■■■□□□□□□□
How about you start by posting the link to the last time you asked about this?
Also, it seems you're running a straight L2 vlan (30).
How do you expect to rate limit/police at layer 3 (SVI)?
Post the config of the 3560 port where the wrt54 connects.
What you want is to config egress policing/shaping on that port.