
Can't get rate-limiting to work (877, 12.4)


  • Can't get rate-limiting to work (877, 12.4)

    Hi all,

    Cisco 877, 12.4(24)T1.

    I run an FTP server inside the LAN, and my remote customers get files from it. I want to rate-limit the traffic so they don't kill my bandwidth. But it doesn't seem to be working.
    They are connecting with ACTIVE FTP, so it's just port 20 and 21.

    I've limited the traffic to 30000 (30KB), yet they are still able to download from my FTP server (192.68.1.50) at 45KB/s-50KB/s.

    My config is below.

    Many thanks.


    Code:
    !
    ! Last configuration change at 08:03:44 GMT Wed Sep 9 2009 by root
    ! NVRAM config last updated at 07:49:32 GMT Wed Sep 9 2009 by root
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    hostname Cisco877
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 52000
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.200
    ip dhcp excluded-address 192.168.1.241 192.168.1.254
    !
    ip dhcp pool CLIENTS
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1 
       dns-server 192.168.1.1 192.168.1.254 
       lease 0 12
    !
    !
    no ip cef
    ip domain name XX.local
    ip host xx.xx 192.168.1.50
    ip name-server XXX.74.113.XXX
    ip inspect name fw tcp timeout 3600
    ip inspect name fw udp timeout 3600
    login block-for 180 attempts 2 within 120
    login on-failure log
    login on-success log
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    !
    !
    username XX privilege 15 password 7 XX
    username XX password 7 XX
    ! 
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2
    !
    class-map match-all Traffic-Class-HighPriority
     match access-group 161
     match protocol rtsp
     match protocol ssh
    class-map match-all Traffic-Class-LowPriority
     match access-group 162
    !
    !
    policy-map Dialer0-Outbound
     class Traffic-Class-HighPriority
        priority percent 30
     class Traffic-Class-LowPriority
        police 30000
     class class-default
        fair-queue
    !
    !
    !
    !
    interface ATM0
     description ADSL Connection
     no ip address
     no atm ilmi-keepalive
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl enable-training-log 
     hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Virtual-Template1
     ip unnumbered Vlan1
     peer default ip address pool VPNPOOL
     no keepalive
     ppp encrypt mppe auto required
     ppp authentication ms-chap ms-chap-v2 chap
    !
    interface Vlan1
     description LAN
     ip address 192.168.0.254 255.255.255.0 secondary
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     hold-queue 100 in
     hold-queue 100 out
    !
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     ip access-group 120 in
     ip access-group 121 out
     ip nat outside
     ip inspect fw out
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication pap chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 XX
     ppp ipcp dns request
     service-policy output Dialer0-Outbound
     ip rtp header-compression iphc-format
    !
    ip local pool VPNPOOL 192.168.16.201 192.168.16.210
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    no ip nat service sip udp port 5060
    ip nat pool PASSIVEFTP 192.168.1.50 192.168.1.50 netmask 255.255.255.0 type rotary
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
    ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
    ip nat inside source list 102 interface Dialer0 overload
    ip nat inside destination list PASSIVEACL pool PASSIVEFTP
    !
    ip access-list standard SNMP-ALLOWED
     permit 192.168.1.50
     deny   any
    !
    !
    logging 192.168.1.50
    access-list 40 remark Control who can access the router via SSH
    access-list 40 permit 192.168.0.0 0.0.0.255
    access-list 40 permit 192.168.1.0 0.0.0.255
    access-list 102 remark Define NAT internal ranges
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 120 remark Allow public services
    access-list 120 remark This ACL should match the ip nat inside source static tcp lines
    access-list 120 permit tcp any any eq smtp
    access-list 120 permit tcp any any eq www
    access-list 120 permit tcp any any eq 443
    access-list 120 permit tcp any any eq 995
    access-list 120 permit tcp any any eq ftp
    access-list 120 permit tcp any any eq ftp-data
    access-list 120 permit tcp any any eq 1723
    access-list 120 permit tcp any any range 50000 50050
    access-list 120 permit gre any any
    access-list 120 permit icmp any any echo
    access-list 120 permit icmp any any echo-reply
    access-list 120 permit icmp any any source-quench
    access-list 120 permit icmp any any packet-too-big
    access-list 120 permit icmp any any time-exceeded
    access-list 120 deny   icmp any any
    access-list 120 remark Allow unrestricted UDP traffic to the Entanet DNS Servers
    access-list 120 permit udp host 195.74.113.58 eq domain any
    access-list 120 permit udp host 195.74.113.62 eq domain any
    access-list 120 permit udp host 195.74.102.146 eq domain any
    access-list 120 permit udp host 195.74.102.147 eq domain any
    access-list 121 remark Allow all outbound IP
    access-list 121 permit ip any any
    access-list 161 remark High Priority / Low Latency Traffic
    access-list 161 permit tcp any eq 3389 any
    access-list 161 permit tcp any any eq 3389
    access-list 161 permit udp any any
    access-list 161 permit icmp any any
    access-list 161 permit tcp any eq www any
    access-list 161 permit tcp any any eq www
    access-list 162 remark Low Priority Traffic
    access-list 162 permit tcp any any eq ftp-data
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    snmp-server community XX RW SNMP-ALLOWED
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     password 7 XX
     no modem enable
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     access-class 40 in
     exec-timeout 0 0
     privilege level 15
     password 7 XX
     transport input ssh
     transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    time-range WEEKDAY
     periodic weekdays 8:00 to 18:00
    !
    end

  • #2
    Re: Can't get rate-limiting to work (877, 12.4)

    You have applied the policy to the Dialer interface, but it should be applied to the ATM interface.
    Infrastructure Architect
    CCNA, CCNA Security, MCSE, JNCIS



    • #3
      Re: Can't get rate-limiting to work (877, 12.4)

      Many thanks for the really quick reply, it's appreciated.

      When I try to apply it to ATM I get an error:

      Code:
      policy-map ATM-QOS-Outbound
       class Traffic-Class-HighPriority
          priority percent 30
       class Traffic-Class-LowPriority
          police 30000
       class class-default
          fair-queue
       
      Cisco877#conf t
      Enter configuration commands, one per line.  End with CNTL/Z.
      Cisco877(config)#int ATM0
      Cisco877(config-if)#service-policy output  ATM-QOS-Outbound
      In PPP/PPPoE over ATM configuration, Attaching a service-policy to a main interface is not allowed in presense of virtual-access interface.
      Cisco877(config-if)#
      Any ideas?


      Jim



      • #4
        Re: Can't get rate-limiting to work (877, 12.4)

        Hmmmmm....the plot thickens.

        I found this post:

        http://forums.whirlpool.net.au/forum...m/1163145.html

        which explains a bug in 12.4, and a workaround. I've now added the rule to the correct interface:

        Code:
        class-map match-all Traffic-Class-HighPriority
         match access-group 161
         match protocol rtsp
         match protocol ssh
        class-map match-all Traffic-Class-LowPriority
         match access-group 162
        !
        !
        policy-map ATM-QOS-Outbound
         class Traffic-Class-HighPriority
            priority percent 30
         class Traffic-Class-LowPriority
            police 30000
         class class-default
            fair-queue
        !
        interface ATM0
         description ADSL Connection
         no ip address
         no atm ilmi-keepalive
         pvc 0/38
          encapsulation aal5mux ppp dialer
          dialer pool-member 1
         !
         dsl enable-training-log
         service-policy output ATM-QOS-Outbound
         hold-queue 200 in
        !
        access-list 162 remark Low Priority Traffic
        access-list 162 permit tcp any any eq ftp-data

        but no throttling seems to be taking effect:

        Code:
        Cisco877#show policy-map int
         ATM0
          Service-policy output: ATM-QOS-Outbound
            queue stats for all priority classes:
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 0/0
            Class-map: Traffic-Class-HighPriority (match-all)
              0 packets, 0 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match: access-group 161
              Match: protocol rtsp
              Match: protocol ssh
              Priority: 30% (249 kbps), burst bytes 6200, b/w exceed drops: 0
        
            Class-map: Traffic-Class-LowPriority (match-all)
              0 packets, 0 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match: access-group 162
              police:
                  cir 30000 bps, bc 1500 bytes
                conformed 0 packets, 0 bytes; actions:
                  transmit
                exceeded 0 packets, 0 bytes; actions:
                  drop
                conformed 0 bps, exceed 0 bps
            Class-map: class-default (match-any)
              11795 packets, 12998375 bytes
              5 minute offered rate 180000 bps, drop rate 0 bps
              Match: any
              Queueing
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
              (pkts output/bytes output) 0/0
              Fair-queue: per-flow queue limit 16
        and customers are still getting files at 75KB/s.



        Jim



        • #5
          Re: Can't get rate-limiting to work (877, 12.4)

          You have configured the priority percent of 30.

          I think that the "priority percent" uses the configured interface bandwidth to work out the allowed limit. What is the total amount of bandwidth you want to allocate?
          Last edited by BigDeesDad; 9th September 2009, 10:13.
          Infrastructure Architect
          CCNA, CCNA Security, MCSE, JNCIS



          • #6
            Re: Can't get rate-limiting to work (877, 12.4)

            All too complex for me, I'm very much a Cisco newbie.

            I can add the

            service-policy output ATM-QOS-Outbound

            line to ATM0 (via the workaround from that other forum). I can also add the same line (not at the same time) to the pvc 0/38 line, but I then get the same error:

            Code:
            In PPP/PPPoE over ATM configuration, Attaching a service-policy to a vc is not allowed in presense of virtual-access interface
            Looks like it's getting too complex for a newbie.



            • #7
              Re: Can't get rate-limiting to work (877, 12.4)

              I ended up applying the max_rate value into the VSFTPD (FTP server) configuration file. This allows per-user throttling, and I've throttled the particular user to 30KB/s. Looking at the logs, their downloads are now finishing at 29.28KB/s. So a result.



              Jim



              • #8
                Re: Can't get rate-limiting to work (877, 12.4)

                Two things:

                By using "match-all" it needs to match the ACL and the SSH and RTSP, which isn't going to happen.

                Also, your ACLs are the wrong way around for the direction the service policy is applied.

                Remember: to control your upload you can apply it on the WAN interface; however, if you want to control downloading, apply the policy to the LAN interface.

                You might have better luck with the "police" command too.


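The following is an added example, not configuration posted by anyone in this thread, showing how the OP's policy could be rewritten along the lines of the points raised in #8 (match-any instead of match-all, the ACL matching the direction the policy is applied in, and police). It assumes the OP's interface names (Dialer0, Vlan1) and FTP server address 192.168.1.50 from the posted config; ACL number 163, the class name Traffic-Class-FTPData, the policy name Dialer0-Outbound-v2, the 7500-byte burst and the 830 kbps bandwidth value are choices made for this example (830 is what the OP's own output implies, since "30% (249 kbps)" works out to roughly 830 kbps; set it to the real upstream sync rate). Two caveats a practitioner would want: the police rate is in bits per second ("cir 30000 bps" in the OP's show output), so 30 KB/s is 240000, not 30000; and "match protocol" relies on NBAR, which needs CEF, while the OP's config has "no ip cef".

```cisco
! Added example (not from any post in this thread). Assumes the OP's
! Dialer0 / Vlan1 interfaces and FTP server 192.168.1.50; ACL 163, the
! class/policy names, the burst and the bandwidth value are assumptions.
!
! Why the original Traffic-Class-LowPriority counted 0 packets: outbound on
! Dialer0, active-FTP data packets go server -> client with SOURCE port 20.
! "permit tcp any any eq ftp-data" matches destination port 20, i.e. the
! customers' ACKs coming the other way, so nothing in the outbound policy
! ever matched. The ACL below keys on the source port instead.
access-list 163 remark FTP data leaving the LAN for the customers
access-list 163 permit tcp host 192.168.1.50 eq ftp-data any
!
! match-any: a packet is high priority if it hits ACL 161 OR is rtsp OR is
! ssh. With match-all it would have to be all three at once.
! NOTE: "match protocol" needs NBAR, and NBAR needs "ip cef" enabled.
class-map match-any Traffic-Class-HighPriority
 match access-group 161
 match protocol rtsp
 match protocol ssh
class-map match-all Traffic-Class-FTPData
 match access-group 163
!
policy-map Dialer0-Outbound-v2
 class Traffic-Class-HighPriority
  ! priority percent is taken from the interface "bandwidth" value
  priority percent 30
 class Traffic-Class-FTPData
  ! police takes bits per second: 30 KB/s = 240000 bps.
  ! 7500-byte burst is an assumed value; actions are the defaults spelled out.
  police 240000 7500 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
interface Dialer0
 ! assumed upstream rate; "priority percent 30" is computed from this
 bandwidth 830
 no service-policy output Dialer0-Outbound
 service-policy output Dialer0-Outbound-v2
!
! Verification while a customer is downloading: the FTPData class should
! now show a non-zero packet count and "exceeded ... drop" counters
! climbing, and ACL 163 should show matches.
!   show policy-map interface Dialer0
!   show access-lists 163
```

If the limit is wanted on the LAN side instead (the placement #8 describes for download control), the same class and police statement can be applied with "service-policy input" on Vlan1, where the packets from 192.168.1.50 enter the router; the ACL direction stays the same because the traffic is still server-to-customer.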