The speed limit configuration is as follows:
! 192.168.1.2: the first entry matches download, the second matches upload
access-list rate_limit_1 extended permit ip any host 192.168.1.2
access-list rate_limit_1 extended permit ip host 192.168.1.2 any
! 192.168.1.3: the first entry matches download, the second matches upload
access-list rate_limit_2 extended permit ip any host 192.168.1.3
access-list rate_limit_2 extended permit ip host 192.168.1.3 any
class-map rate_limit_1
 match access-list rate_limit_1
class-map rate_limit_2
 match access-list rate_limit_2
policy-map rate_limit
 class rate_limit_1
  ! limit 192.168.1.2 upload speed to 99k/s
  police input 819000 4368000
  ! limit 192.168.1.2 download speed to 99k/s
  police output 819000 4368000
 class rate_limit_2
  ! limit 192.168.1.3 upload speed to 99k/s
  police input 819000 4368000
  ! limit 192.168.1.3 download speed to 99k/s
  police output 819000 4368000
! applied to the intranet interface
service-policy rate_limit interface inside
Note: Because the limit is per IP, each IP gets its own ACL with two entries, one matching upload and the other matching download. If all the IPs are written into one ACL, then the 99k/s limit applies to all of those IPs together. Be sure to write a separate ACL for each IP.
In police input 819000 4368000, the first value, 819000, is the base rate and the second value, 4368000, is the burst. The burst can be calculated with the formula maximum traffic / 8 * 1.5, but other values can also be used.
For example: police output 40000000 5625000 limits outbound traffic to below 40M bits, with a burst of 45M (5625000 bytes). Watch the units.
Note 1: This method of limiting traffic cannot be used on the outside interface. PAT is done on the outside port, so the addresses have already been translated by NAT and the matching destination and original addresses cannot be found. However, I tried any to any there and it can limit the traffic. A speed limit that specifies a particular source or destination address will not take effect.
Note 2: Questions about the rate
The rate given to police is in bps. Remember that this is bits, a rate unit, so to convert it to bytes, a storage unit, divide by 8.
Second, limit the total uplink and downlink rate of a network segment
To limit the 172.16.18.0/24 network segment, for example:
!
access-list pol extended permit ip any 172.16.18.0 255.255.255.0
access-list pol extended permit ip 172.16.18.0 255.255.255.0 any
!
class-map pol
 match access-list pol
!
policy-map pol
 class pol
  police input 3276500 600000
  police output 26214000 5000000
!
service-policy pol interface inside
!
Third, the method of using Object-group object grouping
Whether this ends up limiting the total uplink and downlink of the listed IPs, or limits the uplink and downlink of each individual IP, has not actually been tested. This way of writing looks convenient, so it is kept here for now.
Rather than changing the ACL each time, it is better to build an object group and reference that group in the ACL. Later, to put a speed limit on another IP, just add it to the object group.
object-group network rate_limit
 network-object host *.*.*.*
access-list rate_limit extended permit ip object-group rate_limit any
access-list rate_limit extended permit ip any object-group rate_limit
class-map map1
 match access-list rate_limit
policy-map map2
 class map1
  police output 200000 43750
  police input 800000 250000
service-policy map2 interface outside
Q: If, in
object-group network rate_limit
 network-object host *.*.*.*
the host entry is replaced with
 range x.x.x.2 x.x.x.90
does each IP get its own separate speed limit? Adding them one by one is still too much work.
A: I have not tried it, but it should work. Object grouping is really just a way of writing several ACL entries, so it works as long as the IP can be matched.
With show access-list you can see the effective ACL entries. In short, using object-group can greatly reduce the configuration workload.
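For the per-IP limit in the first section and the range question above, the script below generates one ACL and one class-map per host so that each address gets its own policer. It is an added example, not part of the original post: the function names are hypothetical, the naming scheme rate_limit_N follows the post, and the burst uses the post's rate / 8 * 1.5 rule.

```python
import ipaddress

def police_values(rate_bps):
    """Return (rate in bit/s, burst in bytes) using the post's rate / 8 * 1.5 rule."""
    if rate_bps <= 0:
        raise ValueError("rate must be positive")
    return rate_bps, rate_bps * 3 // 16   # /8 converts bits to bytes, *1.5 for burst

def expand_range(first, last):
    """List every IPv4 address from first to last, inclusive."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]

def per_host_policy(hosts, up_bps, down_bps, policy="rate_limit", interface="inside"):
    """Build one ACL and class-map per host, then one policy-map holding them all."""
    up_rate, up_burst = police_values(up_bps)
    down_rate, down_burst = police_values(down_bps)
    acl_part, class_part = [], [f"policy-map {policy}"]
    for i, host in enumerate(hosts, start=1):
        ipaddress.IPv4Address(host)        # raises ValueError on a malformed address
        name = f"{policy}_{i}"
        acl_part += [
            f"access-list {name} extended permit ip any host {host}",
            f"access-list {name} extended permit ip host {host} any",
            f"class-map {name}",
            f" match access-list {name}",
        ]
        class_part += [
            f" class {name}",
            f"  police input {up_rate} {up_burst}",     # upload, seen entering inside
            f"  police output {down_rate} {down_burst}",  # download, leaving inside
        ]
    return acl_part + class_part + [f"service-policy {policy} interface {interface}"]

if __name__ == "__main__":
    # Constructed sample: three inside hosts, 819000 bit/s in each direction.
    hosts = expand_range("192.168.1.2", "192.168.1.4")
    print("\n".join(per_host_policy(hosts, 819000, 819000)))
```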