CAR - Rate limit examples
CAR (Committed Access Rate) is a policing mechanism used to limit the transmission rate of a traffic flow. Cisco actually recommends using MQC policing for its modularity and features, but CAR is still used widely in most operational networks for its simplicity.
CAR can be used whenever you need to limit upload or download traffic on an interface, or to limit a specific traffic flow passing through that interface. Rate limiting can be used to enforce your organization's policy, as a bandwidth reservation method, or even as a security mitigation technique.
CAR uses the token bucket algorithm to limit the transmission rate of data flows into or out of network interfaces. In brief, the bucket is filled with a number of tokens (determined by the configuration) every refresh interval; each passing packet removes a number of tokens from the bucket equal to its size. If there are not enough tokens to send a packet, the packet is considered to exceed the limit and may be dropped; otherwise the packet conforms and can be forwarded.
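The token bucket described above, as an added Python sketch (not code from the original page or from Cisco), using the 256000 bps rate and 48000-byte normal burst that appear in this page's rate-limit examples. Assumptions: the bucket starts full and refills continuously with elapsed time; the class and function names are hypothetical, and the extended burst value (96000) is not modelled.

```python
"""Single token bucket policer, following the description above (added example)."""
from dataclasses import dataclass, field


@dataclass
class TokenBucketPolicer:
    rate_bps: int      # committed rate, bits per second
    burst_bytes: int   # bucket depth in bytes (normal burst)
    tokens: float = field(init=False)
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # assumption: bucket starts full

    def police(self, now: float, size: int) -> str:
        """Return 'conform' or 'exceed' for a packet of `size` bytes at time `now`."""
        # Assumption: tokens accrue continuously with elapsed time, capped
        # at the bucket depth, instead of at discrete refresh intervals.
        earned = (now - self.last_seen) * self.rate_bps / 8
        self.tokens = min(float(self.burst_bytes), self.tokens + earned)
        self.last_seen = now
        if size <= self.tokens:
            self.tokens -= size      # the packet pays for itself in tokens
            return "conform"
        return "exceed"              # bucket untouched; exceed-action applies


def simulate(offered_bps, seconds, pkt_bytes=1500,
             rate_bps=256000, burst_bytes=48000):
    """Offer evenly spaced packets at `offered_bps` and count the verdicts."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    gap = pkt_bytes * 8 / offered_bps          # seconds between packets
    sent = int(seconds / gap)
    conform = sum(policer.police(i * gap, pkt_bytes) == "conform"
                  for i in range(sent))
    return {"sent": sent, "conform": conform, "exceed": sent - conform,
            "conform_bps": conform * pkt_bytes * 8 / seconds}


if __name__ == "__main__":
    # Constructed traffic: 10 s below the limit, then 10 s well above it.
    for load in (200_000, 1_000_000):
        print(load, simulate(load, 10))
```

Over a short window the conforming rate can sit above the configured 256000 bps, because the full bucket lets an initial burst of up to 48000 bytes through before the steady refill rate takes over.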
1- Determine what type of traffic you want to rate limit and the limit value.
2- Determine the traffic direction. Is it upload or download (in or out)?
3- Apply the rate-limit command under the interface.
Note: IP CEF must be enabled for CAR to work.
You may need to rate-limit HTTP traffic in your network so users cannot exceed 256Kbps when browsing the Internet.
your-router(config)#access-list 180 permit tcp any any eq www
your-router(config-if)#rate-limit output access-group 180 256000 48000 96000 conform-action transmit exceed-action drop
Alternatively, you can mark exceeding traffic instead of dropping it, using the exceed-action set-prec-transmit or set-dscp-transmit, so that other devices can handle it as exceeding traffic.
Note: don't forget to determine the right direction of the traffic (in/out) through the interface.
Service providers may use rate-limiting to police customer traffic to conform to contracted policy.
The CE router is connected to the PE by an Ethernet interface, while the contracted rate is only 256Kbps (using the same values as above for simplicity). The following configuration can be used to limit the traffic in both directions, upload and download.
PE-router(config-if)#rate-limit output 256000 48000 96000 conform-action transmit exceed-action drop
PE-router(config-if)#rate-limit input 256000 48000 96000 conform-action transmit exceed-action drop
Using rate-limit as a security mitigation method is discussed widely in this document: "using CAR during DOS attacks".
To test the effect of your configuration, use the command show interfaces rate-limit.
For more information on configuring CAR please consult the following link "rate-limit command reference"