CAR - Rate limit examples

CAR is a policing mechanism used to limit the transmission rate of some traffic flow. Cisco actually recommends using MQC policing for its modularity and features, but CAR is still used widely in most operational networks for its simplicity.

CAR can be used whenever you need to place a limit o­n upload/download traffic of any interface or any specific traffic flow passing through this interface. Rate-limit can be used to enforce your organization policy, bandwidth reservation method or even as a security mitigation technique.

CAR uses the token bucket algorithm to limit the transmission rate of data flows in or from network interfaces. In brief the bucket is filled up with number of tokens "determined by the configuration" every refresh interval; each passing packet removes a number of tokens from the bucket equal to its size. If the tokens are not enough to send this packet the packet is considered exceeding the limits and may be dropped, else the packet is conforming and can be forwarded.

CAR configuration:

1- Determine what type of traffic you want to rate limit and the limit value.
2- Determine traffic direction. Is it uploading or downloading/ in or out?
3- Apply the rate-limit command under the interface

Note: IP CEF must be enabled for the CAR to work.

Practical examples

1st example:

You may need to rate-limit HTTP traffic in your network so users can not exceed 256Kbps browsing the internet.


your-router(config)#access-list 180 permit tcp any any eq www
your-router(config)#int e0/0

your-router(config-if)#rate-limit output access-group 180 256000 48000 96000 conform-action transmit exceed-action drop

Or you can mark exceeding traffic without dropping using the exceed-action set-prec-transmit or set-dscp-transmit in order to allow other devices from handling this traffic as exceeding traffic.

Note: don't forget to determine the right direction of the traffic (in/out) through the interface.

2nd example:

Service providers may use rate-limiting to police customer traffic to conform to contracted policy.


CE router is connected to the PE by an Ethernet interface while the contracted rate is o­nly 256Kbps (using the same above values for simplicity). The following configuration can be used to limit the traffic both ways upload and download.

PE-router(config)#int e0/0
PE-router(config-if)#rate-limit output 256000 48000 96000 conform-action transmit exceed-action drop
PE-router(config-if)#rate-limit input 256000 48000 96000 conform-action transmit exceed-action drop

3rd example:

Using rate-limit as a security mitigation method is dicussed widely in this document "using CAR during DOS attacks"

To test the effect of you configuration use the command show interfaces rate-limit.

For more information o­n configuring CAR please consult the following link "rate-limit command reference"

Check Also

Best AI tools list