Blocks all traffic to or from the configured MAC address in the specified VLAN.
Command syntax
Switch(config)# mac address-table static mac_address vlan vlan_ID drop
Example
Switch(config)# mac address-table static 0000.abcd.efgh vlan 103 drop
Friday, 17 August 2012
CAR – Rate limit examples
Credit: Networkers-online.com
CAR is a policing mechanism used to limit the
transmission rate of some traffic flow. Cisco actually recommends using MQC
policing for its modularity and features, but CAR is still used widely in most
operational networks for its simplicity.
CAR can be used whenever you need to place a
limit on upload/download traffic of any interface or any specific traffic flow
passing through this interface. Rate limiting can be used to enforce your
organization's policy, as a bandwidth reservation method, or even as a security
mitigation technique.
CAR uses the token bucket algorithm to limit
the transmission rate of data flows into or out of network interfaces. In brief, the
bucket is filled with a number of tokens (determined by the configuration)
every refresh interval; each passing packet removes a number of tokens from the
bucket equal to its size. If there are not enough tokens to send a packet, the
packet is considered to exceed the limit and may be dropped; otherwise the packet
is conforming and can be forwarded.
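The token bucket described above, as a simplified single-bucket model in Python using the 256000 bps rate and 48000-byte normal burst from the first rate-limit example on this page. This is an added example, not code from the original post or from Cisco; the class and function names are hypothetical, refill is computed from elapsed time instead of a fixed refresh interval, and the 96000-byte extended burst is not modelled.

```python
# Added illustration: simplified single-bucket policer (not Cisco's implementation).
# Tokens are kept in units of 1/8000 byte so that bits/s * ms stays integer-exact.
SCALE = 8000  # (8 bits per byte) * (1000 ms per second)


class TokenBucketPolicer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.capacity = burst_bytes * SCALE
        self.tokens = self.capacity      # assumption: bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size_bytes):
        """Classify one packet as 'conform' or 'exceed'."""
        # Refill for the time elapsed since the previous packet, capped at the burst.
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.rate_bps)
        self.last_ms = now_ms
        cost = size_bytes * SCALE
        if cost <= self.tokens:
            self.tokens -= cost          # conforming packets spend tokens
            return "conform"
        return "exceed"                  # exceeding packets spend nothing


def police_flow(rate_bps, burst_bytes, size_bytes, gap_ms, duration_ms):
    """Run a constant-rate flow through the policer and summarise the verdicts."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    verdicts = [policer.offer(t, size_bytes) for t in range(0, duration_ms, gap_ms)]
    first_exceed = verdicts.index("exceed") if "exceed" in verdicts else None
    return {
        "conform": verdicts.count("conform"),
        "exceed": verdicts.count("exceed"),
        "first_exceed": first_exceed,
    }


if __name__ == "__main__":
    # Constructed traffic: 1500-byte packets for 10 s against 256000 bps / 48000 bytes.
    print("240 kbit/s offered:", police_flow(256000, 48000, 1500, 50, 10_000))
    print("1 Mbit/s offered:  ", police_flow(256000, 48000, 1500, 12, 10_000))
```

At 1 Mbit/s offered load the first 42 packets all conform because the bucket starts full, so a short burst passes the policer untouched before drops begin.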
CAR configuration:
1- Determine what type of traffic you want to rate limit and the limit value.
2- Determine traffic direction. Is it uploading or downloading/ in or out?
3- Apply the rate-limit command under the interface
Note: IP CEF must be enabled for CAR to work.
Practical examples
1st example:
You may need to rate-limit HTTP traffic in
your network so users cannot exceed 256Kbps browsing the internet.
Configuration:
your-router(config)#access-list 180 permit tcp any any eq www
your-router(config)#int e0/0
your-router(config-if)#rate-limit output access-group 180 256000 48000 96000 conform-action transmit exceed-action drop
Or you can mark exceeding traffic without
dropping it, using the exceed-action set-prec-transmit or set-dscp-transmit, to
allow other devices to handle this traffic as exceeding traffic.
Note: don’t
forget to determine the right direction of the traffic (in/out) through the
interface.
2nd example:
Service providers may use rate-limiting to
police customer traffic to conform to contracted policy.
Configuration:
The CE router is connected to the PE by an
Ethernet interface while the contracted rate is only 256Kbps (using the same
values as above for simplicity). The following configuration can be used to limit
the traffic in both directions, upload and download.
PE-router(config)#int e0/0
PE-router(config-if)#rate-limit output 256000 48000 96000 conform-action transmit exceed-action drop
PE-router(config-if)#rate-limit input 256000 48000 96000 conform-action transmit exceed-action drop
3rd example:
Using rate-limit as a security mitigation
method is discussed widely in this document: “using CAR during DOS attacks”.
To test the effect of your configuration, use
the command show interfaces rate-limit.
For more information on configuring CAR,
please consult the following link: “rate-limit command reference”.