CCIE Pursuit Blog

November 5, 2008

Question Of The Day: 05 November, 2008

“Yesterday’s” QoD:

Your co-worker has been tasked with limiting the amount of traffic inbound on interface fa0/0 from a device with the MAC address of 11-11-22-22-33-33 to 5Mbits/second.  Your boss has just informed him that there is more than 20Mbits/second inbound on that port from the device with that MAC address.  He turns to you and asks you to look at his configuration:

interface FastEthernet0/0
rate-limit input access-group 100 5000000 2500 2500 conform-action transmit exceed-action drop
!
access-list rate-limit 100 1111.2222.3333

Why are you receiving significantly more than 5Mbps inbound on interface f0/0 from the device with the MAC address of 1111.2222.3333?

Answer: Rate-limit command is wrong.  Should use ‘access-group rate-limit 100’ to reference rate-limit access-list 100, not ‘access-group 100’.

Congratulations to Brandon Bennett for absolutely nailing this one.

This is one of those technologies where you can make a simple mistake in the lab and never know that you made a mistake.  When you configure the rate-limit command you have the option of referring to an access-list OR a rate-limit access-list.  In order to refer to the rate-limit access-list you need to ensure that you use ‘access-group rate-limit’.  In our example we have inadvertently referenced access-list 100 – which does not exist:

interface FastEthernet0/0
rate-limit input access-group 100 5000000 2500 2500 conform-action transmit exceed-action drop
!
access-list rate-limit 100 1111.2222.3333

Note that you are matching extended ACL 100, NOT rate-limit access-list 100:

r1(config-if)#do sh int fa0/0 rate-limit
FastEthernet0/0
Input
matches: access-group 100
params:  5000000 bps, 2500 limit, 2500 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 2757436ms ago, current burst: 0 bytes
last cleared 00:00:45 ago, conformed 0 bps, exceeded 0 bps

Should be:

r1(config-if)#do sh int fa0/0 rate-limit
FastEthernet0/0
Input
matches: access-group rate-limit 100
params:  5000000 bps, 2500 limit, 2500 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 2557168ms ago, current burst: 0 bytes
last cleared 00:01:43 ago, conformed 0 bps, exceeded 0 bps

Since there is no ACL 100, no traffic is matched and rate-limiting is not active.  In real life you may become aware of this by someone screaming at you, but in the lab you could easily overlook this.
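As an added illustration (not code from the original post), here is a small Python audit that parses a running-config and flags any rate-limit statement whose referenced list is not defined, suggesting the other access-group form when a list of the other type with the same number exists. The sample config is constructed from this question, and only numbered ACLs are considered.

```python
import re

# Constructed sample running-config (not captured from a real device) that
# reproduces the mistake discussed above: the rate-limit line references
# access-group 100, but only a rate-limit access-list 100 is defined.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 rate-limit input access-group 100 5000000 2500 2500 conform-action transmit exceed-action drop
!
access-list rate-limit 100 1111.2222.3333
"""

# The two forms of the statement differ only by the optional 'rate-limit'
# keyword after 'access-group'; group 2 tells them apart.
RATE_LIMIT_RE = re.compile(
    r"^\s*rate-limit\s+(input|output)\s+access-group\s+(rate-limit\s+)?(\d+)\s+(\d+)\s"
)
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s")                  # numbered IP ACL
RL_ACL_RE = re.compile(r"^\s*access-list\s+rate-limit\s+(\d+)\s")  # CAR rate-limit ACL


def audit_car_config(config: str) -> list[dict]:
    """Return one dict per rate-limit statement whose referenced list is undefined.

    If a list of the *other* type with the same number exists, 'suggest' holds
    the access-group form the author most likely meant.
    """
    lines = config.splitlines()
    acls = {m.group(1) for m in map(ACL_RE.match, lines) if m}
    rl_acls = {m.group(1) for m in map(RL_ACL_RE.match, lines) if m}
    findings, current_if = [], None
    for line in lines:
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1]
            continue
        m = RATE_LIMIT_RE.match(line)
        if not m:
            continue
        direction, is_rl, number, bps = m.groups()
        defined, other = (rl_acls, acls) if is_rl else (acls, rl_acls)
        if number in defined:
            continue  # the reference resolves, so traffic really is policed
        referenced = f"access-group {'rate-limit ' if is_rl else ''}{number}"
        suggest = None
        if number in other:  # same number exists as the other list type
            suggest = f"access-group {'' if is_rl else 'rate-limit '}{number}"
        findings.append({"interface": current_if, "direction": direction,
                         "bps": int(bps), "referenced": referenced, "suggest": suggest})
    return findings
```

Running audit_car_config(SAMPLE_CONFIG) returns one finding for FastEthernet0/0 input with suggest set to 'access-group rate-limit 100'; the same config with the corrected keyword returns an empty list.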
