Hi James,

> On 7 Sep 2021, at 14:10, james list <[email protected]> wrote:
>
> Dear experts,
> I'd like to rate limit some ingress traffic coming from untrusted source to
> 10Mbs.
>
> I've an ASR1001X (16.3.7) and this is the config I'd place:
>
> *********************
> ip access-list extended ACL_10_203_231_129
>  permit ip any host 10.203.231.129
>
> class-map match-all CM_LIMIT_INGRESS
>  match access-group name ACL_10_203_231_129
>
> policy-map PM_LIMIT_INGRESS
>  class CM_LIMIT_INGRESS
>   police 10000000 5000000 5000000 conform-action transmit exceed-action drop violate-action drop
>  class class-default
>
> The PM is attached to tunnel interface:
>
> TUNNEL0
> service-policy input PM_LIMIT_INGRESS
>
> *********************
>
> Can you please confirm:
>
> 1) I'll not drop/limit other traffic

It won’t. It will apply the policy only to matching traffic (ACL ACL_10_203_231_129).

> 2) ASR1001X applies rate limit in hardware and not in software (in order to
> avoid CPU overload)

Hardware.

> 3) is there any mode to limit pps and not only bandwidth

I no longer remember this off the top of my head, but there’s a bunch of good QoS/HQoS presentations about ASR 1000 in particular on ciscolive.com that you can use as reference.

-- 
./
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
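Added example, not part of the thread and not Cisco code: a color-blind single-rate three-color token bucket in the style of RFC 2697, fed with the three numbers from the posted `police` line, assuming they mean bits per second, conform-burst bytes and excess-burst bytes. It shows how long a full 5,000,000-byte bucket lets a 20 Mbit/s flow through untouched and how the forwarded packet rate of a byte-based policer depends on packet size; the flows and function names are constructed for illustration.

```python
# Added example: single-rate three-color policer (RFC 2697 style, color-blind).
# Assumption: the posted values are bits/s, conform-burst bytes, excess-burst bytes.
CIR_BPS, BC_BYTES, BE_BYTES = 10_000_000, 5_000_000, 5_000_000


def police(packets, cir_bps=CIR_BPS, bc=BC_BYTES, be=BE_BYTES):
    """Return one verdict per (time_s, size_bytes) packet, in arrival order."""
    tc, te, last = float(bc), float(be), 0.0  # both buckets start full
    verdicts = []
    for t, size in packets:
        tc += (t - last) * cir_bps / 8  # refill in bytes since the last packet
        last = t
        if tc > bc:  # overflow of the conform bucket spills into the excess bucket
            te = min(float(be), te + tc - bc)
            tc = float(bc)
        if tc >= size:
            tc -= size
            verdicts.append("conform")  # conform-action transmit
        elif te >= size:
            te -= size
            verdicts.append("exceed")   # exceed-action drop
        else:
            verdicts.append("violate")  # violate-action drop
    return verdicts


def constant_flow(rate_bps, size, seconds):
    """Constructed input: evenly spaced packets of one size at rate_bps."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(rate_bps * seconds // (size * 8))]


def forwarded(packets, verdicts, t0, t1):
    """Number of packets transmitted with arrival time in [t0, t1)."""
    return sum(1 for (t, _), v in zip(packets, verdicts)
               if v == "conform" and t0 <= t < t1)


if __name__ == "__main__":
    for size in (1250, 64):
        flow = constant_flow(20_000_000, size, 12)  # offered at 2x the policed rate
        v = police(flow)
        early = sum(1 for (t, _), x in zip(flow, v) if x != "conform" and t < 3.9)
        print(f"{size:>5} B: drops in first 3.9 s = {early}, "
              f"steady-state forwarded = {forwarded(flow, v, 6, 12) / 6:.0f} pps")
```

In this model, because exceed and violate both drop, what gets forwarded depends only on the rate and the conform burst; the excess burst only changes which drop counter a packet lands in.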
