Cisco 877 download rate limiting

Filed under: Geekiness — iain @ 16:37:16

I’m in the process of migrating to a different ISP. Whereas until now I have been on a flat rate for download usage, the new provider charges significantly more for downloads between 0900 and 1800 on weekdays.

As I have a Cisco 877 router I should be able to throttle downloads during peak times and save myself money compared to the plan I’ve been using.

Note that the ISP doesn’t charge for excessive upload so my work was focussed 100% on download throttling.

The first thing to do was set up a time-range so the router knows what peak time is. Well actually the zeroth thing to do was configure my timezone correctly.

    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last sun Oct 2:00

Now I could define the time range.

    time-range peak
     periodic weekdays 9:00 to 17:59

Just for fun I set up an off-peak time range.

    time-range off-peak
     periodic weekdays 0:00 to 8:59
     periodic weekdays 18:00 to 23:59
     periodic weekend 0:00 to 23:59

The sh time-range command verifies that these are set up.

    # sh time-range
    time-range entry: off-peak (active)
       periodic weekdays 0:00 to 8:59
       periodic weekdays 18:00 to 23:59
       periodic weekend 0:00 to 23:59
    time-range entry: peak (inactive)
       periodic weekdays 9:00 to 17:59

The off-peak range shows as active which is correct because it’s Sunday at time of writing.

Next I created an access list which would match any connection at peak time.

    ip access-list extended peak
     permit ip any any time-range peak

At this point I could have just set things up so downloads were throttled at peak times but that would have been inelegant and I wanted more control. For instance Rebecca will be at home working during the day and she wants to be able to download her mail and make calls to China with Skype. So for want of a better idea I decided to set up five usage categories:

  1. Default Anything I forget about and don’t fit into one of the subsequent categories. Limited to 64kbps.

  2. Lowest: Stuff that has no business running during the day, like Bittorrent. Limited to 32kbps.

  3. Low: Stuff like Steam automatic downloads and SSH. Limited to 128kbps.

  4. Medium: Stuff which could well run during the day and which shouldn’t be horrendously slow but which I don’t want spiralling out of control. Skype and HTTP for example. Limited to 256kbps.

  5. High: For things that gotta do what they gotta do. Mail, DNS etc. Limited to 1Mbps.

Now I set up a class-map for each protocol I was interested in. The Cisco 877 has some protocol information builtin such as for Skype:

    class-map match-any skype
     match protocol skype

Others can be defined manually with access lists.

    ip access-list extended steam
     permit tcp any range 27014 27050 any

    class-map match-any steam
     match access-group name steam

Further class maps allow grouping of protocols according to the classification defined earlier. Here’s medium. lowest, low and high are similar. These are match-any classes which match any of the listed protocols.

    class-map match-any medium
     match class-map http
     match class-map skype

A final set of class maps match only at peak time. These are match-all classes so both criteria – it’s peak time and it’s a particular protocol class – must match. Here’s peak-medium.

    class-map match-all peak-medium
     match access-group name peak
     match class-map medium

One more class, peak-default acts as the catchall.

    class-map match-all peak-default
     match access-group name peak
     match not class-map lowest
     match not class-map low
     match not class-map medium
     match not class-map high

With those classes defined we can now set up a policy-map which assigns a DSCP tag to traffic matching particular classes.

    policy-map peak
     class peak-default
      set dscp 1
     class peak-lowest
      set dscp 2
     class peak-low
      set dscp 3
     class peak-medium
      set dscp 4
     class peak-high
      set dscp 5

To convert these policies into actual rate limiting we set rate-limit rules matching the defined DSCP values on the ADSL interface, which for me is Dialer0.

rate-limit expects three numbers: a target bitrate, a normal burst rate and a maximum burst rate. Cisco recommend setting the normal parameter as 1.5/8 x the target and the maximum as twice the normal. So for the 128kbps profile (DSCP 3) the numbers are 128000 24000 48000. If in doubt just multiply the target rate by 0.1875 for the second number and then double it…

    interface Dialer0
     rate-limit input dscp 1 64000 12000 24000 conform-action transmit exceed-action drop
     rate-limit input dscp 2 32000 6000 12000 conform-action transmit exceed-action drop
     rate-limit input dscp 3 128000 24000 48000 conform-action transmit exceed-action drop
     rate-limit input dscp 4 256000 48000 96000 conform-action transmit exceed-action drop
     rate-limit input dscp 5 1024000 192000 384000 conform-action transmit exceed-action drop

Actually there is one more thing. As it stands the configuration won’t have any effect. We have to apply the service policy to the interface for the magic to happen.

    interface Dialer0
     service-policy input peak

Initial testing suggests that this works. A Steam download at peak time claims to run at 7kBps and at 800kBps at off-peak. Temporarily adding a line to the peak time range allows easy testing when the actual time is off-peak.

I’m sure I’ll need to tweak the download rates and/or move protocol definitions around as real life usage patterns become apparent but the underlying concepts work well enough.


  1. Hi,
    I’ve been doing some reading on the rate-limit command and I came across your blog. Excellent writeup i have to say …

    I’m trying to understand if I can apply the same to a VLAN on my Core switch, which is a Cisco Catalyst 3750G (AdvancedServices IOS image). Based on some Cisco docs that I read, I can match the traffic based on my ACL without using class-map. Can you confirm if my understanding is correct?

    Basically, I’m trying to limit incoming email traffic on my LAN to 512Kbps, between 9am and 1pm . Will the below help me achive this:

    time-range Email-0900-1300
    periodic sundary monday tuesday wednesday thursday 9:00 to 13:00
    ! The IP etc are fictitious ip addresses from which I’m expecting incoming emails
    ip access-list extended Email-0900-1300
    permit ip host any time-range Email-0900-1300
    permit ip host any time-range Email-0900-1300
    permit ip host anytime-range Email-0900-1300

    interface vlan 10
    rate-limit input access-group Email-0900-1300 512000 96000 192000 conform-action transmit exceed-action drop

    Thank you for your input …


    Comment by mankool — 2011-09-15 @ 10:06:49

  2. I don’t know about matching directly with an ACL without having to use class-map. If your docs say you can then it’s worth a try.

    In any event I wouldn’t recommend using rate-limit. In a later post I commented that I saw better results with police. So it would be something this (your formula looks correct to limit at 512kbps):

    class-map match-any Email-0900-1300
    match access-group name Email-0900-1300
    policy-map vlan10-incoming
    class Email-0900-1300
    police 512000 96000 192000 conform-action transmit exceed-action drop violate-option drop
    interface Vlan 10
    service-policy input vlan10-incoming

    Comment by iain — 2011-09-15 @ 11:38:45

  3. Hi Iain,
    Thank you for the prompt reply. I tried the rate limit in my test lab using a 3550 and a 3750 but to no effect. I even set my acl to ‘permit ip any any’ and even that didn’t help cause when I did a show int vlan10 rate-limit I didn’t see the “conform” counter increase :(

    Moreover, I did a file transfer across the switches (a laptop connected at each end) and didn’t notice a drop in the transfer rate.

    Moving on, I tried the class-map command that you suggested and I’m getting the following error:

    %QoS: policy-map with police action at parent level not supported on Vlan10 interface.

    Any clue on this? I read this post on cisco forums that talks about using “mls qos vlan-based” but that is for individual ports and not an EtherSVI.

    The IOS on my 3750 is 12.2(50)SE1 so it should suport EtherSVI

    Comment by mankool — 2011-09-18 @ 13:49:52

  4. ok, I created an L3 port on my switch and then applied the class-map to it and it worked!

    Great, thanks alot for your great blog!

    Comment by mankool — 2011-09-19 @ 11:52:42

  5. Good stuff. If you’re using policing I should mention that you can get stats with:

    # sh policy-map int <interface> [input|output [class <class>]]

    Comment by iain — 2011-09-19 @ 12:03:31

  6. Hello..

    I couldn’t make my router work with this configuration, i have a 5Mbits service and want to limit any kind of traffic to 1Mbit, it isn’t important the time nor day of the week. the policy should be active all the time. Could you please help me posting an example?

    Thanks in advance.

    Comment by joseoplmx — 2013-03-05 @ 00:28:32

RSS feed for comments on this post.

Leave a comment

You must be logged in to post a comment.

Powered by WordPress