Rate-limiting File Downloads

Rate limiting is useful if the connection between the Control Center and the appliance has low bandwidth and you do not want file transfers to saturate the link during an archive or configuration update.

By default, there is no rate limiting on the Control Center. File transfers will use as much bandwidth as possible.

Before starting, compile a list of IP addresses that you want to rate limit.

This feature uses the rate_limit.sh script found in /home/emsadmin on the Control Center.

1) Log in to the Control Center as emsadmin and become root. Use emsadmin's password when prompted.

# ssh emsadmin@172.30.161.26
password: 
[emsadmin@ems26 ~] sudo su -
password:  

2) Edit the rate_limit.sh script.

[root@ems26 ~] cd /home/emsadmin
[root@ems26 emsadmin] vi rate_limit.sh

Here are the important lines:

DOWNLOAD=32Kbit

Adjust for your desired speed.

DWEIGHT=3.2Kbit

This value should always be 1/10th of the DOWNLOAD value.

limit 172.30.4.226

Near the bottom of the script is a space to add limit statements. Use the format shown above: limit followed by the IP address.

4) Run the rate_limit.sh script.

[root@ems18 emsadmin]# ./rate_limit.sh 

Clearing out existing traffic filters

Rate limiting envoy 172.30.4.226 at 32Kbit

Showing iptables
# Generated by iptables-save v1.2.11 on Mon Feb 14 19:53:12 2011
*mangle
:PREROUTING ACCEPT [1005105:553850938]
:INPUT ACCEPT [1005105:553850938]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [866226:234181039]
:POSTROUTING ACCEPT [866226:234181039]
-A OUTPUT -d 172.30.4.226 -j MARK --set-mark 0x1 
COMMIT
# Completed on Mon Feb 14 19:53:12 2011
# Generated by iptables-save v1.2.11 on Mon Feb 14 19:53:12 2011
*filter
:INPUT ACCEPT [3424412:1202814295]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2602632:512503376]
-A INPUT -i lo -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT 
-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j DROP 
-A INPUT -p tcp -m tcp --dport 7 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p udp -m udp --dport 123 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -i eth1 -p tcp -m tcp --dport 40001 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -i eth1 -p udp -m udp --dport 4446 -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP 
-A OUTPUT -o lo -j ACCEPT 
COMMIT
# Completed on Mon Feb 14 19:53:12 2011

Showing traffic settings
class cbq 1: root rate 1000Mbit (bounded,isolated) prio no-transmit
 Sent 5600 bytes 40 pkts (dropped 0, overlimits 0 requeues 0) 
  borrowed 0 overactions 0 avgidle 8 undertime 0
class cbq 1:1 parent 1: rate 32Kbit (bounded) prio 1
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0) 
  borrowed 0 overactions 0 avgidle 0 undertime 0

Your Control Center is now configured to rate limit the specified IP addresses.

For example, an SCP transfer before and after limiting:

dverastiqui@support:~$ scp rmos4.0.bin emsadmin@172.30.161.26:.
emsadmin@172.30.161.26's password: 
rmos4.0.bin                                                                                       100%  178MB  11.1MB/s   00:16    
dverastiqui@support:~$ scp rmos4.0.bin emsadmin@172.30.161.26:.
emsadmin@172.30.161.26's password: 
rmos4.0.bin                                                                                       100%  178MB 167.3KB/s   18:09    
dverastiqui@support:~$
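
The script output above shows the mechanism: each limited address is marked in the iptables mangle OUTPUT chain, and marked packets are steered into a bounded cbq class at the DOWNLOAD rate. The following is an added example, not the contents of rate_limit.sh (which this page does not show): a dry-run planner that checks DOWNLOAD, DWEIGHT and each limit address, then prints equivalent tc and iptables commands. The interface name eth0, the 1: and 1:1 handles, the mark value and the function names are assumptions.

```shell
#!/bin/sh
# Added example: dry-run planner. It prints commands and changes nothing.
# Assumptions: DEV, the 1: / 1:1 handles and all function names are
# illustrative; the real rate_limit.sh is not shown on the page.
DEV=${DEV:-eth0}        # assumed egress interface
LINK=${LINK:-1000Mbit}  # root class rate seen in the page's tc output

# to_bits RATE: print bits per second for 32Kbit, 3.2Kbit, 1Mbit, 800bit
to_bits() {
    awk -v r="$1" 'BEGIN {
        if (match(r, /^[0-9]+(\.[0-9]+)?/) == 0) exit 1
        n = substr(r, 1, RLENGTH); u = substr(r, RLENGTH + 1)
        if (u == "Kbit") m = 1000
        else if (u == "Mbit") m = 1000000
        else if (u == "bit") m = 1
        else exit 1
        printf "%d\n", n * m + 0.5
    }'
}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so
# nothing else from a limit line can reach a command that runs as root
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NR > 1 || NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# plan DOWNLOAD DWEIGHT IP...: validate, then print the tc/iptables commands
plan() {
    [ "$#" -ge 3 ] || { echo "usage: plan DOWNLOAD DWEIGHT IP..." >&2; return 1; }
    dl=$1; dw=$2; shift 2
    d=$(to_bits "$dl") && w=$(to_bits "$dw") ||
        { echo "bad rate: $dl / $dw" >&2; return 1; }
    [ $((w * 10)) -eq "$d" ] ||
        { echo "DWEIGHT ($dw) is not 1/10 of DOWNLOAD ($dl)" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo "tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth $LINK"
    echo "tc class add dev $DEV parent 1: classid 1:1 cbq rate $dl weight $dw allot 1514 prio 1 avpkt 1000 bounded"
    echo "tc filter add dev $DEV parent 1: protocol ip handle 1 fw flowid 1:1"
    for ip in "$@"; do   # mark value 1 matches the fw filter handle above
        echo "iptables -t mangle -A OUTPUT -d $ip -j MARK --set-mark 1"
    done
}

plan 32Kbit 3.2Kbit 172.30.4.226   # values taken from the page
```

Because nothing is executed, the planner can be run as an unprivileged user to review a change before the real script is run as root.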