09-07-2021 08:29 AM
Dear experts,
I'd like to rate limit some ingress traffic coming from an untrusted source to 10 Mbps.
I've an ASR1001X (16.3.7) and this is the config I'd place:
*********************
ip access-list extended ACL_10_203_231_129
 permit ip any host 10.203.231.129
!
class-map match-all CM_LIMIT_INGRESS
 match access-group name ACL_10_203_231_129
!
policy-map PM_LIMIT_INGRESS
 class CM_LIMIT_INGRESS
  police 10000000 5000000 5000000 conform-action transmit exceed-action drop violate-action drop
 class class-default
!
The PM is attached to the tunnel interface:
interface Tunnel0
 service-policy input PM_LIMIT_INGRESS
*********************
Can you please confirm:
1) I'll not drop/limit other traffic
2) ASR1001X applies rate limit in hardware and not in software (in order to avoid CPU overload)
3) Is there any way to limit pps and not only bandwidth?
Thanks in advance
Cheers
James
09-07-2021 02:44 PM
Hello,
The QoS policy looks fine; you might want to add a shaper to the default class and shape to whatever your bandwidth is:
policy-map PM_LIMIT_INGRESS
 class CM_LIMIT_INGRESS
  police 10000000 5000000 5000000 conform-action transmit exceed-action drop violate-action drop
 class class-default
  --> shape average
09-08-2021 07:43 AM - edited 09-08-2021 07:55 AM
BTW, @Georg Pauwen, shaping isn't allowed within an ingress policy, only allowed within an egress policy. (At least such used to be true.)
09-07-2021 09:48 PM
Hi
Hence I understand I will not cut different traffic, correct?
What happens if I do not apply shape average?
Is shape average the maximum link bandwidth?
Any comment on questions 2 and 3?
Thanks
09-08-2021 08:08 AM - edited 09-08-2021 08:13 AM
Hello @james_72 ,
For your question 2), I would expect that the policer is supported in hardware by the ESP module in the ASR 1000.
And yes, shaping is only supported in the outbound direction, so it does not apply to your scenario.
Q3: support for policing in pps: policing acts on packets, but the packet size counts: only if there are enough tokens in the token bucket is the packet considered conformant and transmitted; otherwise it will be dropped (with your configuration).
So policing in terms of packets per second is not supported, because the policer's objective is to respect the rate.
By allowing 50 packets/s we can have a traffic volume varying depending on packet size.
What can be done is to define the rate as a percentage of the interface bandwidth / speed (the same as speed unless the bandwidth command is configured).
Hope to help
Giuseppe
09-08-2021 07:54 AM - edited 09-08-2021 07:54 AM
Since you want to limit "untrusted", "trusted" is unlimited? If so, your policy limits all hosts sending to your defined IP to 10 Mbps.
All other destination hosts are unlimited.
#1 Yes, sort of, because your stated requirement and configuration are a bit unclear, i.e. whether the results are what you really intend.
#2 Hard to say. The ASR 1Ks have additional hardware to accelerate some features, but I don't know if it's well documented which features are so supported. In your case you have an ACL, policing and a tunnel. One or more likely have hardware support, but the combination? Also, if somewhat like the prior 7200 RP with PXF, I recall some hardware accelerated features were added in later IOS releases.
#3 Not that I'm aware. Also, such a policer would provide vastly different data rates depending on packet sizes.
09-08-2021 08:32 AM
Thanks @All
For 3), what about a pps rate limit like this?
Eg:
police rate 1000 pps conform-action transmit exceed-action drop violate-action drop
Can I use both a bandwidth limit and a pps limit in OR against the mentioned targets?
The purpose is to limit traffic to those hosts since they are subject to DOS and jeopardize all other traffic. Hope this answers your question.
Cheers
09-08-2021 09:05 AM
"The purpose is to limit traffic to those hosts since they are subject to DOS and jeopardize all other traffic. Hope this answers your question."
Well in that case, I can see where a PPS limiter would have value. It can, though, again, have an impact on actual data rates.
Was unaware of the PPS option.
Again, unaware of an "or" option to police either rate and/or PPS.
09-09-2021 10:04 AM
Hi @Joseph W. Doherty @Giuseppe Larosa
09-09-2021 12:59 PM
Hello @james_72 .
>> just tested and police rate x pps is only applicable to control plane at least in 16.3.7
This makes sense: in CoPP the packet rate is important, for example how many ARP frames per second should be processed to avoid a Denial of Service? Here putting a maximum expressed in pps is appropriate.
For user traffic, as I have written, policers look at the rate in bps, and the decision whether a new packet is conformant, exceeding or violating depends on the policer rate, the time interval between the previous packet and this packet, and the current packet size.
Hope to help
Giuseppe
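The token-bucket decision Giuseppe describes (policer rate, gap since the previous packet, packet size), run as a small added simulation with the thread's police values; this is illustration code written for this edit, not Cisco's implementation, and the single-rate, three-colour (RFC 2697) model with initially full buckets is an assumption about how the ASR policer behaves:

```python
from fractions import Fraction

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"

class SrTcmPolicer:
    """Single-rate, three-colour policer (RFC 2697 srTCM, the model behind
    'police <bps> <bc> <be>'): a conform bucket of bc bytes refilled at the
    CIR, and an exceed bucket of be bytes fed only by the conform bucket's
    overflow. Both buckets are assumed full at start."""

    def __init__(self, rate_bps, bc_bytes, be_bytes):
        self.rate = Fraction(rate_bps, 8)          # bytes per second, exact
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.te = Fraction(bc_bytes), Fraction(be_bytes)
        self.last_us = 0                           # arrival of previous packet

    def police(self, now_us, size):
        """Colour a packet of `size` bytes arriving at `now_us` microseconds:
        refill from the gap since the previous packet, then charge the packet
        to Tc, else to Te, else it violates (rate, gap and size decide)."""
        self.tc += self.rate * Fraction(now_us - self.last_us, 1_000_000)
        self.last_us = now_us
        if self.tc > self.bc:                      # overflow feeds Te
            self.te = min(Fraction(self.be), self.te + self.tc - self.bc)
            self.tc = Fraction(self.bc)
        if self.tc >= size:
            self.tc -= size
            return CONFORM
        if self.te >= size:
            self.te -= size
            return EXCEED
        return VIOLATE

def constant_stream(pps, size, seconds):
    """Constructed input: `pps` packets/s of `size` bytes, evenly spaced."""
    gap_us = 1_000_000 // pps
    return [(i * gap_us, size) for i in range(pps * seconds)]

def police_stream(policer, packets):
    """Run a packet list through the policer and count each colour."""
    counts = {CONFORM: 0, EXCEED: 0, VIOLATE: 0}
    for now_us, size in packets:
        counts[policer.police(now_us, size)] += 1
    return counts

def pps_to_bps(pps, size):
    """Volume a pps limit would admit; it scales with packet size."""
    return pps * size * 8
```

Feeding `SrTcmPolicer(10_000_000, 5_000_000, 5_000_000)` 1000 pps of 64-byte packets passes everything, while 1000 pps of 1500-byte packets (12 Mbps) starts exceeding and then violating once the 5 MB bursts are spent, which is why a bps policer admits a packet rate that depends on packet size and a pps limit admits a volume that does.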
09-09-2021 04:58 PM
"This makes sense: in CoPP the packet rate is important, for example how many ARP frames per second should be processed to avoid a Denial of Service? Here putting a maximum expressed in pps is appropriate."
Ditto, especially as PPS generally has more of an impact on CPU consumption than "volume" of data.