ASR1001X policer

james_72
Level 1

Dear experts,

I'd like to rate limit some ingress traffic coming from untrusted source to 10Mbs.

I've an ASR1001X (16.3.7) and this is the config I'd place:

*********************
ip access-list extended ACL_10_203_231_129
permit ip any host 10.203.231.129


class-map match-all CM_LIMIT_INGRESS
match access-group name ACL_10_203_231_129


policy-map PM_LIMIT_INGRESS
class CM_LIMIT_INGRESS
police 10000000 5000000 5000000 conform-action transmit exceed-action drop violate-action drop
class class-default

The PM is attached to tunnel interface:

TUNNEL0
service-policy input PM_LIMIT_INGRESS

*********************

Can you please confirm:

1) I'll not drop/limit other traffic
2) ASR1001X applies rate limit in hardware and not in software (in order to avoid CPU overload)
3) is there any mode to limit pps and not only bandwidth

Thanks in advance
Cheers

James

10 Replies

Hello,

the QoS policy looks fine, you might want to add a shaper to the default class and shape whatever your bandwidth is:

policy-map PM_LIMIT_INGRESS
class CM_LIMIT_INGRESS
police 10000000 5000000 5000000 conform-action transmit exceed-action drop violate-action drop
class class-default
--> shape average

BTW, @Georg Pauwen, shaping isn't allowed within an ingress policy, only allowed within an egress policy.  (At least such used to be true.)

james_72
Level 1

Hi

Hence I understand I will not cut different traffic, correct?

What happens if I do not apply shape average? 

Is shape average the maximum link bandwidth?

Any comment on questions 2 and 3?

Thanks

Hello @james_72 ,

for your question 2) I would expect that the policer is supported in hardware by the ESP module in the ASR 1000.

And yes, shaping is only supported in the outbound direction, so it does not apply to your scenario.

Q3: support for policing in pps: policing acts on packets, but the packet size counts: only if there are enough tokens in the token bucket is the packet considered conformant and transmitted; otherwise it will be dropped (with your configuration).

So policing in terms of packets per second is not supported, because the policer objective is to respect the rate.

By allowing 50 packets / s we can have a traffic volume varying depending on packet size.

What can be done is to define the rate as a percentage of the interface bandwidth / speed.

(same as speed unless the bandwidth command is configured)

Hope to help

Giuseppe

Joseph W. Doherty
Hall of Fame

Since you want to limit "untrusted", "trusted" is unlimited?  If so, your policy limits all hosts sending to your defined IP to 10 Mbps.

All other destination hosts are unlimited.

#1 Yes, sort of, because your stated requirement and configuration are a bit unclear, i.e. whether the results are what you really intend.

#2 Hard to say.  The ASR 1Ks have additional hardware to accelerate some features, but I don't know if it's well documented which features are so supported.  In your case you have an ACL, policing and a tunnel.  One or more likely have hardware support, but the combination?  Also, if somewhat like the prior 7200 RP with PXF, I recall some hardware accelerated features were added in later IOS releases.

#3 Not that I'm aware.  Also, such a policer would provide vastly different data rates depending on packet sizes.

Thanks @All

For 3) what about pps rate limit like this?

Eg:

police rate 1000 pps conform-action transmit exceed-action drop violate-action drop

Can I use both bandwidth limit and pps limit in OR against the mentioned targets?

@joseph

The purpose is to limit traffic to those hosts since they are subject to DOS and jeopardize all other traffic. Hope this answers your question.

Cheers

"The purpose is to limit traffic to those hosts since they are subject to DOS and jeopardize all other traffic. Hope this answers your question."

Well, in that case I can see where a PPS limiter would have value.  It can, though, again, have an impact on actual data rates.

Was unaware of the PPS option.

Again, unaware of an "or" option to police on both rate and/or PPS.

Hi @Joseph W. Doherty @Giuseppe Larosa 

just tested, and police rate x pps is only applicable to the control plane, at least in 16.3.7

Cheers

Hello @james_72 .

>> just tested, and police rate x pps is only applicable to the control plane, at least in 16.3.7

This makes sense: in CoPP the packet rate is important, for example how many ARP frames per second should be processed to avoid a denial of service? Here putting a maximum expressed in pps is appropriate.

For user traffic, as I have written, policers look at the rate in bps, and the decision whether a new packet is conformant, exceeding or violating depends on the policer rate, the time interval between the previous packet and this packet, and the current packet size.

Hope to help

Giuseppe
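To make the bps-versus-pps distinction from Giuseppe's two replies concrete, here is an added token-bucket simulation (my own example code, not from the thread or from Cisco). It uses the CIR and Bc from james_72's police line; the packet sizes, arrival rates and the pps policer's CIR/burst are constructed sample values, and packets are assumed to arrive at a fixed interval.

```python
from fractions import Fraction

# Added example, not from the thread: a single-rate token-bucket policer as
# Giuseppe describes it. The bucket refills by cir/8 bytes per second up to
# bc bytes, and a packet conforms only if the bucket holds at least its size.
# CIR and Bc come from james_72's 'police 10000000 5000000 ...' line; since
# exceed-action and violate-action are both 'drop', only conform/exceed is
# tracked. Fixed inter-packet interval is an assumption of this model.

def police_bps(pkt_sizes, pps, cir_bps=10_000_000, bc_bytes=5_000_000):
    """Return (conform, exceed) counts for pkt_sizes arriving at pps packets/s."""
    refill = Fraction(cir_bps, 8 * pps)   # bytes credited per inter-packet gap
    tokens = Fraction(bc_bytes)           # bucket starts full (exact arithmetic)
    conform = exceed = 0
    for size in pkt_sizes:
        tokens = min(Fraction(bc_bytes), tokens + refill)
        if tokens >= size:
            tokens -= size
            conform += 1
        else:
            exceed += 1                   # exceed-action drop
    return conform, exceed


def police_pps(n_packets, pps, cir_pps, bc_packets):
    """Same bucket, but counted in packets ('police rate N pps' semantics)."""
    refill = Fraction(cir_pps, pps)
    tokens = Fraction(bc_packets)
    conform = exceed = 0
    for _ in range(n_packets):
        tokens = min(Fraction(bc_packets), tokens + refill)
        if tokens >= 1:
            tokens -= 1
            conform += 1
        else:
            exceed += 1
    return conform, exceed


def admitted_bps(size, pps, seconds=30):
    """Offered and admitted bit rates for a stream of equal-sized packets."""
    conform, _ = police_bps([size] * (pps * seconds), pps)
    return pps * size * 8, conform * size * 8 // seconds


if __name__ == "__main__":
    for size in (64, 1500):   # 1000 pps of small vs. large packets (constructed)
        print(size, admitted_bps(size, 1000))
    # A pps policer admits the same packet count whatever the packet size:
    print(police_pps(30_000, 1000, cir_pps=500, bc_packets=100))
```

At 1000 pps the 64-byte stream (0.5 Mbps) is never dropped while the 1500-byte stream (12 Mbps) starts losing packets once the 5 MB burst allowance drains; the pps policer passes a fixed packet count regardless of size, which is why the two limits imply very different byte rates.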

 

"This makes sense: in CoPP the packet rate is important, for example how many ARP frames per second should be processed to avoid a denial of service? Here putting a maximum expressed in pps is appropriate."

Ditto, especially as PPS generally has more of an impact on CPU consumption than "volume" of data.
