ACL-based Traffic Policer
An ACL-based traffic policer monitors the data rate of a particular class of traffic and drops traffic that exceeds the user-configured rate-limit and burst-limit values.
An ACL-based traffic policer defines a rate-limiting policy consisting of traffic classification using ACL rules and a policer (rate limit, burst limit and action). It can be applied to the management interface (eth0 / eth1) or to an Ethernet interface to control the packet bandwidth into or out of the interface.
ACL-based Traffic Policer Implementation
When an ACL-based traffic policer is configured on a PICA8 switch, packets are processed in the following sequence:
1. A packet enters the switch configured with ACL-based traffic policer on the ingress port.
2. PICOS performs any applicable firewall filter services on the ingress port.
3. Packets are processed by ACL-based traffic policer module and are dropped or forwarded according to each firewall filter policy.
4. The forwarded packet is sent to the switch CPU if it is destined for the switch CPU.
5. The switch CPU makes a routing or switching decision, determining whether the packet should be dropped or forwarded.
6. Packets that have destinations other than CPU are forwarded normally.
Rate-limit and Burst Applied in ACL-based Traffic Policer Function
Figure 1. RFC2697 Single-Rate Three-Color Policer Logic
The single-rate three-color policer/marker algorithm with dual buckets is used to implement the ACL-based traffic policer rate-limit and burst-limit. Unlike the standard algorithm, yellow traffic is discarded along with red traffic in order to keep the implementation simple.
Consequently, whether a packet is forwarded or discarded depends entirely on Tc, the token counter of the CBS bucket (the instantaneous number of tokens left in that bucket). Because both yellow and red traffic are discarded on PICA8 switches, the second bucket, the EBS bucket, is not used to police the traffic at all.
For example:
set firewall policer 10pps if-exceeding count-mode packet
set firewall policer 10pps if-exceeding rate-limit 10
set firewall policer 10pps if-exceeding burst-limit 5
The above configuration is equivalent to:
CIR (Committed Information Rate): 10 pps
CBS (Committed Burst Size): 5 packet
EBS (Excess Burst Size): 5 packet
10 pps is the rate-limit value; 5 packets is the burst value, that is, the size of the bucket.
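The following simulation is an added illustration (not PICOS code) of the single-bucket behaviour just described: only the CBS token counter Tc decides, because yellow and red packets are both discarded, so the EBS bucket never forwards anything. It assumes count-mode packet, so each packet costs one token, and keeps time in integer milliseconds to avoid rounding at the forward/discard boundary.

```python
# Constructed example: policer with only the CBS bucket (Tc) deciding,
# mirroring the PICA8 behaviour where yellow and red are both dropped.
# Tokens are kept in thousandths and time in milliseconds (integers only).

class PacketPolicer:
    """count-mode packet: every packet costs exactly one token."""

    def __init__(self, rate_limit_pps, burst_limit_packets):
        self.cir = rate_limit_pps                 # CIR: tokens added per second
        self.cbs = burst_limit_packets * 1000     # CBS: bucket size in milli-tokens
        self.tc = self.cbs                        # Tc starts full, as in RFC 2697
        self.last_ms = 0

    def _refill(self, now_ms):
        # One millisecond at CIR pps adds CIR milli-tokens; never exceed CBS.
        self.tc = min(self.cbs, self.tc + (now_ms - self.last_ms) * self.cir)
        self.last_ms = now_ms

    def admit(self, now_ms):
        """Return True (forward) or False (discard) for one packet arriving at now_ms."""
        self._refill(now_ms)
        if self.tc >= 1000:     # green: a committed token is available
            self.tc -= 1000
            return True
        return False            # yellow or red: both discarded on PICA8


def police(rate_limit_pps, burst_limit_packets, arrival_ms):
    """Run non-decreasing packet arrival times (ms) through the policer.
    Returns (forwarded, dropped) counts."""
    p = PacketPolicer(rate_limit_pps, burst_limit_packets)
    verdicts = [p.admit(t) for t in arrival_ms]
    return verdicts.count(True), verdicts.count(False)


if __name__ == "__main__":
    # The page's 10pps policer: rate-limit 10, burst-limit 5 (constructed arrivals).
    print(police(10, 5, [0] * 8))                       # burst of 8 at once  -> (5, 3)
    print(police(10, 5, [i * 100 for i in range(20)]))  # steady 10 pps       -> (20, 0)
    print(police(10, 5, [i * 50 for i in range(20)]))   # 20 pps for one second -> (14, 6)
```

The third case shows the committed burst draining, after which only every other packet at 20 pps finds a token.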
Interoperability with CoPP Policy
An ACL-based traffic policer applies to packets whether or not they are directed to the CPU. The CoPP policy applies only to packets directed to the CPU. The two are independent functions: you can configure either one of them, or both.
If both an ACL-based traffic policer and the CoPP policy are configured, packets directed to the CPU are processed differently in the following two cases: both policies are applied to the same management interface, or both policies are applied to the same Ethernet interface.
1. When both the ACL-based traffic policer and the CoPP policy are applied to the same management interface.
In this case, the ACL-based traffic policer and the CoPP policy are in the same rule list, in which the rules are ordered by firewall filter name (for example, a firewall filter named “a_filter” is placed in front of “b_filter”; the firewall filter name of the CoPP policy is fixed to “copp”). Packets are matched against the rules in ascending order.
When the configured ACL-based traffic policer conflicts with the CoPP policy, the first matched policy takes effect and the other does not. Therefore, it is recommended not to configure an ACL-based traffic policer that conflicts with the CoPP policy.
Figure 2. ACL-based traffic policer rules and CoPP policy rules are put in the same rule list
2. When both the ACL-based traffic policer and the CoPP policy are applied to the same Ethernet interface.
For packets directed to the CPU, the packet is processed by the ACL-based traffic policer module first and then by the CoPP policy module.
Figure 3. ACL-based traffic policer and CoPP policy are performed one by one
Configuring ACL-based Traffic Policer
Step1 Configure ACL-based traffic policer rate-limit and burst-limit.
set firewall policer <policer-name> if-exceeding count-mode <count-mode>
set firewall policer <policer-name> if-exceeding rate-limit <value>
set firewall policer <policer-name> if-exceeding burst-limit <value>
Step2 Configure ACL-based traffic policer action as discard. The default action is discard if not configured.
set firewall policer <policer-name> then action discard
Step3 Configure firewall filter match condition and the policer for packets matching a filter sequence.
set firewall filter <filter-name> sequence <sequence-number> from <match-conditions>
set firewall filter <filter-name> sequence <sequence-number> then policer <policer-name>
set firewall filter <filter-name> sequence <sequence-number> then action {discard | forward}
Step4 Configure firewall filter applied to an Ethernet interface or a Layer 3 VLAN interface in the inbound or outbound direction.
set firewall filter <filter-name> input interface <interface-name>
set firewall filter <filter-name> output interface <interface-name>
set firewall filter <filter-name> input vlan-interface <vlan-interface-name>
set firewall filter <filter-name> output vlan-interface <vlan-interface-name>
Configuration Example
The following example configures an ACL-based traffic policer for ICMP packets and applies it to the management port eth1.
Step1 Configure ACL-based traffic policer rate-limit and burst-limit.
admin@Switch# set firewall policer 100pps if-exceeding count-mode packet
admin@Switch# set firewall policer 100pps if-exceeding rate-limit 100
admin@Switch# set firewall policer 100pps if-exceeding burst-limit 5
admin@Switch# set firewall policer 100pps then action discard
Step2 Configure the firewall filter match condition and attach the policer to the filter action.
admin@Switch# set firewall filter f1 sequence 1 from protocol icmp
admin@Switch# set firewall filter f1 sequence 1 then policer 100pps
admin@Switch# set firewall filter f1 sequence 1 then action forward
Step3 Apply the firewall filter to the management interface eth1.
admin@Switch# set firewall filter f1 input interface eth1
Step4 Commit the configuration.
admin@Switch# commit
Step5 Check the configuration with the run show policer command.
admin@Switch# run show policer
policer      rate limit burst limit count mode action
------------ ---------- ---------- ---------- ----------
100pps       100        5          packet     discard
Copyright © 2024 Pica8 Inc. All Rights Reserved.