ACL-based Traffic Policer

Owned by Tracy Yang
May 24, 2024
5 min read

ACL-based traffic policer provides the ability to monitor the data rates for a particular class of traffic, and drops the traffic that exceed the user-configured rate-limit and burst limit values.

ACL-based traffic policer defines a rate limiting policy including traffic classification using ACL rules and policer (rate limit, burst limit and action) which can be applied to the management interface(eth0 / eth1) or an Ethernet interface to control the packet bandwidth in or out of the interface.

ACL-based Traffic Policer Implementation

When configured the ACL-based traffic policer on PICA8 switch, the sequence of packets processing is as follows:

1.    A packet enters the switch configured with ACL-based traffic policer on the ingress port.

2.    PICOS performs any applicable firewall filter services on the ingress port.

3.    Packets are processed by ACL-based traffic policer module and are dropped or forwarded according to each firewall filter policy.

4.   The forwarded packet is sent to the switch CPU if it is destined for the switch CPU.

5.    The switch CPU makes a routing or switching decision, determining whether the packet is should be dropped or forwarded.

6.    Packets that have destinations other than CPU are forwarded normally.

Rate-limit and Burst Applied in ACL-based Traffic Policer Function

Figure 1. RFC2697 Single-Rate Three-Color Policer Logic

The single-rate three-color policer/marker algorithm with dual buckets is used to implement ACL- based traffic policer rate-limit and burst-limit. Unlike the standard algorithm, the yellow traffic will be discarded as well as red traffic in order to make the implementation simple enough.

Additionally, the action to be applied to a packet, forward or discard, totally depends on the Tc, the token counter of CBS, the instantaneous number of tokens left in the CBS bucket because both yellow and red traffic will be discarded for PICA8 switch, which means the second bucket - EBS bucket - is not used to police the traffic at all. 

For example:  

set firewall policer 10pps if-exceeding count-mode packet

set firewall policer 10pps if-exceeding rate-limit 10

set firewall policer 10pps if-exceeding burst-limit 5

The above configuration is equal to below :

CIR (Committed Information Rate): 10 pps

CBS (Committed Burst Size): 5 packet

EBS (Excess Burst Size): 5 packet

10 pps is rate-limit value, 5 packet is burst value, the size of the bucket.

Interoperability with CoPP Policy

ACL-based traffic policer can take effect on packets that are both directed and non-directed to the CPU. The CoPP policy takes effect only on the packets directed to the CPU. These are independent functions. You can configure only one of them, or both of them.

If both ACL-based traffic policer and the COPP policy are configured, for the packets directed to the CPU, the system processing is different in the following two cases: both the policies are applied to the same management interface or both the policies are applied to the same Ethernet interface.

1.     When both ACL-based traffic policer and COPP policy are applied to the same management interface.

In this case, the ACL-based traffic policer and the CoPP policy are in the same rule list in which the rules are ordered by the firewall filter name (for example, firewall filter with name “a_filter” is in front of “b_filter”. Firewall filter name of CoPP policy is fixed to “copp” ). The packets are matched against the rules in the ascending order.

When the configured ACL-based traffic policer conflicts with the CoPP policy, first matched policy takes effect and the other policy will not take effect. Therefore, it is recommended not to configure conflicted ACL-based traffic policer with the CoPP policy.

Figure 2. ACL-based traffic policer rules and CoPP policy rules are put in the same rule list


2.     When both ACL-based traffic policer and COPP policy are applied to the same Ethernet interface.

For the packets directed to the CPU, the packet is processed by the ACL-based traffic policer module first, and then is processed by the COPP policy module.

Figure 3. ACL-based traffic policer and CoPP policy are performed one by one

Configuring ACL-based Traffic Policer

NOTE:

  • The filter can be configured on one or several interfaces in the inbound and outbound directions. However, a single filter can be configured either in the inbound direction or outbound direction at any given time.
  • One policer can be applied to one filter. We can configure one policer on one or several sequences of a filter.
  • Multiple sequences of the same filter share the rate limit and burst-limit of the policer. That is, when you configure the same policer to multiple sequences of the same filter, the packets matching the sequence condition of the filter can share the bandwidth rate limit and burst-limit of the policer, following the order in which the traffic arrives.

Step1         Configure ACL-based traffic policer rate-limit and burst-limit.

   set firewall policer <policer-name> if-exceeding count-mode <count-mode>

   set firewall policer <policer-name> if-exceeding rate-limit <value>

   set firewall policer <policer-name> if-exceeding burst-limit <value>

Step2         Configure ACL-based traffic policer action as discard. The default action is discard if not configured.

   set firewall policer <policer-name> then action discard

Step3         Configure firewall filter match condition and the policer for packets matching a filter sequence.

   set firewall filter <filter-name> sequence <sequence-number> from <match-conditions>

   set firewall filter <filter-name> sequence <sequence-number> then policer <policer-name>
   set firewall filter <filter-name> sequence <sequence-number> then action {discard | forward}

Step4         Configure firewall filter applied to an Ethernet interface or a Layer 3 VLAN interface in the inbound or outbound direction.

   set firewall filter <filer-name> input interface <interface-name>

   set firewall filter <filter-name> output interface <interface-name>

   set firewall filter <filter-name> input vlan-interface <vlan-interface-name>

   set firewall filter <filter-name> output vlan-interface <vlan-interface-name>

Configuration Example

The following example configures ACL-based traffic policer for ICMP protocol packets and applies to the management port Eth1.

Step1         Configure ACL-based traffic policer rate-limit and burst-limit.

admin@Switch# set firewall policer 100pps if-exceeding count-mode packet
admin@Switch# set firewall policer 100pps if-exceeding rate-limit 100
admin@Switch# set firewall policer 100pps if-exceeding burst-limit 5
admin@Switch# set firewall policer 100pps then action discard

Step2         Configure firewall filter match and applied policer to firewall filter action.

admin@Switch# set firewall filter f1 sequence 1 from protocol icmp
admin@Switch# set firewall filter f1 sequence 1 then policer 100pps
admin@Switch# set firewall filter f1 sequence 1 then action forward

Step3         Configure firewall filter applied to the management interface eth1.

admin@Switch# set firewall filter f1 input interface eth1

Step4         Commit the configuration.

admin@Switch# commit

Step5         Run run show policer command to check the configuration.

admin@Switch# run show policer
policer     rate limit   burst limit   count mode   action 
------------   ----------    ----------     ----------    ----------
100pps         100          5             packet         discard

Copyright © 2024 Pica8 Inc. All Rights Reserved.