Cisconinja’s Blog

Rate-limit ACLs

Posted by Andy on February 16, 2009

In this post we will examine how rate-limit ACLs work with CAR.  The topology and method of generating traffic will be the same as I used for testing WFQ.  The topology and initial configurations are shown below:

[Image: car-acl-topology]

R1:
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 load-interval 30
 speed 100
 full-duplex
 no keepalive
 no mop enabled
!
interface Serial0/0
 ip address 10.1.12.1 255.255.255.0
 load-interval 30
 no keepalive
!
no cdp run

R2:
interface Serial0/0
 ip address 10.1.12.2 255.255.255.0
 load-interval 30
 no keepalive
!
no cdp run

The point of this example will be to examine how rate-limit ACLs work, and in particular the mask feature, so we will need traffic with various IP precedence values.  This particular traffic generator does not allow ToS byte values to be specified, so we will mark the traffic inbound on R1 F0/0.  We will generate 8 different traffic streams to ports 1000 – 1007, and each type of traffic will be marked with IPP X, where X is the last digit in the port number.  With an interpacket delay of 125 ms and packet size of 1500 bytes, this will give us 96 kbps of each IPP value (1500 * 8 * 8).  R2 will be configured to measure incoming traffic.  Let’s configure and verify this before setting up the rate-limit ACL:

R1:
access-list 100 permit udp any any eq 1000
access-list 101 permit udp any any eq 1001
access-list 102 permit udp any any eq 1002
access-list 103 permit udp any any eq 1003
access-list 104 permit udp any any eq 1004
access-list 105 permit udp any any eq 1005
access-list 106 permit udp any any eq 1006
access-list 107 permit udp any any eq 1007
!
class-map match-all Prec0
 match access-group 100
class-map match-all Prec1
 match access-group 101
class-map match-all Prec2
 match access-group 102
class-map match-all Prec3
 match access-group 103
class-map match-all Prec4
 match access-group 104
class-map match-all Prec5
 match access-group 105
class-map match-all Prec6
 match access-group 106
class-map match-all Prec7
 match access-group 107
!
policy-map Marker
 class Prec0
  set precedence 0
 class Prec1
  set precedence 1
 class Prec2
  set precedence 2
 class Prec3
  set precedence 3
 class Prec4
  set precedence 4
 class Prec5
  set precedence 5
 class Prec6
  set precedence 6
 class Prec7
  set precedence 7
!
interface FastEthernet0/0
 service-policy input Marker

R2:
class-map match-all Prec0
 match precedence 0
class-map match-all Prec1
 match precedence 1
class-map match-all Prec2
 match precedence 2
class-map match-all Prec3
 match precedence 3
class-map match-all Prec4
 match precedence 4
class-map match-all Prec5
 match precedence 5
class-map match-all Prec6
 match precedence 6
class-map match-all Prec7
 match precedence 7
!
policy-map Traffic-Meter
 class Prec0
 class Prec1
 class Prec2
 class Prec3
 class Prec4
 class Prec5
 class Prec6
 class Prec7
!
interface Serial0/0
 service-policy input Traffic-Meter

flood.pl --port=1000 --size=1496 --delay=125 10.1.12.2
flood.pl --port=1001 --size=1496 --delay=125 10.1.12.2
flood.pl --port=1002 --size=1496 --delay=125 10.1.12.2
flood.pl --port=1003 --size=1496 --delay=125 10.1.12.2
flood.pl --port=1004 --size=1496 --delay=125 10.1.12.2
flood.pl --port=1005 --size=1496 --delay=125 10.1.12.2
flood.pl --port=1006 --size=1496 --delay=125 10.1.12.2
flood.pl --port=1007 --size=1496 --delay=125 10.1.12.2

[Image: car-acl-1-r1f0]

[Image: car-acl-1-r1s0]

[Image: car-acl-1-r2s0]

[Image: car-acl-1-r1pmap]

[Image: car-acl-1-r2pmap]

We can see that the input rate on R1 F0/0, the output rate on R1 S0/0, and the input rate on R2 S0/0 roughly match the combined bandwidth of the 8 traffic streams.  We can also see that the traffic is being marked with the IPP values we specified on R1 and that R2 is receiving approximately 96 kbps of each type.  Now we can move on to configuring the rate-limit ACL.

Rate-limit ACLs, when used with the mask option, allow a 1-byte mask value to be entered.  Each bit position in the mask corresponds to an IPP value (MPLS EXP values work the same way), with IPP 7 being the leftmost bit and IPP 0 the rightmost bit.  The values that should be matched are set to 1 in their respective positions and the resulting mask is entered as a hexadecimal value.  Let’s say that we want to limit all IPP 0-4 traffic to a combined rate of 128 kbps.  The mask to match these values will be 00011111, which is hexadecimal 0x1F.  The configuration for this is:

R1:
access-list rate-limit 0 mask 1F
!
interface Serial0/0
 rate-limit output access-group rate-limit 0 128000 8000 8000 conform-action transmit exceed-action drop
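The mask arithmetic described above, as an added example that is not part of the original post: it builds the one-byte mask from a set of IPP values, renders the corresponding access-list rate-limit line, decodes a mask back into the IPP values it selects, and checks whether a packet with a given ToS byte would be selected (IP precedence is the top three bits of the ToS byte). The function names are my own.

```python
# Added example (not from the original post): building and decoding the 1-byte
# mask used by "access-list rate-limit <n> mask <hex>", and testing a packet's
# IP precedence against it. Bit i of the mask corresponds to IPP i, so bit 0
# (rightmost) is IPP 0 and bit 7 (leftmost) is IPP 7.

def ipp_mask(precedences):
    """Return the 8-bit mask that selects the given IP precedence values (0-7)."""
    mask = 0
    for p in precedences:
        if not 0 <= p <= 7:
            raise ValueError(f"IP precedence must be 0-7, got {p}")
        mask |= 1 << p
    return mask

def mask_to_precedences(mask):
    """Inverse of ipp_mask: the sorted list of IPP values a mask selects."""
    if not 0 <= mask <= 0xFF:
        raise ValueError("a rate-limit ACL mask is a single byte")
    return [p for p in range(8) if mask & (1 << p)]

def rate_limit_acl(number, precedences):
    """Render the IOS line for a rate-limit ACL matching these IPP values."""
    return f"access-list rate-limit {number} mask {ipp_mask(precedences):02X}"

def precedence_of_tos(tos):
    """IP precedence is the top three bits of the ToS byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    return (tos >> 5) & 0x7

def matches(mask, tos):
    """True if a packet carrying this ToS byte is selected by the mask."""
    return bool(mask & (1 << precedence_of_tos(tos)))

if __name__ == "__main__":
    # The post's case: IPP 0-4 -> 00011111 -> 0x1F
    line = rate_limit_acl(0, range(0, 5))
    print(line)
    print(format(ipp_mask(range(0, 5)), "08b"), "selects", mask_to_precedences(0x1F))
    # Constructed ToS bytes: precedence 0, 4, 5 and 7
    for tos in (0x00, 0x80, 0xA0, 0xE0):
        print(f"tos=0x{tos:02X} ipp={precedence_of_tos(tos)} policed={matches(0x1F, tos)}")
```

Decoding the mask is worth keeping around: a misplaced bit (for example 0xF1 instead of 0x1F) silently polices IPP 0 and 4-7 rather than IPP 0-4, and the verification on R2 is the only place that would show it.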

On R1, we can see that policing is taking place:

[Image: car-acl-2-r1car1]

On R2, we can verify the amount of each IP Precedence value received:

[Image: car-acl-2-r2pmap]

The combined 30 second offered rates for IPP values 0-4 equal roughly 128 kbps, while the other IPP values continued to send 96 kbps each.  This verifies that we have used the mask value correctly.
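To see why the IPP 0-4 total settles near 128 kbps while IPP 5-7 are untouched, here is an added example (my own code, not from the original post or from IOS) that replays the post's traffic through a simplified single token-bucket model of the rate-limit command above: 128000 bps, an 8000-byte bucket, drop on exceed, applied only to packets selected by mask 0x1F. The traffic is constructed to match the post (8 streams, one 1500-byte packet per stream every 125 ms for 30 seconds). This is not CAR's exact algorithm (CAR adds extended-burst and debt accounting), though with normal burst equal to extended burst the behaviour is close; which of the policed streams get the conforming packets depends on arrival order, which the model fixes as IPP 0 first within each interval.

```python
# Added example (not from the original post): a simplified token-bucket model of
# "rate-limit output access-group rate-limit 0 128000 8000 8000
#  conform-action transmit exceed-action drop" with mask 0x1F (IPP 0-4).
# It is an approximation of CAR, not IOS's implementation.

from collections import defaultdict

MASK_IPP_0_TO_4 = 0x1F   # from "access-list rate-limit 0 mask 1F"
RATE_BPS = 128000        # conform rate in the rate-limit command
BURST_BYTES = 8000       # normal burst in the rate-limit command

def build_streams(duration_ms=30000, interval_ms=125, size=1500):
    """Constructed traffic matching the post: 8 streams, one per IPP value,
    each sending one 1500-byte packet every 125 ms (96 kbps per stream)."""
    packets = []
    for t_ms in range(0, duration_ms, interval_ms):
        for ipp in range(8):
            packets.append((t_ms, ipp, size))   # (arrival time, precedence, bytes)
    return packets

def police(packets, mask=MASK_IPP_0_TO_4, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Run packets (sorted by arrival time) through one token bucket shared by
    every packet the mask selects. Returns (bytes_sent, bytes_dropped) per IPP."""
    tokens = burst_bytes                 # the bucket starts full
    last_ms = packets[0][0] if packets else 0
    sent, dropped = defaultdict(int), defaultdict(int)
    for t_ms, ipp, size in packets:
        # refill for the time elapsed since the previous packet, capped at the burst
        # (rate_bps * ms / 8000 gives bytes; all values here divide exactly)
        tokens = min(burst_bytes, tokens + rate_bps * (t_ms - last_ms) // 8000)
        last_ms = t_ms
        if not mask & (1 << ipp):
            sent[ipp] += size            # not selected by the rate-limit ACL: never policed
        elif size <= tokens:
            tokens -= size
            sent[ipp] += size            # conform-action transmit
        else:
            dropped[ipp] += size         # exceed-action drop
    return dict(sent), dict(dropped)

def rate_kbps(byte_count, duration_ms=30000):
    """Average rate over the run, in kbps (bytes * 8 bits / ms == kbps)."""
    return byte_count * 8 / duration_ms

def policed_total_kbps(sent, mask=MASK_IPP_0_TO_4, duration_ms=30000):
    """Combined rate of the streams the mask selects."""
    return rate_kbps(sum(b for ipp, b in sent.items() if mask & (1 << ipp)), duration_ms)

if __name__ == "__main__":
    sent, dropped = police(build_streams())
    for ipp in range(8):
        print(f"IPP {ipp}: {rate_kbps(sent.get(ipp, 0)):6.1f} kbps sent, "
              f"{rate_kbps(dropped.get(ipp, 0)):6.1f} kbps dropped")
    print(f"IPP 0-4 combined: {policed_total_kbps(sent):.1f} kbps")
```

The combined IPP 0-4 rate comes out at 129.6 kbps: 128 kbps from the refill plus the 8000-byte initial burst spread over the 30-second window, which is the same "roughly 128 kbps" the R2 policy-map counters show. IPP 5-7 stay at 96 kbps each because the mask never selects them, so they never touch the bucket.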
