IronClad Rate Limiting
December 2000 14 - 19
• 4 – flash override precedence
• 5 – critical precedence
• 6 – internetwork control precedence
• 7 – network control precedence
• set-prec-continue <new-prec> – Set the IP precedence to one of the values listed above, then evaluate the
traffic based on the next rate policy.
• drop – Drop the packet.
• continue – Evaluate the traffic based on the next rate policy.
The exceed-action <action> parameter specifies the action you want the device to perform for traffic that matches
the rule but exceeds the <normal-burst-size> within a given Committed Time Interval. You can specify one of the
actions listed above.
Complete CLI Examples
This section lists and explains the CLI commands for implementing the Adaptive Rate Limiting applications in
“Examples of Adaptive Rate Limiting Applications” on page 14-6.
Commands for “Adaptive Rate Policies For an Uplink”
To configure the Adaptive Rate Limiting application described in “Adaptive Rate Policies For an Uplink” on
page 14-6, enter the following commands.
The first three commands configure extended ACLs to characterize the traffic. ACL 101 is for all web traffic. ACL
102 is for all FTP traffic. ACL 102 is for all DNS traffic. Each of the ACLs matches on any source and destination
IP address.
NetIron(config)# access-list 101 permit tcp any any eq http
NetIron(config)# access-list 102 permit tcp any any eq ftp
NetIron(config)# access-list 103 permit udp any any eq dns
The following command changes the CLI to the configuration level for port 25. If the port is the primary port in a
trunk group, the rate policy configuration applies to all ports in the trunk group. In this case, port 25 is the primary
port in a trunk group that also contains port 26.
NetIron(config)# interface ethernet 25
The following command configures a rate limit rule that uses ACL 101.
NetIron(config-if-e1000-25)# rate-limit input access-group 101 10000000 125000
187500 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
The rule compares all inbound packets on the trunk group to ACL 101. For packets that match the ACL, the rule
either sets the IP precedence to 5 (critical) and then sends the packet, or sets the IP precedence to 0 (routine) and
sends the packet. The rule sets the precedence to 5 for all packets received up to the maximum Normal Burst
Size, 125000 bytes. Once the interface receives this many bytes in the inbound direction that match ACL 101, the
device sets the precedence for the next 62500 bytes to the value associated with the Excess Burst Size.
The burst size counters increment for the duration of the Committed Time Interval, then change back to zero for
the next Committed Time Interval. The length of the Committed Time Interval is determined by the ratio of the
Average Rate to the Normal Burst Size. In this case, the ratio is 10:1, so the Committed Time Interval is 1/10th
second long. The counter for the Normal Burst Size accumulates packets for 1/10th second, then returns to zero.
The counter for the Excess Burst Size accumulates packets for 2/10ths second, then returns to zero.
The following command configures a rate limit rule that uses ACL 102. This rule also applies to inbound traffic.
The action for packets that exceed the Normal Burst Size is different from the action in the rule above. The rule
above sets the precedence to 0 in packets received after the maximum number of conforming packets (the
number represented by the Normal Burst Size) is received within the Committed Time Interval.
The following rule drops packets received after the maximum number of conforming packets have been received.
To Next Page
Loading...
Need help?
General
