FAQs

SecureStack Rate Limiting not Functioning as Expected for Untagged Traffic

    Posted 11-26-2013 18:10
    Article ID: 7177

    Products
    Matrix C2
    SecureStack C2
    Firmware 3.03.38 and lower
    SecureStack B2
    Firmware 3.00.18 and lower
    NetSight Policy Manager
    Version 2.0.1 and lower

    Protocols/Features
    Rate limiting
    802.1Q
    Policy
    UPN

    Symptoms
    Rate limiting not functioning for untagged traffic
    'set port ratelimit'

    Cause
    802.1Q-VLAN-tagged traffic can be rate limited according to its priority association based on policy.

    Untagged traffic, on the other hand, cannot be rate limited according to its priority association based on policy or ingress port priority. This is because priority-based (port) rate limiters are applied by hardware prior to packet classification. As a result, all non-priority-tagged traffic has the limiter associated with the default queue (queue 0) applied, even if the packet is later classified to a new priority level. If, however, a rate limit is created for priority 0, untagged traffic of all priorities (0-7) will be rate limited.
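
    The ordering described above, modeled as an added example (not Enterasys code or device configuration). It assumes a simplified limiter that counts bytes per interval and that tagged frames select their limiter by the 802.1p value in the tag; `Frame`, `forward` and the sample traffic are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Frame:
    size: int                    # bytes
    tag_priority: Optional[int]  # 802.1p value in the 802.1Q tag; None if untagged
    policy_priority: int         # priority assigned later by policy classification

def limiter_queue(frame: Frame) -> int:
    """Queue whose limiter applies. Chosen before classification, so
    policy_priority is never consulted; untagged frames fall to queue 0."""
    return 0 if frame.tag_priority is None else frame.tag_priority

def forward(frames, limits):
    """Apply per-priority limits ({priority: max bytes per interval}) and
    return the frames that pass within one interval."""
    used, passed = {}, []
    for f in frames:
        q = limiter_queue(f)
        budget = limits.get(q)
        if budget is not None and used.get(q, 0) + f.size > budget:
            continue  # dropped by the limiter on queue q
        used[q] = used.get(q, 0) + f.size
        passed.append(f)
    return passed

def count(frames, tagged):
    """Number of tagged (or untagged) frames in a list."""
    return sum(1 for f in frames if (f.tag_priority is not None) == tagged)

# Constructed sample: ten tagged priority-5 frames and ten untagged frames
# that policy later classifies to priority 5, 1000 bytes each.
SAMPLE = ([Frame(1000, 5, 5) for _ in range(10)] +
          [Frame(1000, None, 5) for _ in range(10)])

def demo():
    """Return (tagged passed, untagged passed) for each limiter placement."""
    on_p5 = forward(SAMPLE, {5: 3000})  # limit on priority 5 only
    on_p0 = forward(SAMPLE, {0: 3000})  # limit on priority 0 only
    return {
        "limit_p5": (count(on_p5, True), count(on_p5, False)),
        "limit_p0": (count(on_p0, True), count(on_p0, False)),
    }

if __name__ == "__main__":
    print(demo())
```

    With the limit on priority 5, the untagged frames pass unthrottled even though policy assigns them priority 5; with the limit on priority 0, they are throttled regardless of their classified priority.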

    Solution
    Upgrade to Policy Manager 2.1 or higher, and use Role Based Rate Limiting.

    Role Based Rate Limiting provides a very granular rate limiting solution. Unlike our traditional Priority Based Rate Limiting, Role Based Rate Limiting enables rate limits to be assigned at the role and rule level rather than to 802.1p priority queues.

    Release notes state:
    Policy Manager now supports inbound role-based rate limiting on SecureStack C2/B2 Devices.

    This also requires the use of C2 firmware 4.00.24 or higher, and/or B2 firmware 3.01.16 or higher.