Matching multiple ports in an ACL for bandwidth throttling?

Hello,

I'm new to EXOS, coming from the Cisco world, and we are implementing some X690s in the core of our network. Currently, if we need to communicate with another branch office, the X690s forward to a Cisco 2901 router that handles where the traffic should go and what kind of QoS or bandwidth is applied.

Eventually I'd like to remove the Cisco 2901 router, as our ISPs provide an Ethernet handoff from their NID, which is a virtual private Ethernet circuit over their fiber.

I was reading a bit on creating meters and policies, but one question in a policy that I could never find the answer for could best be demonstrated in this example.

Say the ISP has limited the WAN to 20 Mbps, and I want to limit HTTP and HTTPS traffic to 15 Mbps so they can't hog the whole pipe with web surfing... I was thinking of this:

create meter http15m
configure meter http15m committed-rate 15 Mbps out-actions set-drop-precedence
create meter https15m
configure meter https15m committed-rate 15 Mbps out-actions set-drop-precedence

edit policy Branch20m

entry rule1 {
    if match all {
        protocol TCP ;
        destination-port 80 ;
    } then {
        meter http15m ;
        count HTTP-15m ;
    }
}
entry rule2 {
    if match all {
        protocol TCP ;
        destination-port 443 ;
    } then {
        meter https15m ;
        count HTTPs-15m ;
    }
}


However, instead of the two rules above, could I include testing for BOTH destination-port 80 and 443 in the same bracket? Like this?

entry rule1 {
    if match any {
        protocol TCP ;
        destination-port 80 ;
        destination-port 443 ;
    } then {
        meter http15m ;
        count HTTP-15m ;
    }
}

I haven't seen whether an OR statement can be used. I don't care about segregating HTTP vs. HTTPS traffic in a counter, so if I can simplify the rule that would be great.

I have another site with a 100 Mbps link, but I want to keep vSphere replication traffic limited to 60 Mbps. Unfortunately it's the same thing, as it uses two ports (44046 and 31031). So I originally came up with this:

create meter VRepl60m
configure meter VRepl60m committed-rate 60 Mbps out-actions drop

entry rule1 {
    if match all {
        protocol TCP ;
        destination-port 44046 ;
    } then {
        meter VRepl60m ;
        count VRepl60m ;
    }
}
entry rule2 {
    if match all {
        protocol TCP ;
        destination-port 31031 ;
    } then {
        meter VRepl60m ;
        count VRepl60m ;
    }
}


The thing I don't want to happen with the HTTP/HTTPS rules above is that someone could attempt to throw 30 Mbps down the pipe if they fully saturate it with 15 Mbps of HTTP (port 80) and 15 Mbps of HTTPS (port 443).

Thanks for the assistance!

Keith


Posted 5 months ago

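The two questions in the post (does `match any` let one entry cover ports 80 and 443, and do two entries with their own meters add up to 30 Mbps) worked through as an added Python model. This is not EXOS code and not from the poster; it applies the EXOS policy-file semantics that `match all` ANDs the listed conditions and `match any` ORs them, and pushes one second of constructed traffic (15 Mb/s to port 80 interleaved with 15 Mb/s to port 443) through single-rate token-bucket meters. The `Packet`, `Rule` and `Meter` classes, the 1 ms burst allowance and the packet sizes are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the header fields the policy inspects."""
    protocol: str   # "TCP" or "UDP"
    dst_port: int
    size_bits: int


@dataclass
class Rule:
    name: str
    mode: str                              # "all" = AND the conditions, "any" = OR them
    conditions: List[Tuple[str, object]]   # ("protocol", "TCP") or ("destination-port", 443)
    meter: str                             # meter the entry sends its matches to


def condition_holds(cond: Tuple[str, object], pkt: Packet) -> bool:
    key, value = cond
    if key == "protocol":
        return pkt.protocol == value
    if key == "destination-port":
        return pkt.dst_port == value
    raise ValueError(f"unsupported match condition: {key}")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    results = [condition_holds(c, pkt) for c in rule.conditions]
    return all(results) if rule.mode == "all" else any(results)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Entries are evaluated top-down; the first matching entry wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


@dataclass
class Meter:
    """Assumed single-rate token bucket; 1 Mbps == 1 bit/us, so integer refill is exact."""
    committed_mbps: int
    burst_bits: int = 0      # assumed burst allowance: 1 ms of credit (filled in below)
    tokens: int = 0
    last_us: int = 0

    def __post_init__(self) -> None:
        if self.burst_bits == 0:
            self.burst_bits = self.committed_mbps * 1000
        self.tokens = self.burst_bits

    def conforms(self, now_us: int, bits: int) -> bool:
        """Refill credit for elapsed time, then accept the packet only if it fits."""
        self.tokens = min(self.burst_bits, self.tokens + (now_us - self.last_us) * self.committed_mbps)
        self.last_us = now_us
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False   # out of profile: drop or mark, per the meter's out-actions


def simulate(rules: List[Rule], meters: Dict[str, Meter],
             packets: List[Tuple[int, Packet]]) -> Tuple[Dict[str, int], int]:
    """Return in-profile bits forwarded per meter and how many packets matched no entry."""
    forwarded = {name: 0 for name in meters}
    unmatched = 0
    for now_us, pkt in packets:
        rule = first_match(rules, pkt)
        if rule is None:
            unmatched += 1
            continue
        if meters[rule.meter].conforms(now_us, pkt.size_bits):
            forwarded[rule.meter] += pkt.size_bits
    return forwarded, unmatched


def web_traffic_one_second() -> List[Tuple[int, Packet]]:
    """Constructed load: 15 Mb/s to port 80 interleaved with 15 Mb/s to port 443."""
    return [(i * 500, Packet("TCP", 80 if i % 2 == 0 else 443, 15_000)) for i in range(2000)]


def tcp_port_rule(name: str, port: int, meter: str) -> Rule:
    return Rule(name, "all", [("protocol", "TCP"), ("destination-port", port)], meter)


def separate_meters_total() -> int:
    """The post's first draft: rule1 -> http15m, rule2 -> https15m, 15 Mbps each."""
    meters = {"http15m": Meter(15), "https15m": Meter(15)}
    rules = [tcp_port_rule("rule1", 80, "http15m"), tcp_port_rule("rule2", 443, "https15m")]
    forwarded, _ = simulate(rules, meters, web_traffic_one_second())
    return sum(forwarded.values())      # two independent buckets add up to 30 Mb


def shared_meter_total() -> int:
    """Both entries reference one 15 Mbps bucket, so ports 80 and 443 share the budget."""
    meters = {"web15m": Meter(15)}
    rules = [tcp_port_rule("rule1", 80, "web15m"), tcp_port_rule("rule2", 443, "web15m")]
    forwarded, _ = simulate(rules, meters, web_traffic_one_second())
    return sum(forwarded.values())      # capped at 15 Mb


def match_any_selection() -> Tuple[bool, bool, bool]:
    """What 'if match any { protocol TCP ; destination-port 80 ; destination-port 443 ; }' selects."""
    any_rule = Rule("rule1", "any",
                    [("protocol", "TCP"), ("destination-port", 80), ("destination-port", 443)],
                    "web15m")
    ssh, https, dns = Packet("TCP", 22, 1000), Packet("TCP", 443, 1000), Packet("UDP", 53, 1000)
    # 'protocol TCP' alone satisfies the OR, so SSH is throttled right along with HTTPS
    return rule_matches(any_rule, ssh), rule_matches(any_rule, https), rule_matches(any_rule, dns)


if __name__ == "__main__":
    print("separate meters forward", separate_meters_total(), "bits in 1 s")
    print("shared meter forwards", shared_meter_total(), "bits in 1 s")
    print("match any selects (ssh, https, udp dns):", match_any_selection())
```

The model shows why the `match any` rewrite is the wrong tool: with the protocol condition in the same OR list, every TCP packet matches, so a single `match any` entry would throttle SSH and everything else on TCP, not just web traffic. Two `match all` entries are still needed for the two ports; the part worth confirming against the EXOS ACL documentation or a lab test is whether the X690 treats one meter name referenced from two entries as a single aggregate bucket (the `shared_meter_total` case) or instantiates it per entry (the `separate_meters_total` case), because only the former caps combined HTTP plus HTTPS at 15 Mbps.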