Meter - ACL - Policy : "rate-limit" Protocol based traffic ? eg. port 80

  • Question
  • Updated 3 years ago
  • Answered
Good day all, 

Need some advice if you may - I have an X440 and I would like to create ACLs that limit certain protocol ports, like port 80 (http).

Please check my config below:

vlan 2 created
ports 1-10 added to vlan 2 untagged
meter created:
"create meter HTTP-limit
configure meter HTTP-limit committed-rate 1024 Kbps max-burst-size 128 Kb out-actions drop
configure access-list Limits ports 10 ingress"
ACL created and applied to port 10 (port where user is connected):
"configure access-list Limits vlan "DATA" ingress"
Policy created:
"Policies at Policy Server:
Policy: Limits
entry 1 {
if match all {
    protocol TCP ;
    destination-port 80 ;
}
then {
    meter HTTP-limit ;
    count HTTP-limit-count ;
}
}
Number of clients bound to policy: 1
Client: acl bound once"
Access-List counter:
"show acce count
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
Limits     *                10     ingress
    HTTP-limit-count               1638"

With the above config - there is NO meter limiting on the traffic.

BUT - when I remove:
  "protocol TCP ;    destination-port 80 " 
and have the brackets empty - it works beautifully.

From my understanding and reading through the ACL Solutions Guide - the above should work ?

If I enter :
check policy Limits
it returns successful..

I think I am missing a command or expression somewhere.  Can anyone provide some guidance ?

thanks !
Dewald Botha

Posted 3 years ago
Prashanth KG, Employee
Hi Dewald,

Is the same policy applied to VLAN data?
"configure access-list Limits vlan "DATA" ingress"
The policy looks fine to me.
Please clarify how you are verifying whether the policy is working or not.

When the match conditions protocol tcp and destination-port 80 are used, do you see the counters incrementing in the "show access-list counter" output?
When the match conditions are removed, it will match all the traffic coming into the port. If that works fine, then we can conclude that the meter configuration is correct. So, we just need to ensure that the actual http traffic hits the ACL.

Looking forward to your response!
Dewald Botha
Hi Prashanth, 

thanks for the reply - see reply below :

1. policy applied to vlan "Data" ?  not too sure what is meant - afaik the command listed above is what applies this policy to the Vlan ?  VLAN "Data" IS vlan 2 if that is what you are asking.

2. I am verifying the policy by 3 ways:
HTTP file download;
Speedtest.net test;
& by checking the ACL counter - there are Hits coming through when both of the following Policy statements are applied :

entry 1 {
if match all {
    protocol TCP ;
    destination-port 80 ;
}
then {
    meter HTTP-limit ;
    count HTTP-limit-count ;
}
}
or this one :  (with this one - this is the only one that actually works [not the above one])

entry 1 {
if match all {
}
then {
    meter HTTP-limit ;
    count HTTP-limit-count ;
}
}

3. As mentioned above - without the match conditions, this works like a charm.  The worry is that once the conditions are added the ACL is not enforced even though the counter is moving up. 
Prashanth KG, Employee
Thank you for the response!
In the policy that you have shared with us in the first post, I could see the following line:
configure access-list Limits vlan "DATA" ingress
That is why I wanted to be sure whether the policy is applied to the VLAN or to the port.

1. Please share the EXOS version that X440 is running and the exact X440 version (24t or 24p)?
Dewald Botha
ExtremeXOS version 15.3.1.4 v1531b4-patch1-19 by release-manager          on Fri Sep 20 14:57:37 EDT 2013

X440-48p

If I apply it to the VLAN, or in the event that I do not use VLANs (port based), the same thing occurs.

thanks for the reply !
Prashanth KG, Employee
Just did a quick test in the lab with the exact version and the hardware. I am able to limit the traffic with the same policy file and the configuration you have provided above.
Sharing my lab outputs so that you can verify if you are missing something.

Incoming port 2, egress port 4

# sh poli "Limits"
Policies at Policy Server:
Policy: Limits
entry 1 {
if match all {
    protocol TCP ;
    destination-port 80 ;
}
then {
    meter HTTP-limit ;
    count HTTP-limit-count ;
}
}

sh conf acl
#
# Module acl configuration.
#
create meter HTTP-limit
configure meter HTTP-limit committed-rate 1024 Kbps max-burst-size 128 Kb out-actions drop
configure access-list Limits ports 2 ingress


With ACL, the traffic flow:

 sh port 2 4 utilization bandwidth
Port     Link    Link   Rx             Peak Rx       Tx            Peak Tx
         State   Speed  % bandwidth    % bandwidth   % bandwidth   % bandwidth
================================================================================
2         A       1000     20.03         21.41          0.00            0.00
4         A       1000      0.00          0.00          0.10            0.11
================================================================================
          > indicates Port Display Name truncated past 8 characters
          Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback

Without ACL, the traffic utilization:

EDGE-Sw.8 # sh port 2 4 utilization bandwidth
Port     Link    Link   Rx             Peak Rx       Tx            Peak Tx
         State   Speed  % bandwidth    % bandwidth   % bandwidth   % bandwidth
================================================================================
2         A       1000     19.58         21.41          0.00            0.00
4         A       1000      0.00          0.00         19.58           19.58
================================================================================
          > indicates Port Display Name truncated past 8 characters
          Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback

Hope this helps to verify what is missed in your configuration/testing.
Dewald Botha
Thanks - I will test this again now - but with my HTTP downloads, it is not getting limited.
How are you testing the HTTP traffic so that the port's utilization spikes so high? Mine stays the same.
Dewald Botha
Hi Prashanth,

I am not seeing any changes on my side.  In fact - I have used the config you used on top.
I have changed the committed-rate to 56 Kbps to see if it has any effect.  Nothing.

My PC is plugged into port 4, and the link to the internet on port 10.  I applied the ACL to port 4 and the ACL counter increases its hits.  But nothing else.

* X440-48p.40 # show conf acl
#
# Module acl configuration.
#
create meter HTTP-limit
configure meter HTTP-limit committed-rate 56 Kbps max-burst-size 56 Kb out-actions drop
configure access-list Limits ports 4 ingress

Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
Limits            *                4      ingress
    HTTP-limit-count               6072


See below output: 

* X440-48p.35 # unconf acce Limits
 done!
* X440-48p.36 # sh port 4 10 uti band
Port     Link    Link   Rx             Peak Rx       Tx            Peak Tx
         State   Speed  % bandwidth    % bandwidth   % bandwidth   % bandwidth
================================================================================
4         A       1000      0.01          2.12          0.18            1.99
10        A       1000      0.18          1.99          0.01            2.12
================================================================================
          > indicates Port Display Name truncated past 8 characters
          Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
* X440-48p.37 # conf acce Limits port 4 ingr
 done!
* X440-48p.38 # sh port 4 10 uti band
Port     Link    Link   Rx             Peak Rx       Tx            Peak Tx
         State   Speed  % bandwidth    % bandwidth   % bandwidth   % bandwidth
================================================================================
4         A       1000      0.02          2.12          0.24            1.99
10        A       1000      0.24          1.99          0.02            2.12
================================================================================
          > indicates Port Display Name truncated past 8 characters
          Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
* X440-48p.39 # sh port 4 10 uti band
Port     Link    Link   Rx             Peak Rx       Tx            Peak Tx
         State   Speed  % bandwidth    % bandwidth   % bandwidth   % bandwidth
================================================================================
4         A       1000      0.01          2.12          0.10            1.99
10        A       1000      0.10          1.99          0.01            2.12
================================================================================
          > indicates Port Display Name truncated past 8 characters
          Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback


This is done by downloading a 100mb file over HTTP.  Also, the user-experience is unchanged.  Speedtest.net is unchanged.  webpages are loading fine....

Surely there must be something that I am missing - my config is exactly like yours.  I need to present this as a working solution.  Please let me know if there are any changes that you would like me to make.  If it works on your end - why not on mine ?

thanks a mil !
Prashanth KG, Employee
Hi Dewald,

Thanks a lot for sharing the outputs. We use packet generators to match the http traffic. That is why I could simulate the high amount of traffic.

I see that you are applying the ACL on the port where the PC is connected. While downloading, the PC would be sending only a minimal amount of traffic.

Only the traffic from the ISP should be rate-limited.

Try applying the following policy on the port 10.

entry 1 {
if match all {
    protocol TCP ;
    destination-port 80 ;
    destination-address <ip-address of the PC/32> ;
}
then {
    meter HTTP-limit ;
    count HTTP-limit-count ;
}
}
Let me know if this helps you!
Prashanth KG, Employee
A correction in the policy file:

entry 1 {
if match all {
    protocol TCP ;
    source-port 80 ;
    destination-address <ip-address of the PC/32> ;
}
then {
    meter HTTP-limit ;
    count HTTP-limit-count ;
}
}

Port 80 would be the source port from the ISP side. Also, ensure that the traffic is hitting the policy by checking the access-list counter.
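To make the placement argument above concrete, here is an added Python model (not code from the thread, from EXOS or from Extreme Networks) of a single-rate meter with a committed rate and a maximum burst, run against constructed traffic for both placements discussed in the thread: the meter on the PC-facing port matching destination-port 80, and the meter on the ISP-facing port matching source-port 80 plus the PC's address. The token-bucket semantics, the reading of "K" as 1000, the addresses, the port numbers and the traffic profile are all assumptions made for the example, not EXOS behaviour taken from documentation.

```python
"""Token-bucket model of an ingress meter (committed-rate + max-burst-size),
applied to the two ACL placements discussed in this thread.

Added example, not EXOS code. Assumptions: a single-rate token bucket whose
out-of-profile packets are dropped, 'K' read as 1000, and a constructed
HTTP download of roughly 10 Mbit/s with ACKs flowing back.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    t_ms: float        # arrival time in milliseconds
    size_bytes: int
    src_port: int
    dst_port: int
    dst_ip: str


class SingleRateMeter:
    """Bucket refills at committed_kbps and holds at most max_burst_kb kilobits;
    a packet conforms when its bits fit in the bucket, otherwise it is dropped."""

    def __init__(self, committed_kbps: float, max_burst_kb: float):
        self.rate_bits_per_ms = float(committed_kbps)  # 1 Kbit/s == 1 bit/ms
        self.capacity_bits = max_burst_kb * 1000.0
        self.tokens = self.capacity_bits                # bucket starts full
        self.last_ms = 0.0

    def conforms(self, pkt: Packet) -> bool:
        refill = (pkt.t_ms - self.last_ms) * self.rate_bits_per_ms
        self.tokens = min(self.capacity_bits, self.tokens + refill)
        self.last_ms = pkt.t_ms
        bits = pkt.size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False  # out-of-profile: out-actions drop


def run_policy(packets, match, meter):
    """Apply one ACL entry to a port's ingress stream: packets matching `match`
    go through the meter, the rest are forwarded untouched.
    Returns (matched_packets, forwarded_bits, dropped_bits)."""
    matched = forwarded = dropped = 0
    for pkt in sorted(packets, key=lambda p: p.t_ms):
        bits = pkt.size_bytes * 8
        if match(pkt):
            matched += 1
            if meter.conforms(pkt):
                forwarded += bits
            else:
                dropped += bits
        else:
            forwarded += bits
    return matched, forwarded, dropped


PC_IP = "192.0.2.10"        # constructed documentation address for the user's PC
SERVER_IP = "198.51.100.1"  # constructed documentation address for the web server


def constructed_download(duration_ms=1000):
    """One second of a download, split by the port it enters the switch on."""
    isp_ingress, pc_ingress = [], []
    k = 0   # server -> PC: 1500-byte segments every 1.2 ms (about 10 Mbit/s)
    while k * 1.2 < duration_ms:
        isp_ingress.append(Packet(k * 1.2, 1500, 80, 51234, PC_IP))
        k += 1
    k = 0   # PC -> server: 64-byte ACKs every 2.4 ms (about 213 Kbit/s)
    while k * 2.4 < duration_ms:
        pc_ingress.append(Packet(k * 2.4, 64, 51234, 80, SERVER_IP))
        k += 1
    return isp_ingress, pc_ingress


def compare_placements(committed_kbps=1024, max_burst_kb=128):
    isp_in, pc_in = constructed_download()
    # Placement from the first posts: meter on the PC-facing port, destination-port 80.
    pc_port = run_policy(pc_in, lambda p: p.dst_port == 80,
                         SingleRateMeter(committed_kbps, max_burst_kb))
    # Placement suggested above: meter on the ISP-facing port, source-port 80
    # and destination-address of the PC.
    isp_port = run_policy(isp_in, lambda p: p.src_port == 80 and p.dst_ip == PC_IP,
                          SingleRateMeter(committed_kbps, max_burst_kb))
    return {"pc_port": pc_port, "isp_port": isp_port}


if __name__ == "__main__":
    for where, (matched, fwd, drop) in compare_placements().items():
        print(f"{where}: matched={matched} packets, forwarded={fwd / 1000:.0f} Kbit, "
              f"dropped={drop / 1000:.0f} Kbit")
```

With the meter on the PC-facing port every ACK matches the entry (so the access-list counter climbs) but the stream never exceeds the committed rate, so nothing is dropped and the download is untouched. With the same meter on the ISP-facing port the data segments are what gets metered, and only about a burst's worth plus the committed rate gets through in the second.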
Dewald Botha
Hi, 

The rate limiting is still not working.  I am getting hits on the ACL with the above-mentioned configuration.

I have changed the speed of the ports to 100mb to get a better % read-out.  They stay the same both ways - inbound and outbound traffic is the same.

X440-48p.4 # show port 6 10 ut band
Port     Link    Link   Rx             Peak Rx       Tx            Peak Tx
         State   Speed  % bandwidth    % bandwidth   % bandwidth   % bandwidth
================================================================================
6         A       100       0.59          0.59         18.88           18.88
10        A       100      18.94         18.94          0.59            0.59
================================================================================
X440-48p.12 # show acce meter "HTTP-limit" ports 6 10
Policy Name      Vlan Name        Port
                       Committed   Max Burst  Out-of-Profile  Out-of-Profile
    Meter              Rate (Kbps) Size (K)   Action    DSCP  Packet Count
===============================================================================
Limits           *                6
    HTTP-limit         1024        128        Drop            48
ISP-limit        *                10
    HTTP-limit         1024        128        Drop            935

X440-48p.13 # show acce coun ports 6 10
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
Limits            *                6      ingress
    HTTP-limit-count               18793
ISP-limit         *                10     ingress
    HTTP-limit-count               29382
User is on port 6
ISP is on port 10

The user traffic should be 'shaped' to only 1024 Kbps (as per meter), however, no matter how I change this - it does not happen.  
I am not seeing the same bandwidth count as you did where it was clear that the one side is "limited".

Here are my policies:
Policies at Policy Server:
Policy: Limits
entry 1 {
if match all {
    protocol TCP ;
    destination-port 80 ;
}
then {
    meter HTTP-limit ;
    count HTTP-limit-count ;
}
}
Number of clients bound to policy: 1
Policies at Policy Server:
Policy: ISP-limit
entry 1 {
if match all {
    protocol TCP ;
    source-port 80 ;
    destination-address 196.25.104.239/32 ;
}
then {
    meter HTTP-limit ;
    count HTTP-limit-count ;
}
}
Number of clients bound to policy: 1
Am I missing something ?  Is it the wrong way around ?  The outcome that I am expecting is that the user's web traffic is slow.

appreciate your patience with this query,

BR

Dewald
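The "show access-list meter" output in the post above carries an Out-of-Profile packet count per meter, which is the figure that tells whether a meter is actually dropping anything, as opposed to the access-list counter, which only says the entry was matched. Here is an added Python helper (not from the thread or from EXOS) that parses two snapshots of that output in the layout shown above and reports the per-meter change. The first snapshot copies the numbers from the post; the second snapshot's numbers are invented to show a delta, and the regular expressions assume the column layout seen on this page.

```python
"""Parse EXOS 'show access-list meter' output and report how each meter's
Out-of-Profile packet count moved between two snapshots.

Added example, not part of the thread or of EXOS. The first snapshot below is
constructed in the layout shown in the thread (its numbers copied from there);
the second snapshot's numbers are invented to illustrate a delta.
"""
import re

# "Limits           *                6"  -> policy, vlan, port
_POLICY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*$")
# "    HTTP-limit  1024  128  Drop  [dscp]  48" -> meter, rate, burst, action, [dscp], count
_METER_RE = re.compile(r"^\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(?:(\d+)\s+)?(\d+)\s*$")


def parse_meter_output(text):
    """Return {(policy, port, meter): {...}} for every meter row in the output.
    Header lines, separators and a prompt glued to the first line match neither
    pattern and are skipped."""
    rows = {}
    policy = port = None
    for line in text.splitlines():
        m = _POLICY_RE.match(line)
        if m:
            policy, port = m.group(1), int(m.group(3))
            continue
        m = _METER_RE.match(line)
        if m and policy is not None:
            meter, rate, burst, action, dscp, count = m.groups()
            rows[(policy, port, meter)] = {
                "rate_kbps": int(rate), "burst_kb": int(burst), "action": action,
                "dscp": int(dscp) if dscp else None, "out_of_profile": int(count),
            }
    return rows


def out_of_profile_delta(before_text, after_text):
    """Packets that went out of profile between the two snapshots, per meter."""
    before, after = parse_meter_output(before_text), parse_meter_output(after_text)
    return {key: after[key]["out_of_profile"] - before[key]["out_of_profile"]
            for key in after if key in before}


# Constructed snapshot in the thread's layout; counts copied from the post above.
BEFORE = """\
Policy Name      Vlan Name        Port
                       Committed   Max Burst  Out-of-Profile  Out-of-Profile
    Meter              Rate (Kbps) Size (K)   Action    DSCP  Packet Count
===============================================================================
Limits           *                6
    HTTP-limit         1024        128        Drop            48
ISP-limit        *                10
    HTTP-limit         1024        128        Drop            935
"""

# Constructed second snapshot; these counts are invented for the example.
AFTER = """\
Policy Name      Vlan Name        Port
                       Committed   Max Burst  Out-of-Profile  Out-of-Profile
    Meter              Rate (Kbps) Size (K)   Action    DSCP  Packet Count
===============================================================================
Limits           *                6
    HTTP-limit         1024        128        Drop            51
ISP-limit        *                10
    HTTP-limit         1024        128        Drop            4120
"""

if __name__ == "__main__":
    for (policy, port, meter), delta in out_of_profile_delta(BEFORE, AFTER).items():
        print(f"{policy} on port {port}, meter {meter}: +{delta} out-of-profile packets")
```

Take the two snapshots at the start and the end of a download: a meter whose out-of-profile count climbs during the transfer is dropping matched traffic, while a meter whose access-list counter climbs but whose out-of-profile count stays flat is being hit by traffic that never exceeds the committed rate.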
Jarek
Hi,

ISP is on port 10, user is on port 6; where is this IP 196.25.104.239: on port 6 (and it is the user's IP address) or on port 10 (and it is the ISP's address)?


Regards
--
Jarek
Dewald Botha
The ISP is on port 10.
Policy "ISP-limit" is applied to this port.
The IP address is the host address of the user located on port 6

The user is on port 6
Policy "Limit" is applied to this port.
Jarek
Do you have any other ACLs on this switch (on VLANs or ports)?

--
Jarek
Dewald Botha
Hi, 

No - this is the only config that is on the switch.  Nothing else.

thanks
Jarek
Can you paste:
 sh access-list usage acl-slice port 1

before and after applying the ACL?
--
Jarek
Drew C., Community Manager
Hi Dewald,  I wanted to follow up here and see if you were able to get this working.