Sample Inbound Rate Limiter configuration for the SecureStacks

  • Updated 4 years ago
Article ID: 11321 

Products
C5-Series, all firmware
C3-Series, firmware 1.01.01.0039 and higher
C2-Series, firmware 3.03.23 and higher
B5-Series, all firmware
B3-Series, firmware 1.01.01.0039 and higher
B2-Series, firmware 3.00.14 and higher

Goals
Create a variety of Inbound Rate Limiters (IRL) for demonstration purposes.

The sample configuration presented below constrains nine port pairs so that each pair limits its traffic, in both directions, to a bandwidth unique to that pair. The rate limiting capabilities of the SecureStacks may then be tested by measuring the actual throughput of traffic traversing these port pairs.

The goal is to achieve the following:

  • Ports 1 & 13 should limit to 256 kilobits per second (kb/s).
  • Ports 2 & 14 should limit to 512 kb/s.
  • Ports 3 & 15 should limit to 1 megabit per second (Mb/s).
  • Ports 4 & 16 should limit to 2 Mb/s.
  • Ports 5 & 17 should limit to 4 Mb/s.
  • Ports 6 & 18 should limit to 5 Mb/s.
  • Ports 7 & 19 should limit to 8 Mb/s.
  • Ports 8 & 20 should limit to 10 Mb/s.
  • Ports 9 & 21 should limit to 100 Mb/s.

See also: 5821 and 11667.

Solution
Set up a profile/role for each rate limit to be defined.

  set policy profile 1 name "limit_256kbps" cos-status enable cos 8
  set policy profile 2 name "limit_512kbps" cos-status enable cos 9
  set policy profile 3 name "limit_1Mbps" cos-status enable cos 10
  set policy profile 4 name "limit_2Mbps" cos-status enable cos 11
  set policy profile 5 name "limit_4Mbps" cos-status enable cos 16
  set policy profile 6 name "limit_5Mbps" cos-status enable cos 20
  set policy profile 7 name "limit_8Mbps" cos-status enable cos 32
  set policy profile 8 name "limit_10Mbps" cos-status enable cos 40
  set policy profile 9 name "limit_100Mbps" cos-status enable cos 255

Statically assign each role to a pair of test ports. Each role will thus only apply its designated Class of Service to the traffic ingressing its port pairs.

  set policy port ge.1.1 1
  set policy port ge.1.2 2
  set policy port ge.1.3 3
  set policy port ge.1.4 4
  set policy port ge.1.5 5
  set policy port ge.1.6 6
  set policy port ge.1.7 7
  set policy port ge.1.8 8
  set policy port ge.1.9 9
  set policy port ge.1.13 1
  set policy port ge.1.14 2
  set policy port ge.1.15 3
  set policy port ge.1.16 4
  set policy port ge.1.17 5
  set policy port ge.1.18 6
  set policy port ge.1.19 7
  set policy port ge.1.20 8
  set policy port ge.1.21 9

Enable Class of Service, which is required for Inbound Rate Limiting.

  set cos state enable

Define the cos values referenced by the roles (range 0-255) so that each one leaves the traffic at priority 0 (range 0-7) and points to a unique logical IRL instance (range 0-99). This configuration purposely avoids cos values 0-7 because here the priority does not match the cos (10323).

  set cos settings 8 priority 0 irl-reference 1
  set cos settings 9 priority 0 irl-reference 2
  set cos settings 10 priority 0 irl-reference 4
  set cos settings 11 priority 0 irl-reference 8
  set cos settings 16 priority 0 irl-reference 16
  set cos settings 20 priority 0 irl-reference 20
  set cos settings 32 priority 0 irl-reference 32
  set cos settings 40 priority 0 irl-reference 40
  set cos settings 255 priority 0 irl-reference 99

Map each logical IRL instance (range 0-99) to a hardware-based IRL instance (0-99).

  set cos reference irl 0.0 1 rate-limit 1
  set cos reference irl 0.0 2 rate-limit 2
  set cos reference irl 0.0 4 rate-limit 4
  set cos reference irl 0.0 8 rate-limit 8
  set cos reference irl 0.0 16 rate-limit 16
  set cos reference irl 0.0 20 rate-limit 20
  set cos reference irl 0.0 32 rate-limit 32
  set cos reference irl 0.0 40 rate-limit 40
  set cos reference irl 0.0 99 rate-limit 99

Define the behavior of each hardware-based IRL instance (0-99).

  set cos port-resource irl 0.0 1 unit kbps rate 256 type drop syslog enable trap enable
  set cos port-resource irl 0.0 2 unit kbps rate 512 type drop syslog enable trap enable
  set cos port-resource irl 0.0 4 unit kbps rate 1000 type drop syslog enable trap enable
  set cos port-resource irl 0.0 8 unit kbps rate 2000 type drop syslog enable trap enable
  set cos port-resource irl 0.0 16 unit kbps rate 4000 type drop syslog enable trap enable
  set cos port-resource irl 0.0 20 unit kbps rate 5000 type drop syslog enable trap enable
  set cos port-resource irl 0.0 32 unit kbps rate 8000 type drop syslog enable trap enable
  set cos port-resource irl 0.0 40 unit kbps rate 10000 type drop syslog enable trap enable
  set cos port-resource irl 0.0 99 unit kbps rate 100000 type drop syslog enable trap enable

View the results.

  show config policy
  show policy profile all

  show config cos
  show cos state
  show cos settings
  show cos reference
  show cos port-resource
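
An added example (not part of the original article or any vendor tooling): a Python check that walks the chain port -> profile -> cos -> irl-reference -> rate-limit -> port-resource through saved configuration text and reports each port's effective limit in kb/s, naming the step that fails when a chain does not resolve. It assumes port group 0.0 and "unit kbps" throughout, as in this article; the sample input is constructed from the article's commands with one port-resource line left out.

```python
import re

# Constructed sample from this article's commands; IRL 99's port-resource line is omitted.
SAMPLE_CONFIG = '''
set policy profile 1 name "limit_256kbps" cos-status enable cos 8
set policy profile 9 name "limit_100Mbps" cos-status enable cos 255
set policy port ge.1.1 1
set policy port ge.1.13 1
set policy port ge.1.9 9
set cos settings 8 priority 0 irl-reference 1
set cos settings 255 priority 0 irl-reference 99
set cos reference irl 0.0 1 rate-limit 1
set cos reference irl 0.0 99 rate-limit 99
set cos port-resource irl 0.0 1 unit kbps rate 256 type drop syslog enable trap enable
'''

# Chain steps in walk order. Assumption: port group 0.0 and "unit kbps" throughout.
STEPS = [
    ("port", r"set policy port (\S+) (\d+)"),
    ("profile", r'set policy profile (\d+) name "[^"]*" cos-status enable cos (\d+)'),
    ("cos", r"set cos settings (\d+) priority \d+ irl-reference (\d+)"),
    ("reference", r"set cos reference irl 0\.0 (\d+) rate-limit (\d+)"),
    ("port-resource", r"set cos port-resource irl 0\.0 (\d+) unit kbps rate (\d+)"),
]

def parse(config):
    """Build {step: {key: next_key}} from the 'set' lines of a config."""
    tables = {name: {} for name, _ in STEPS}
    for line in config.splitlines():
        for name, pattern in STEPS:
            match = re.match(pattern, line.strip())
            if match:
                tables[name][match.group(1)] = match.group(2)
    return tables

def effective_rates(config):
    """Map each policy port to its limit in kb/s, or to the step that fails."""
    tables = parse(config)
    rates = {}
    for port in tables["port"]:
        key = port
        for name, _ in STEPS:
            if key not in tables[name]:
                rates[port] = f"no {name} entry for {key}"
                break
            key = tables[name][key]
        else:
            rates[port] = int(key)
    return rates
```

Feeding it the output of `show config policy` and `show config cos` lets you compare the resolved rates against the goals list before running throughput tests.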

For Inbound Rate Limiting you may alternatively use DiffServ (5848), if your B3/B2 is not Policy-licensed (5781).
FAQ User, Official Rep

Posted 4 years ago
