SecureStack Rate Limiting not Functioning as Expected for Untagged Traffic

  • Updated 5 years ago
Article ID: 7177 

Products
Matrix C2
SecureStack C2
Firmware 3.03.38 and lower
SecureStack B2
Firmware 3.00.18 and lower
NetSight Policy Manager
Version 2.0.1 and lower 

Protocols/Features
Rate limiting
802.1Q
Policy
UPN 

Symptoms
Rate limiting not functioning for untagged traffic
'set port ratelimit' 

Cause
802.1Q-VLAN-tagged traffic can be rate limited according to its priority association based on policy. 

Untagged traffic, on the other hand, cannot be rate limited according to its priority association based on policy or ingress port priority. This is because priority-based (port) rate limiters are applied by hardware before packet classification. As a result, all non-priority-tagged traffic has the limiter associated with the default queue (queue 0) applied, even if the packet is later classified to a new priority level. If, however, a rate limit is created for priority 0, all untagged traffic, whatever its priority (0-7), will be rate limited.
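A small model of the ordering described above, added here as an illustration; it is not vendor code and is not taken from the device firmware. The limiter is selected from the 802.1Q tag before policy classification runs. The names `Frame`, `PriorityLimiter`, `ingress` and `run`, the 3000-byte budget and the frame sizes are assumptions made for the example.

```python
from typing import NamedTuple, Optional

class Frame(NamedTuple):
    size: int                              # bytes
    tag_priority: Optional[int]            # 802.1p value in the 802.1Q tag; None = untagged
    policy_priority: Optional[int] = None  # priority a policy rule assigns at classification

class PriorityLimiter:
    """Simplified limiter (assumption): a byte budget for one measurement interval."""
    def __init__(self, budget: int):
        self.budget = budget
        self.used = 0

    def admit(self, size: int) -> bool:
        if self.used + size > self.budget:
            return False
        self.used += size
        return True

def ingress(frames, limiters):
    """Return bytes forwarded per final priority; limiting happens before classification."""
    forwarded = {}
    for f in frames:
        # Stage 1, limiter: only the tag is visible here, so untagged frames use queue 0.
        limiter_prio = f.tag_priority if f.tag_priority is not None else 0
        limiter = limiters.get(limiter_prio)
        if limiter is not None and not limiter.admit(f.size):
            continue  # dropped by the limiter
        # Stage 2, classification: policy may assign a new priority, too late for stage 1.
        final = f.policy_priority if f.policy_priority is not None else limiter_prio
        forwarded[final] = forwarded.get(final, 0) + f.size
    return forwarded

def run(limited_priority: int, tagged: bool) -> int:
    """Offer ten constructed 1000-byte frames destined for priority 5; return bytes forwarded."""
    limiters = {limited_priority: PriorityLimiter(3000)}
    if tagged:
        frames = [Frame(1000, 5)] * 10
    else:
        frames = [Frame(1000, None, policy_priority=5)] * 10
    return ingress(frames, limiters).get(5, 0)

if __name__ == "__main__":
    print("tagged, limiter on priority 5:  ", run(5, tagged=True))
    print("untagged, limiter on priority 5:", run(5, tagged=False))
    print("untagged, limiter on priority 0:", run(0, tagged=False))
```

In this model the untagged flow bypasses a limiter placed on priority 5 and is only constrained once a limiter exists on priority 0.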

Solution
Upgrade to Policy Manager 2.1 or higher, and use Role Based Rate Limiting. 

Role Based Rate Limiting provides a very granular rate limiting solution. Unlike our traditional Priority Based Rate Limiting, Role Based Rate Limiting enables rate limits to be assigned at the role and rule level rather than to 802.1p priority queues.

Release notes state:
Policy Manager now supports inbound role-based rate limiting on SecureStack C2/B2 Devices.

This also requires the use of C2 firmware 4.00.24 or higher, and/or B2 firmware 3.01.16 or higher.
FAQ User, Official Rep

Posted 5 years ago
