
Meter - ACL - Policy : "rate-limit" Protocol based traffic ? eg. port 80


Good day all,

Need some advice if you may - I have an X440 and I would like to create ACLs that limit certain protocol ports, like port 80 (http).

Please check my config below:


vlan 2 created
ports 1-10 added to vlan 2 untagged
meter created:
create meter HTTP-limit
configure meter HTTP-limit committed-rate 1024 Kbps max-burst-size 128 Kb out-actions drop
configure access-list Limits ports 10 ingress

ACL created and applied to port 10 (port where user is connected):
configure access-list Limits vlan "DATA" ingress
Policy created:
Policies at Policy Server:
Policy: Limits
entry 1 {
if match all {
protocol TCP ;
destination-port 80 ;
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

Access-List counter:
show acce count
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
Limits * 10 ingress
HTTP-limit-count 1638


With the above config - there is NO meter limiting on the traffic.

BUT - when I remove:
protocol TCP ; destination-port 80 ;

and have the brackets empty - it works beautifully.

From my understanding and reading through the ACL Solutions Guide - the above should work ?

If I enter:
check policy Limits
it returns successful.

I think I am missing a command or expression somewhere. Can anyone provide some guidance ?

thanks !


Userlevel 6
Hi Dewald,

Is the same policy applied to VLAN data?
configure access-list Limits vlan "DATA" ingress

The policy looks fine to me.
Please clarify how you are verifying if the policy is working or not?

When the match conditions protocol tcp and destination-port 80 are used, do you see the counters incrementing in the "show access-list counter" output?
When the match conditions are removed, it will match all the traffic coming into the port. If that works fine, then we can conclude that the meter configuration is correct. So, we just need to ensure that the actual http traffic hits the ACL.

Looking forward to your response!
Hi Prashanth,

thanks for the reply - see reply below :

1. policy applied to vlan "Data" ? not too sure what is meant - afaik the command listed above is what applies this policy to the Vlan ? VLAN "Data" IS vlan 2 if that is what you are asking.

2. I am verifying the policy by 3 ways:
HTTP file download;
Speedtest.net test;
& by checking the ACL counter - there are Hits coming through when both of the following Policy statements are applied :

entry 1 {
if match all {
protocol TCP ;
destination-port 80 ;
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}

or this one (with this one - this is the only one that actually works [not the above one]):

entry 1 {
if match all {
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}
3. As mentioned above - without the match conditions, this works like a charm. The worry is that once the conditions are added the ACL is not enforced even though the counter is moving up.
Userlevel 6
Thank you for the response!
In the policy that you have shared with us in the first post, I could see the following line:
configure access-list Limits vlan "DATA" ingress

That is why I wanted to be sure whether the policy is applied to the VLAN or the port.

1. Please share the EXOS version that X440 is running and the exact X440 version (24t or 24p)?

ExtremeXOS version 15.3.1.4 v1531b4-patch1-19 by release-manager on Fri Sep 20 14:57:37 EDT 2013

X440-48p

If I apply it to the VLAN, or in the event that I do not use VLANs (port based), the same thing occurs.

thanks for the reply !
Userlevel 6
Just did a quick test in the lab with the exact version and the hardware. I am able to limit the traffic with the same policy file and the configuration you have provided above.
Sharing my lab outputs so that you can verify if you are missing something.

Incoming port 2, egress port 4

# sh poli "Limits"
Policies at Policy Server:
Policy: Limits
entry 1 {
if match all {
protocol TCP ;
destination-port 80 ;
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}

sh conf acl
#
# Module acl configuration.
#
create meter HTTP-limit
configure meter HTTP-limit committed-rate 1024 Kbps max-burst-size 128 Kb out-actions drop
configure access-list Limits ports 2 ingress

With ACL, the traffic flow:

sh port 2 4 utilization bandwidth
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
2 A 1000 20.03 21.41 0.00 0.00
4 A 1000 0.00 0.00 0.10 0.11
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback

Without ACL, the traffic utilization:

EDGE-Sw.8 # sh port 2 4 utilization bandwidth
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
2 A 1000 19.58 21.41 0.00 0.00
4 A 1000 0.00 0.00 19.58 19.58
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback

Hope this helps to verify what is missed in your configuration/testing.
Thanks - I will test this again now - but with my HTTP downloads, it is not getting limited.
How are you testing the HTTP traffic so that the port's utilization spikes so high ? mine stay the same..
Hi Prashanth,

I am not seeing any changes on my side. In fact - I have used the config you used on top.
I have changed the committed-rate to 56 Kbps to see if it has any effect. Nothing.

My PC is plugged into port 4, and the link to the internet on port 10. I applied the ACL to port 4 and the ACL counter increases its hits. But nothing else.

* X440-48p.40 # show conf acl # # Module acl configuration. # create meter HTTP-limit configure meter HTTP-limit committed-rate 56 Kbps max-burst-size 56 Kb out-actions drop configure access-list Limits ports 4 ingress[/code]
Policy Name Vlan Name Port Direction Counter Name Packet Count Byte Count
==================================================================
Limits * 4 ingress
HTTP-limit-count 6072[/code]

See below output:

* X440-48p.35 # unconf acce Limits
done!
* X440-48p.36 # sh port 4 10 uti band
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
4 A 1000 0.01 2.12 0.18 1.99
10 A 1000 0.18 1.99 0.01 2.12
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
* X440-48p.37 # conf acce Limits port 4 ingr
done!
* X440-48p.38 # sh port 4 10 uti band
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
4 A 1000 0.02 2.12 0.24 1.99
10 A 1000 0.24 1.99 0.02 2.12
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
* X440-48p.39 # sh port 4 10 uti band
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
4 A 1000 0.01 2.12 0.10 1.99
10 A 1000 0.10 1.99 0.01 2.12
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback

This is done by downloading a 100mb file over HTTP. Also, the user-experience is unchanged. Speedtest.net is unchanged. webpages are loading fine....

Surely there must be something that I am missing - my config is exactly like yours. I need to present this as a working solution. Please let me know if there are any changes that you would like me to make. If it works on your end - why not on mine ?

thanks a mil !
Userlevel 6
Hi Dewald,

Thanks a lot for sharing the outputs. We use the packet generators to match the http traffic. That is why, I could simulate the high amount of traffic.

I see that you are applying the ACL on the port where the PC is connected. While downloading, the PC would be sending only minimal amount of traffic.

Only the traffic from the ISP should be rate-limited.

Try applying the following policy on the port 10.

entry 1 {
if match all {
protocol TCP ;
destination-port 80 ;
destination-address [i];
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}

Let me know if this helps you!
Userlevel 6
A correction in the policy file:

entry 1 {
if match all {
protocol TCP ;
source-port 80 ;
destination-address [i];
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}

Port number 80 would be the source from the ISP. Also, ensure that the traffic is hitting the policy by checking the access-list counter.
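The direction point made above, as an added illustration that is not from the thread and not Extreme's code: a token-bucket model of the meter (committed-rate 1024 Kbps, max-burst-size 128 Kb, out-actions drop) run over one constructed second of an HTTP download, first with "Limits" on the user's ingress port matching destination-port 80, then with the suggested source-port 80 policy on the ISP port. The user IP 196.25.104.239 is the one from the thread; the ISP address 203.0.113.10, the packet sizes and the packet rates are assumptions, and the model is a simplification of what the switch hardware does.

```python
from collections import namedtuple

# ingress_port/protocol/ports/addresses mirror the policy match keys; size in bytes, t_us in microseconds
Packet = namedtuple("Packet", "ingress_port protocol src_ip dst_ip src_port dst_port size t_us")

class Meter:
    """Single-rate token bucket in EXOS units: committed-rate in Kbps, max-burst-size in Kb."""
    def __init__(self, committed_rate_kbps, max_burst_kb):
        self.rate_bps = committed_rate_kbps * 1000 // 8   # bytes per second
        self.capacity = max_burst_kb * 1000 // 8          # bucket depth in bytes
        self.tokens, self.last_us = self.capacity, 0

    def conforms(self, pkt):
        refill = (pkt.t_us - self.last_us) * self.rate_bps // 1_000_000
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_us = pkt.t_us
        if pkt.size > self.tokens:
            return False          # out-of-profile: the meter's "out-actions drop"
        self.tokens -= pkt.size
        return True

def apply_policy(port, match, meter, traffic):
    """Ingress ACL on one port. Returns (counter hits, forwarded bytes, dropped bytes)."""
    hits = fwd = drop = 0
    for pkt in sorted(traffic, key=lambda p: p.t_us):
        if pkt.ingress_port != port or any(getattr(pkt, k) != v for k, v in match.items()):
            continue              # not seen on this port, or the "if match all" clause fails
        hits += 1                 # "count HTTP-limit-count" increments even when the meter drops
        if meter.conforms(pkt):
            fwd += pkt.size
        else:
            drop += pkt.size
    return hits, fwd, drop

USER, ISP = "196.25.104.239", "203.0.113.10"   # user IP from the thread; ISP address constructed

def download_second():
    """Constructed 1 s of an HTTP download: 100 small ACKs up from port 6, 2000 full segments down from port 10."""
    up = [Packet(6, "TCP", USER, ISP, 51234, 80, 64, i * 10_000) for i in range(100)]
    down = [Packet(10, "TCP", ISP, USER, 80, 51234, 1500, i * 500) for i in range(2000)]
    return up + down

# "Limits" as first applied: ingress on the user port, matching destination-port 80.
# Only the tiny upstream packets match, so the counter climbs but nothing is out-of-profile.
limits = apply_policy(6, {"protocol": "TCP", "dst_port": 80}, Meter(1024, 128), download_second())
# "ISP-limit" as suggested: ingress on the ISP port, matching source-port 80 toward the user.
# Now the 3 MB download meets the meter and all but ~144 KB (burst + 1 s at 1024 Kbps) is dropped.
isp_limit = apply_policy(10, {"protocol": "TCP", "src_port": 80, "dst_ip": USER}, Meter(1024, 128), download_second())
```

The model forwards 95 of the 2000 downstream segments (142,500 bytes, about 1.1 Mbps) under "ISP-limit", while "Limits" on the user port counts 100 hits and drops nothing.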
Hi,

The rate limiting is still not working. I am getting hits on the ACL with the above-mentioned configuration.

I have changed the speed of the ports to 100mb to get a better % read-out. They stay the same both ways - inbound and outbound traffic is the same

X440-48p.4 # show port 6 10 ut band
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
6 A 100 0.59 0.59 18.88 18.88
10 A 100 18.94 18.94 0.59 0.59
================================================================================

X440-48p.12 # show acce meter "HTTP-limit" ports 6 10
Policy Name Vlan Name Port
Committed Max Burst Out-of-Profile Out-of-Profile
Meter Rate (Kbps) Size (K) Action DSCP Packet Count
===============================================================================
Limits * 6
HTTP-limit 1024 128 Drop 48
ISP-limit * 10
HTTP-limit 1024 128 Drop 935

X440-48p.13 # show acce coun ports 6 10
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
Limits * 6 ingress
HTTP-limit-count 18793
ISP-limit * 10 ingress
HTTP-limit-count 29382

User is on port 6
ISP is on port 10

The user traffic should be 'shaped' to only 1024 Kbps (as per meter), however, no matter how I change this - it does not happen.
I am not seeing the same bandwidth count as you did where it was clear that the one side is "limited".

Here are my policies:

Policies at Policy Server:
Policy: Limits
entry 1 {
if match all {
protocol TCP ;
destination-port 80 ;
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}
Number of clients bound to policy: 1

Policies at Policy Server:
Policy: ISP-limit
entry 1 {
if match all {
protocol TCP ;
source-port 80 ;
destination-address 196.25.104.239/32 ;
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}
Number of clients bound to policy: 1

Am I missing something ? Is it the wrong way around ? The outcome that I am expecting is that the user's web traffic is slow.

appreciate your patience with this query,

BR

Dewald
Userlevel 3
Hi,

ISP is on port 10, user is on port 6. Where is this IP 196.25.104.239: on port 6 (is this the user's IP address) or on port 10 (is this the ISP address)?

Regards
--
Jarek
The ISP is on port 10.
Policy "ISP-limit" is applied to this port.
The IP address is the host address of the user located on port 6

The user is on port 6
Policy "Limit" is applied to this port.
Userlevel 3
Do you have any other ACLs on this switch? (on VLANs or ports)

--
Jarek
Hi,

No - this is the only config that is on the switch. Nothing else.

thanks
Userlevel 3
Can you paste:
sh access-list usage acl-slice port 1

before and after applying the ACL?
--
Jarek
Userlevel 7
Hi Dewald, I wanted to follow up here and see if you were able to get this working.
