topic Disabling Ports using Inbound Rate Limiters on the N-Series in FAQs https://community.extremenetworks.com/t5/faqs/disabling-ports-using-inbound-rate-limiters-on-the-n-series/m-p/42006#M83 Article ID: 11731 <BR /> <BR /> <B>Products</B><BR /> Matrix N-Series DFE <BR /> <BR /> <B>Goals</B><BR /> This document provides a sample configuration using packets per second rate limiting to trigger a port disable. A policy-rule-based action will disable on the <I>first</I> packet seen, but this policy-cos-based action will disable upon reaching the threshold of packets per second. <BR /> <BR /> If using anything other than packets per second configurations (only supported on the Platinum and Diamond series), then one-minute intervals are used for the calculations. <BR /> <BR /> The real-world purpose of this configuration was originally to disable a port when registering a certain quantity of a specific type of traffic, expected on an edge port but seen entering an Inter-Switch Link (ISL) port - helping to assist in locating and disabling a flooding path in the network. Other applications and/or classifications may be used. <BR /> <BR /> <B>Solution</B><BR /> The policy rule drops packets destined to HTTP port 80 at IP address 10.16.19.163, and associates them with Class of Service (CoS) table entry# 8, used to feed traffic to the rate limiter. The specific traffic targeted in this manner, and the decision to drop this traffic, is purely at the discretion of the user.# policy<BR /> set policy profile 3 name CB2 cos-status enable<BR /> set policy rule admin-profile port ge.5.30 mask 16 port-string ge.5.30 admin-pid 3<BR /> set policy rule 3 tcpdestportIP 80:10.16.19.163 mask 48 drop cos 8Set cos 8 so that it maps to 802.1p priority 0 and Inbound Rate Limiter logical reference# 9.# cos settings<BR /> set cos settings 8 priority 0 irl-reference 9Map the group/index# (0.0 and 0.1 to cover both default hardware types) and reference# (9) to the hardware-based Inbound Rate Limiter (2) to be used.# cos reference<BR /> set cos reference irl 0.0 9 rate-limit 2<BR /> set cos reference irl 0.1 9 rate-limit 2Instruct that the group/index# (0.0 and 0.1) and hardware Inbound Rate Limiter (2) combo not reach or exceed 20 Packets per Second (the specified range must be within 1-100 pps), and to syslog and disable the port when the limit is violated. The determination of this rate is purely at the discretion of the user. <BR /> <BR /> The 'disable-port enable' parameter is what makes the rate limiting action disable the port rather than just drop violating traffic as configured in <A href="http://bit.ly/1a1waga" target="_blank" rel="nofollow noreferrer noopener">7537</A>.# cos port-resource<BR /> set cos port-resource irl 0.0 2 unit pps rate 20 syslog enable disable-port enable<BR /> set cos port-resource irl 0.1 2 unit pps rate 20 syslog enable disable-port enableEnabling the cos state alllows all the issued 'set cos' commands to become active.# cos state<BR /> set cos state enableIt is important to see log messages when a rate limiter has been hit. Policy/cos messages generate at level 7, though by default they are only displayed at level 6 and lower.# logging<BR /> set logging application UPN level 7After exposing port ge.5.30 to at least 20 pps of the targeted traffic, here are some results. <BR /> <BR /> Example of resulting syslog messages:&lt;166&gt;Mar 6 16:12:11 10.26.156.19 UPN[5]CosTable Inbound Rate Limiter 1 was violated on ge.5.30<BR /> &lt;166&gt;Mar 6 16:12:11 10.26.156.19 UPN[5]ge.5.30 disabled by Inbound Rate Limiter 1 violationA 'show port status' command will now show the port as operstatus down (and the Link LED remains on), and a 'show port operstatuscause' will show why.Matrix N5 Platinum(su)-&gt;show port status ge.5.30<BR /> <BR /> Port Alias Oper Admin Speed Duplex Type<BR /> (truncated) Status Status (bps)<BR /> ------------ ---------------- -------- ------- ------ ------- ------------------<BR /> ge.5.30 down up 1.0G full 1000-t rj45<BR /> 1 of 1 ports displayed, 0 port(s) with oper status 'up' or 'dormant'.<BR /> <BR /> Matrix N5 Platinum(su)-&gt;show port operstatuscause ge.5.30<BR /> +------------------------------+<BR /> | A L L D |<BR /> | D L F S I F O |<BR /> | M O L E N L P C T L |<BR /> | I S A L I O O O 1 A |<BR /> Port | N S P F T W L S X G |<BR /> ----------+------------------------------+<BR /> ge.5.30 | . . . . . . . X . . |<BR /> Matrix N5 Platinum(su)-&gt;Use 'clear port operstatuscause' to regain use of this port.Matrix N5 Platinum(su)-&gt;clear port operstatuscause<BR /> Matrix N5 Platinum(su)-&gt;show port status ge.5.30<BR /> <BR /> Port Alias Oper Admin Speed Duplex Type<BR /> (truncated) Status Status (bps)<BR /> ------------ ---------------- -------- ------- ------ ------- ------------------<BR /> ge.5.30 up up 1.0G full 1000-t rj45<BR /> 1 of 1 ports displayed, 1 port(s) with oper status 'up' or 'dormant'.<BR /> <BR /> Matrix N5 Platinum(su)-&gt; Wed, 27 Nov 2013 04:23:00 GMT FAQ_User 2013-11-27T04:23:00Z Disabling Ports using Inbound Rate Limiters on the N-Series https://community.extremenetworks.com/t5/faqs/disabling-ports-using-inbound-rate-limiters-on-the-n-series/m-p/42006#M83 Article ID: 11731 <BR /> <BR /> <B>Products</B><BR /> Matrix N-Series DFE <BR /> <BR /> <B>Goals</B><BR /> This document provides a sample configuration using packets per second rate limiting to trigger a port disable. A policy-rule-based action will disable on the <I>first</I> packet seen, but this policy-cos-based action will disable upon reaching the threshold of packets per second. <BR /> <BR /> If using anything other than packets per second configurations (only supported on the Platinum and Diamond series), then one-minute intervals are used for the calculations. <BR /> <BR /> The real-world purpose of this configuration was originally to disable a port when registering a certain quantity of a specific type of traffic, expected on an edge port but seen entering an Inter-Switch Link (ISL) port - helping to assist in locating and disabling a flooding path in the network. Other applications and/or classifications may be used. <BR /> <BR /> <B>Solution</B><BR /> The policy rule drops packets destined to HTTP port 80 at IP address 10.16.19.163, and associates them with Class of Service (CoS) table entry# 8, used to feed traffic to the rate limiter. The specific traffic targeted in this manner, and the decision to drop this traffic, is purely at the discretion of the user.# policy<BR /> set policy profile 3 name CB2 cos-status enable<BR /> set policy rule admin-profile port ge.5.30 mask 16 port-string ge.5.30 admin-pid 3<BR /> set policy rule 3 tcpdestportIP 80:10.16.19.163 mask 48 drop cos 8Set cos 8 so that it maps to 802.1p priority 0 and Inbound Rate Limiter logical reference# 9.# cos settings<BR /> set cos settings 8 priority 0 irl-reference 9Map the group/index# (0.0 and 0.1 to cover both default hardware types) and reference# (9) to the hardware-based Inbound Rate Limiter (2) to be used.# cos reference<BR /> set cos reference irl 0.0 9 rate-limit 2<BR /> set cos reference irl 0.1 9 rate-limit 2Instruct that the group/index# (0.0 and 0.1) and hardware Inbound Rate Limiter (2) combo not reach or exceed 20 Packets per Second (the specified range must be within 1-100 pps), and to syslog and disable the port when the limit is violated. The determination of this rate is purely at the discretion of the user. <BR /> <BR /> The 'disable-port enable' parameter is what makes the rate limiting action disable the port rather than just drop violating traffic as configured in <A href="http://bit.ly/1a1waga" target="_blank" rel="nofollow noreferrer noopener">7537</A>.# cos port-resource<BR /> set cos port-resource irl 0.0 2 unit pps rate 20 syslog enable disable-port enable<BR /> set cos port-resource irl 0.1 2 unit pps rate 20 syslog enable disable-port enableEnabling the cos state alllows all the issued 'set cos' commands to become active.# cos state<BR /> set cos state enableIt is important to see log messages when a rate limiter has been hit. Policy/cos messages generate at level 7, though by default they are only displayed at level 6 and lower.# logging<BR /> set logging application UPN level 7After exposing port ge.5.30 to at least 20 pps of the targeted traffic, here are some results. <BR /> <BR /> Example of resulting syslog messages:&lt;166&gt;Mar 6 16:12:11 10.26.156.19 UPN[5]CosTable Inbound Rate Limiter 1 was violated on ge.5.30<BR /> &lt;166&gt;Mar 6 16:12:11 10.26.156.19 UPN[5]ge.5.30 disabled by Inbound Rate Limiter 1 violationA 'show port status' command will now show the port as operstatus down (and the Link LED remains on), and a 'show port operstatuscause' will show why.Matrix N5 Platinum(su)-&gt;show port status ge.5.30<BR /> <BR /> Port Alias Oper Admin Speed Duplex Type<BR /> (truncated) Status Status (bps)<BR /> ------------ ---------------- -------- ------- ------ ------- ------------------<BR /> ge.5.30 down up 1.0G full 1000-t rj45<BR /> 1 of 1 ports displayed, 0 port(s) with oper status 'up' or 'dormant'.<BR /> <BR /> Matrix N5 Platinum(su)-&gt;show port operstatuscause ge.5.30<BR /> +------------------------------+<BR /> | A L L D |<BR /> | D L F S I F O |<BR /> | M O L E N L P C T L |<BR /> | I S A L I O O O 1 A |<BR /> Port | N S P F T W L S X G |<BR /> ----------+------------------------------+<BR /> ge.5.30 | . . . . . . . X . . |<BR /> Matrix N5 Platinum(su)-&gt;Use 'clear port operstatuscause' to regain use of this port.Matrix N5 Platinum(su)-&gt;clear port operstatuscause<BR /> Matrix N5 Platinum(su)-&gt;show port status ge.5.30<BR /> <BR /> Port Alias Oper Admin Speed Duplex Type<BR /> (truncated) Status Status (bps)<BR /> ------------ ---------------- -------- ------- ------ ------- ------------------<BR /> ge.5.30 up up 1.0G full 1000-t rj45<BR /> 1 of 1 ports displayed, 1 port(s) with oper status 'up' or 'dormant'.<BR /> <BR /> Matrix N5 Platinum(su)-&gt; Wed, 27 Nov 2013 04:23:00 GMT https://community.extremenetworks.com/t5/faqs/disabling-ports-using-inbound-rate-limiters-on-the-n-series/m-p/42006#M83 FAQ_User 2013-11-27T04:23:00Z