Meter - ACL - Policy : "rate-limit" Protocol based traffic ? eg. port 80

Dewald_Botha1
New Contributor
Good day all,

Need some advice if you may - I have an X440 and I would like to create ACLs that limit certain protocol ports, like port 80 (http).

Please check my config below:

vlan 2 created
ports 1-10 added to vlan 2 untagged

meter created:
"create meter HTTP-limit
configure meter HTTP-limit committed-rate 1024 Kbps max-burst-size 128 Kb out-actions drop"

ACL created and applied to port 10 (port where user is connected) and to the VLAN:
"configure access-list Limits ports 10 ingress
configure access-list Limits vlan "DATA" ingress"

Policy created:
"Policies at Policy Server:
Policy: Limits
entry 1 {
    if match all {
        protocol TCP ;
        destination-port 80 ;
    }
    then {
        meter HTTP-limit ;
        count HTTP-limit-count ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once"

Access-list counter:
"show acce count
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
Limits * 10 ingress
HTTP-limit-count 1638"

With the above config - there is NO meter limiting on the traffic.

BUT - when I remove:
"protocol TCP ; destination-port 80 " and have the brackets empty - it works beautifully.

From my understanding and reading through the ACL Solutions Guide - the above should work ?

If I enter:
"check policy Limits"
it returns successful.

I think I am missing a command or expression somewhere. Can anyone provide some guidance ?

thanks !


Dewald_Botha1
New Contributor
Hi Prashanth,

thanks for the reply - see reply below :

1. Policy applied to VLAN "Data"? Not too sure what is meant - AFAIK the command listed above is what applies this policy to the VLAN. VLAN "Data" IS vlan 2, if that is what you are asking.

2. I am verifying the policy by 3 ways:
HTTP file download;
Speedtest.net test;
& by checking the ACL counter - there are hits coming through when either of the following policy statements is applied:

entry 1 {
    if match all {
        protocol TCP ;
        destination-port 80 ;
    }
    then {
        meter HTTP-limit ;
        count HTTP-limit-count ;
    }
}

or this one (with this one - this is the only one that actually works [not the above one]):

entry 1 {
    if match all {
    }
    then {
        meter HTTP-limit ;
        count HTTP-limit-count ;
    }
}
3. As mentioned above - without the match conditions, this works like a charm. The worry is that once the conditions are added the ACL is not enforced even though the counter is moving up.

Prashanth_KG
Extreme Employee
Hi Dewald,

Is the same policy applied to VLAN data?
"configure access-list Limits vlan "DATA" ingress"
The policy looks fine to me.
Please clarify how you are verifying if the policy is working or not?

When the match conditions protocol tcp and destination-port 80 are used, do you see the counters incrementing in the "show access-list counter" output?
When the match conditions are removed, it will match all the traffic coming into the port. If that works fine, then we can conclude that the meter configuration is correct. So, we just need to ensure that the actual http traffic hits the ACL.

Looking forward to your response!
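A repeatable way to apply the check Prashanth describes, added here as an example for this thread (it is not code from Extreme Networks or from either poster): take two snapshots of `show access-list counter` a known number of seconds apart, and compare the byte delta of the counter with the volume the meter should have admitted (committed-rate × interval + max-burst-size). A rising packet count only proves the entry matched; the byte delta shows whether the meter actually dropped anything. Assumptions: the column layout is the one pasted in the original post, a Byte Count column is present (the pasted sample shows a packet count only, which the parser tolerates but cannot turn into a rate), the meter's K means 1000 with both values in bits, and you collect the snapshots yourself (pasted from the console or pulled over SSH). The snapshot numbers below are constructed.

```python
"""Does an EXOS ACL meter actually limit, or only count?

Parse two snapshots of `show access-list counter` taken `seconds` apart and
compare the byte delta against what the meter should admit.  The packet count
proves the entry matched; the delta proves (or disproves) enforcement.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CounterSample:
    """One counter row plus the policy/port context it was printed under."""
    policy: str
    vlan: str
    port: str
    direction: str
    counter: str
    packets: int
    octets: Optional[int]  # None when the switch printed a packet count only


# Column layout assumed from the output quoted in the thread:
#   "<policy> <vlan|*> <port> <ingress|egress>" then "<counter> <packets> [<bytes>]"
_POLICY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(ingress|egress)$")
_COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)(?:\s+(\d+))?$")
_SKIP = ("Policy Name", "Counter Name", "=", "show ")  # headers, rule, echoed command

Key = Tuple[str, str, str]  # (policy, port, counter name)


def parse_counters(text: str) -> Dict[Key, CounterSample]:
    """Parse pasted `show access-list counter` output, keyed by (policy, port, counter)."""
    samples: Dict[Key, CounterSample] = {}
    context = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(_SKIP):
            continue
        m = _POLICY_RE.match(line)
        if m:
            context = m.groups()  # following counter rows belong to this policy/port
            continue
        m = _COUNTER_RE.match(line)
        if m and context is not None:
            name, pkts, octs = m.groups()
            s = CounterSample(*context, name, int(pkts), int(octs) if octs else None)
            samples[(s.policy, s.port, s.counter)] = s
    return samples


def admitted_bytes(committed_kbps: float, burst_kb: float, seconds: float) -> float:
    """Bytes a meter with this committed-rate / max-burst-size admits in `seconds`.
    Assumption: K = 1000 and both values are in bits (Kbps / Kb as in the posted config)."""
    return (committed_kbps * 1000.0 * seconds + burst_kb * 1000.0) / 8.0


def check_meter(before, after, key: Key, committed_kbps, burst_kb, seconds, slack=1.1):
    """Return (matched, enforced, observed_kbps) for one counter across two snapshots.
    `slack` tolerates snapshot timing jitter; anything well above it means no metering."""
    b, a = before[key], after[key]
    matched = a.packets > b.packets
    if b.octets is None or a.octets is None:
        raise ValueError("need byte counts; packet counts alone cannot give a rate")
    delta = a.octets - b.octets
    observed_kbps = delta * 8.0 / 1000.0 / seconds
    enforced = delta <= admitted_bytes(committed_kbps, burst_kb, seconds) * slack
    return matched, enforced, round(observed_kbps, 1)


# Constructed snapshots, 10 s apart, for the meter in the thread
# (committed-rate 1024 Kbps, max-burst-size 128 Kb).
BEFORE = """\
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
Limits * 10 ingress
HTTP-limit-count 1638 2130000
"""
# Counter moved but 6 MB (about 4.8 Mbps) went through: matched, not metered.
AFTER_UNMETERED = """\
Limits * 10 ingress
HTTP-limit-count 5750 8130000
"""
# Counter moved and 1.2 MB (about 0.96 Mbps) went through: matched and metered.
AFTER_METERED = """\
Limits * 10 ingress
HTTP-limit-count 2460 3330000
"""
KEY: Key = ("Limits", "10", "HTTP-limit-count")


def run_demo():
    before = parse_counters(BEFORE)
    return {
        "unmetered": check_meter(before, parse_counters(AFTER_UNMETERED), KEY, 1024, 128, 10),
        "metered": check_meter(before, parse_counters(AFTER_METERED), KEY, 1024, 128, 10),
    }


if __name__ == "__main__":
    for label, (matched, enforced, kbps) in run_demo().items():
        print(f"{label}: matched={matched} enforced={enforced} observed={kbps} Kbps")
```

Run the check twice: once with the match conditions in place and once with the empty `if match all { }` entry. If the empty entry reports enforced and the conditioned entry reports matched but not enforced, the meter itself is fine and the problem is in how the conditioned entry is being programmed on the hardware, which is where to take the investigation next.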
