Meter - ACL - Policy : "rate-limit" Protocol based traffic ? eg. port 80

Dewald_Botha1
New Contributor
Good day all,

Need some advice if you may - I have an X440 and I would like to create ACLs that limit certain protocol ports, like port 80 (http).

Please check my config below:

vlan 2 created
ports 1-10 added to vlan 2 untagged

meter created:
create meter HTTP-limit
configure meter HTTP-limit committed-rate 1024 Kbps max-burst-size 128 Kb out-actions drop
configure access-list Limits ports 10 ingress

ACL created and applied to port 10 (port where user is connected):
configure access-list Limits vlan "DATA" ingress

Policy created:
Policies at Policy Server:
Policy: Limits
entry 1 {
if match all {
protocol TCP ;
destination-port 80 ;
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

Access-List counter:
show acce count
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
Limits * 10 ingress
HTTP-limit-count 1638

With the above config - there is NO meter limiting on the traffic.

BUT - when I remove:
"protocol TCP ; destination-port 80 " and have the brackets empty - it works beautifully.

From my understanding and reading through the ACL Solutions Guide - the above should work ?

If I enter:
check policy Limits
it returns successful.

I think I am missing a command or expression somewhere. Can anyone provide some guidance ?

thanks !
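As an added illustration (not code from the thread or from Extreme), the Python model below feeds a constructed HTTP download trace through the policy's entry 1 match (TCP, destination-port 80) and a token-bucket meter using the HTTP-limit values above (committed-rate 1024 Kbps, max-burst-size 128 Kb, out-actions drop), once on the user port's ingress and once on the uplink's ingress. It also tries an assumed source-port 80 match that is not on the page; the port names, the trace and the match helpers are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    t: float        # arrival time in seconds
    port: str       # switch port the packet enters on
    proto: str
    sport: int
    dport: int
    size: int       # bytes

class Meter:
    """Single-rate token bucket: committed-rate in Kbps, max-burst-size in Kb."""
    def __init__(self, committed_kbps, burst_kb):
        self.rate = committed_kbps * 1000 / 8    # bytes per second
        self.cap = burst_kb * 1000 / 8           # bucket depth in bytes
        self.tokens, self.last = self.cap, 0.0
    def admit(self, p):
        self.tokens = min(self.cap, self.tokens + (p.t - self.last) * self.rate)
        self.last = p.t
        if p.size > self.tokens:
            return False                         # out-actions drop
        self.tokens -= p.size
        return True

def apply_acl(trace, ingress_port, match):
    """Ingress ACL on one port: count and meter matches, drop the excess."""
    meter = Meter(1024, 128)                     # the thread's HTTP-limit meter
    stats = {"matched": 0, "dropped": 0, "unmetered_bytes": 0}
    for p in trace:
        if p.port == ingress_port and match(p):
            stats["matched"] += 1                # HTTP-limit-count
            stats["dropped"] += 0 if meter.admit(p) else 1
        else:
            stats["unmetered_bytes"] += p.size
    return stats

def http_download_trace():
    """Constructed trace: client GET enters on the user port, 1000 data
    segments enter on the uplink, one client ACK per 10 segments."""
    trace = [Pkt(0.0, "user", "TCP", 51234, 80, 200)]
    for i in range(1000):
        t = 0.01 + i * 1e-4
        trace.append(Pkt(t, "uplink", "TCP", 80, 51234, 1460))
        if i % 10 == 9:
            trace.append(Pkt(t + 5e-5, "user", "TCP", 51234, 80, 60))
    return trace

def dst80(p): return p.proto == "TCP" and p.dport == 80   # entry 1 of policy Limits
def src80(p): return p.proto == "TCP" and p.sport == 80   # assumed alternative match
```

With destination-port 80 on the user port's ingress, only the client's request and ACKs are metered, so the counter increments while the 1.46 MB of download data is never limited; metering the download itself requires matching the server-to-client direction on the port where it enters the switch.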


Dewald_Botha1
New Contributor
Hi Prashanth,

I am not seeing any changes on my side. In fact - I have used the config you used on top.
I have changed the committed-rate to 56 Kbps to see if it has any effect. Nothing.

My PC is plugged into port 4, and the link to the internet on port 10. I applied the ACL to port 4 and the ACL counter increases its hits. But nothing else.

* X440-48p.40 # show conf acl
#
# Module acl configuration.
#
create meter HTTP-limit
configure meter HTTP-limit committed-rate 56 Kbps max-burst-size 56 Kb out-actions drop
configure access-list Limits ports 4 ingress

Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
Limits * 4 ingress
HTTP-limit-count 6072

See below output:

* X440-48p.35 # unconf acce Limits
done!
* X440-48p.36 # sh port 4 10 uti band
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
4 A 1000 0.01 2.12 0.18 1.99
10 A 1000 0.18 1.99 0.01 2.12
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
* X440-48p.37 # conf acce Limits port 4 ingr
done!
* X440-48p.38 # sh port 4 10 uti band
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
4 A 1000 0.02 2.12 0.24 1.99
10 A 1000 0.24 1.99 0.02 2.12
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
* X440-48p.39 # sh port 4 10 uti band
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
4 A 1000 0.01 2.12 0.10 1.99
10 A 1000 0.10 1.99 0.01 2.12
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback

This is done by downloading a 100mb file over HTTP. Also, the user experience is unchanged. Speedtest.net is unchanged. Webpages are loading fine...

Surely there must be something that I am missing - my config is exactly like yours. I need to present this as a working solution. Please let me know if there are any changes that you would like me to make. If it works on your end - why not on mine ?

thanks a mil !

Dewald_Botha1
New Contributor
Thanks - I will test this again now - but with my HTTP downloads, it is not getting limited.
How are you testing the HTTP traffic so that the port's utilization spikes so high? Mine stays the same.

Prashanth_KG
Extreme Employee
Just did a quick test in the lab with the exact version and the hardware. I am able to limit the traffic with the same policy file and the configuration you have provided above.
Sharing my lab outputs so that you can verify if you are missing something.

Incoming port 2, egress port 4

# sh poli "Limits"
Policies at Policy Server:
Policy: Limits
entry 1 {
if match all {
protocol TCP ;
destination-port 80 ;
}
then {
meter HTTP-limit ;
count HTTP-limit-count ;
}
}

sh conf acl
#
# Module acl configuration.
#
create meter HTTP-limit
configure meter HTTP-limit committed-rate 1024 Kbps max-burst-size 128 Kb out-actions drop
configure access-list Limits ports 2 ingress

With ACL, the traffic flow:

sh port 2 4 utilization bandwidth
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
2 A 1000 20.03 21.41 0.00 0.00
4 A 1000 0.00 0.00 0.10 0.11
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback

Without ACL, the traffic utilization:

EDGE-Sw.8 # sh port 2 4 utilization bandwidth
Port Link Link Rx Peak Rx Tx Peak Tx
State Speed % bandwidth % bandwidth % bandwidth % bandwidth
================================================================================
2 A 1000 19.58 21.41 0.00 0.00
4 A 1000 0.00 0.00 19.58 19.58
================================================================================
> indicates Port Display Name truncated past 8 characters
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback

Hope this helps to verify what is missed in your configuration/testing.

Dewald_Botha1
New Contributor
ExtremeXOS version 15.3.1.4 v1531b4-patch1-19 by release-manager on Fri Sep 20 14:57:37 EDT 2013

X440-48p

If I apply it to the VLAN, or in the event that I do not use VLANs (port based), the same thing occurs.

thanks for the reply !

Prashanth_KG
Extreme Employee
Thank you for the response!
In the policy that you have shared with us in the first post, I could see the following line:
configure access-list Limits vlan "DATA" ingress
That is why I wanted to be sure that the policy is applied to the VLAN or the port.

1. Please share the EXOS version that X440 is running and the exact X440 version (24t or 24p)?
