Meter - ACL - Policy : "rate-limit" Protocol based traffic ? eg. port 80

Dewald_Botha1
New Contributor
Good day all,

Need some advice if you may - I have an X440 and I would like to create ACLs that limit certain protocol ports, like port 80 (http).

Please check my config below:

vlan 2 created
ports 1-10 added to vlan 2 untagged
meter created:
"create meter HTTP-limit
configure meter HTTP-limit committed-rate 1024 Kbps max-burst-size 128 Kb out-actions drop
configure access-list Limits ports 10 ingress"
ACL created and applied to port 10 (port where user is connected):
"configure access-list Limits vlan "DATA" ingress"
Policy created:
"Policies at Policy Server:
Policy: Limits
entry 1 {
    if match all {
        protocol TCP ;
        destination-port 80 ;
    }
    then {
        meter HTTP-limit ;
        count HTTP-limit-count ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once"
Access-List counter:
"show acce count
Policy Name   Vlan Name   Port   Direction
  Counter Name       Packet Count   Byte Count
==================================================================
Limits        *           10     ingress
  HTTP-limit-count   1638"

With the above config - there is NO meter limiting on the traffic.

BUT - when I remove:
"protocol TCP ; destination-port 80 " and have the brackets empty - it works beautifully.

From my understanding and reading through the ACL Solutions Guide, the above should work?

If I enter:
check policy Limits
it returns successful.

I think I am missing a command or expression somewhere. Can anyone provide some guidance?

Thanks!


Dewald_Botha1
New Contributor
The ISP is on port 10.
Policy "ISP-limit" is applied to this port.
The IP address is the host address of the user located on port 6

The user is on port 6
Policy "Limit" is applied to this port.

Jarek
New Contributor II
Hi,

ISP is on port 10, user is on port 6; where is this IP 196.25.104.239: on port 6 (and this is the user IP address), or on port 10 (and this is the ISP address)?

Regards
--
Jarek

Dewald_Botha1
New Contributor
Hi,

The rate limiting is still not working. I am getting hits on the ACL with the above-mentioned configuration.

I have changed the speed of the ports to 100 Mb to get a better % read-out. They stay the same both ways - inbound and outbound traffic is the same.

X440-48p.4 # show port 6 10 ut band
Port   Link    Link    Rx %        Peak Rx %   Tx %        Peak Tx %
       State   Speed   bandwidth   bandwidth   bandwidth   bandwidth
================================================================================
6      A       100     0.59        0.59        18.88       18.88
10     A       100     18.94       18.94       0.59        0.59
================================================================================

X440-48p.12 # show acce meter "HTTP-limit" ports 6 10
Policy Name   Vlan Name   Port
  Meter        Committed Rate (Kbps)   Max Burst Size (K)   Out-of-Profile Action   Out-of-Profile DSCP   Packet Count
===============================================================================
Limits        *           6
  HTTP-limit   1024                    128                  Drop                                         48
ISP-limit     *           10
  HTTP-limit   1024                    128                  Drop                                         935

X440-48p.13 # show acce coun ports 6 10
Policy Name   Vlan Name   Port   Direction
  Counter Name       Packet Count   Byte Count
==================================================================
Limits        *           6      ingress
  HTTP-limit-count   18793
ISP-limit     *           10     ingress
  HTTP-limit-count   29382

User is on port 6
ISP is on port 10

The user traffic should be 'shaped' to only 1024 Kbps (as per meter), however, no matter how I change this - it does not happen.
I am not seeing the same bandwidth count as you did where it was clear that the one side is "limited".

Here are my policies:
Policies at Policy Server:
Policy: Limits
entry 1 {
    if match all {
        protocol TCP ;
        destination-port 80 ;
    }
    then {
        meter HTTP-limit ;
        count HTTP-limit-count ;
    }
}
Number of clients bound to policy: 1

Policies at Policy Server:
Policy: ISP-limit
entry 1 {
    if match all {
        protocol TCP ;
        source-port 80 ;
        destination-address 196.25.104.239/32 ;
    }
    then {
        meter HTTP-limit ;
        count HTTP-limit-count ;
    }
}
Number of clients bound to policy: 1

Am I missing something? Is it the wrong way around? The outcome that I am expecting is that the user's web traffic is slow.

appreciate your patience with this query,

BR

Dewald

Prashanth_KG
Extreme Employee
A correction in the policy file:

entry 1 {
    if match all {
        protocol TCP ;
        source-port 80 ;
        destination-address ;
    }
    then {
        meter HTTP-limit ;
        count HTTP-limit-count ;
    }
}
port number 80 would be source from the ISP. Also, ensure if the traffic is hitting the policy by checking the access-list counter.

Prashanth_KG
Extreme Employee
Hi Dewald,

Thanks a lot for sharing the outputs. We use the packet generators to match the http traffic. That is why, I could simulate the high amount of traffic.

I see that you are applying the ACL on the port where the PC is connected. While downloading, the PC would be sending only minimal amount of traffic.

Only the traffic from the ISP should be rate-limited.

Try applying the following policy on the port 10.

entry 1 {
    if match all {
        protocol TCP ;
        destination-port 80 ;
        destination-address ;
    }
    then {
        meter HTTP-limit ;
        count HTTP-limit-count ;
    }
}

Let me know if this helps you!
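As an added illustration (not code from this thread or from Extreme), the Python model below implements a single-rate, drop-on-exceed meter bound to one port's ingress direction and runs the two bindings discussed above against constructed traffic: the "Limits" policy (protocol TCP, destination-port 80) bound on the user's port 6, and a reply-matching policy (source-port 80, destination-address of the user) bound on the ISP-facing port 10. The user IP 196.25.104.239, the port numbers and the meter values (1024 Kbps, 128 Kb burst) come from the thread; the server address 203.0.113.10, the ephemeral client port 51000, the packet sizes and timings, and the "K = 1000, bucket starts full" arithmetic are assumptions.

```python
"""Added illustration (not ExtremeXOS code): a token-bucket model of an
ACL meter bound to one port's ingress, fed with a constructed HTTP download,
to show which binding actually throttles the user's downloads."""
from dataclasses import dataclass
import ipaddress

USER_IP = "196.25.104.239"     # user address from the thread
SERVER_IP = "203.0.113.10"     # assumed web server reached via the ISP link
USER_PORT, ISP_PORT = 6, 10    # switch ports from the thread


@dataclass
class Packet:
    t_ms: int        # arrival time, milliseconds
    ingress: int     # switch port the packet enters on
    src: str
    dst: str
    sport: int
    dport: int
    length: int      # bytes on the wire
    proto: str = "TCP"


class Meter:
    """Single-rate meter: 'committed-rate N Kbps max-burst-size M Kb
    out-actions drop'. Assumes K = 1000 and a bucket that starts full."""

    def __init__(self, committed_kbps, burst_kb):
        self.cap = burst_kb * 1000          # bucket depth in bits
        self.rate_per_ms = committed_kbps   # N Kbps == N bits per millisecond
        self.tokens = self.cap
        self.last_t = 0

    def admit(self, pkt):
        elapsed = pkt.t_ms - self.last_t
        self.tokens = min(self.cap, self.tokens + self.rate_per_ms * elapsed)
        self.last_t = pkt.t_ms
        need = pkt.length * 8
        if self.tokens < need:
            return False                    # out of profile -> drop
        self.tokens -= need
        return True


def matches(entry, pkt):
    """'if match all' block; keys mirror the .pol keywords used in the thread."""
    if entry.get("protocol", pkt.proto) != pkt.proto:
        return False
    if entry.get("source-port", pkt.sport) != pkt.sport:
        return False
    if entry.get("destination-port", pkt.dport) != pkt.dport:
        return False
    net = entry.get("destination-address")
    if net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(net):
        return False
    return True


def http_download(n_responses=1000):
    """Constructed one-second download: ten 80-byte requests from the user
    (entering on port 6) and 1000 full-size replies from the server
    (entering on port 10, one per millisecond)."""
    pkts = [Packet(t, USER_PORT, USER_IP, SERVER_IP, 51000, 80, 80)
            for t in range(0, 1000, 100)]
    pkts += [Packet(t, ISP_PORT, SERVER_IP, USER_IP, 80, 51000, 1500)
             for t in range(n_responses)]
    return sorted(pkts, key=lambda p: p.t_ms)


def apply_policy(entry, bind_port, meter, pkts):
    """Ingress ACL: only packets entering on bind_port are evaluated."""
    stats = {"matched": 0, "dropped": 0, "delivered_response_bytes": 0}
    for p in pkts:
        forward = True
        if p.ingress == bind_port and matches(entry, p):
            stats["matched"] += 1
            if not meter.admit(p):
                stats["dropped"] += 1
                forward = False
        if forward and p.sport == 80:   # bytes of server replies reaching the user
            stats["delivered_response_bytes"] += p.length
    return stats


# The thread's "Limits" policy bound on the user's port: it sees only requests.
LIMITS = {"protocol": "TCP", "destination-port": 80}
# Reply-matching policy bound on the ISP-facing port: it sees the downloads.
ISP_LIMIT = {"protocol": "TCP", "source-port": 80,
             "destination-address": USER_IP + "/32"}


def on_user_port():
    return apply_policy(LIMITS, USER_PORT, Meter(1024, 128), http_download())


def on_isp_port():
    return apply_policy(ISP_LIMIT, ISP_PORT, Meter(1024, 128), http_download())


if __name__ == "__main__":
    print("Limits on port 6 ingress:    ", on_user_port())
    print("ISP-limit on port 10 ingress:", on_isp_port())
```

Bound on port 6, the meter only ever sees the ten small requests, so the access-list counter increments while all 1.5 MB of replies pass untouched, which is the symptom reported above. Bound on port 10 against the replies, it admits roughly burst plus rate times elapsed time (about 144 KB in the first second here) and drops the rest; those drops are what the Out-of-Profile Packet Count column of `show access-list meter` reports.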
