
Disabling Ports using Inbound Rate Limiters on the N-Series

FAQ_User
Extreme Employee
Article ID: 11731

Products
Matrix N-Series DFE

Goals
This document provides a sample configuration that uses packets-per-second rate limiting to trigger a port disable. A policy-rule-based action will disable the port on the first packet seen, but this policy-cos-based action will disable the port upon reaching the threshold of packets per second.

If using anything other than packets per second configurations (only supported on the Platinum and Diamond series), then one-minute intervals are used for the calculations.

The original real-world purpose of this configuration was to disable a port when it registers a certain quantity of a specific type of traffic that is expected on an edge port but is seen entering an Inter-Switch Link (ISL) port, which helps in locating and disabling a flooding path in the network. Other applications and/or classifications may be used.

Solution
The policy rule drops packets destined to HTTP port 80 at IP address 10.16.19.163, and associates them with Class of Service (CoS) table entry# 8, used to feed traffic to the rate limiter. The specific traffic targeted in this manner, and the decision to drop this traffic, is purely at the discretion of the user.

# policy
set policy profile 3 name CB2 cos-status enable
set policy rule admin-profile port ge.5.30 mask 16 port-string ge.5.30 admin-pid 3
set policy rule 3 tcpdestportIP 80:10.16.19.163 mask 48 drop cos 8

Set cos 8 so that it maps to 802.1p priority 0 and Inbound Rate Limiter logical reference# 9.

# cos settings
set cos settings 8 priority 0 irl-reference 9

Map the group/index# (0.0 and 0.1 to cover both default hardware types) and reference# (9) to the hardware-based Inbound Rate Limiter (2) to be used.

# cos reference
set cos reference irl 0.0 9 rate-limit 2
set cos reference irl 0.1 9 rate-limit 2

Instruct that the group/index# (0.0 and 0.1) and hardware Inbound Rate Limiter (2) combo not reach or exceed 20 Packets per Second (the specified range must be within 1-100 pps), and to syslog and disable the port when the limit is violated. The determination of this rate is purely at the discretion of the user.

The 'disable-port enable' parameter is what makes the rate limiting action disable the port rather than just drop violating traffic as configured in 7537.

# cos port-resource
set cos port-resource irl 0.0 2 unit pps rate 20 syslog enable disable-port enable
set cos port-resource irl 0.1 2 unit pps rate 20 syslog enable disable-port enable

Enabling the cos state allows all the issued 'set cos' commands to become active.

# cos state
set cos state enable

It is important to see log messages when a rate limiter has been hit. Policy/cos messages are generated at level 7, though by default they are only displayed at level 6 and lower.

# logging
set logging application UPN level 7

After exposing port ge.5.30 to at least 20 pps of the targeted traffic, here are some results.

Example of resulting syslog messages:

<166>Mar 6 16:12:11 10.26.156.19 UPN[5]CosTable Inbound Rate Limiter 1 was violated on ge.5.30
<166>Mar 6 16:12:11 10.26.156.19 UPN[5]ge.5.30 disabled by Inbound Rate Limiter 1 violation

A 'show port status' command will now show the port as operstatus down (and the Link LED remains on), and a 'show port operstatuscause' will show why.

Matrix N5 Platinum(su)->show port status ge.5.30

Port         Alias            Oper     Admin   Speed  Duplex  Type
             (truncated)      Status   Status  (bps)
------------ ---------------- -------- ------- ------ ------- ------------------
ge.5.30                       down     up      1.0G   full    1000-t rj45
1 of 1 ports displayed, 0 port(s) with oper status 'up' or 'dormant'.

Matrix N5 Platinum(su)->show port operstatuscause ge.5.30
          +------------------------------+
          | A  L  L                 D    |
          | D  L  F  S  I  F        O    |
          | M  O  L  E  N  L  P  C  T  L |
          | I  S  A  L  I  O  O  O  1  A |
Port      | N  S  P  F  T  W  L  S  X  G |
----------+------------------------------+
ge.5.30   | .  .  .  .  .  .  .  X  .  . |
Matrix N5 Platinum(su)->

Use 'clear port operstatuscause' to regain use of this port.

Matrix N5 Platinum(su)->clear port operstatuscause
Matrix N5 Platinum(su)->show port status ge.5.30

Port         Alias            Oper     Admin   Speed  Duplex  Type
             (truncated)      Status   Status  (bps)
------------ ---------------- -------- ------- ------ ------- ------------------
ge.5.30                       up       up      1.0G   full    1000-t rj45
1 of 1 ports displayed, 1 port(s) with oper status 'up' or 'dormant'.

Matrix N5 Platinum(su)->
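
On a syslog collector, the two UPN messages shown above can be matched to flag ports that an Inbound Rate Limiter has disabled. The following Python code is an added example, not part of the original article: the function names are hypothetical, the sample lines are constructed from the article's messages, and the PRI field is decoded per RFC 3164.

```python
import re

# Constructed sample: the article's two messages plus one unrelated line.
SAMPLE_LOG = """\
<166>Mar 6 16:12:11 10.26.156.19 UPN[5]CosTable Inbound Rate Limiter 1 was violated on ge.5.30
<166>Mar 6 16:12:11 10.26.156.19 UPN[5]ge.5.30 disabled by Inbound Rate Limiter 1 violation
<166>Mar 6 16:12:15 10.26.156.19 Other[5]unrelated message (constructed)
"""

HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) UPN\[\d+\](?P<msg>.*)$")
VIOLATED = re.compile(r"Inbound Rate Limiter (?P<irl>\d+) was violated on (?P<port>\S+)$")
DISABLED = re.compile(r"^(?P<port>\S+) disabled by Inbound Rate Limiter (?P<irl>\d+) violation$")


def parse_line(line):
    """Return an event dict for a UPN rate-limiter message, or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    msg, pri = m.group("msg").strip(), int(m.group("pri"))
    for kind, rx in (("violated", VIOLATED), ("disabled", DISABLED)):
        hit = rx.search(msg)
        if hit:
            return {"kind": kind, "host": m.group("host"), "time": m.group("ts"),
                    "port": hit.group("port"), "irl": int(hit.group("irl")),
                    # RFC 3164: PRI = facility * 8 + severity
                    "facility": pri // 8, "severity": pri % 8}
    return None


def summarize(lines):
    """Map (host, port) -> {'violations': n, 'disabled': bool, 'irl': n}."""
    ports = {}
    for ev in filter(None, map(parse_line, lines)):
        entry = ports.setdefault((ev["host"], ev["port"]),
                                 {"violations": 0, "disabled": False, "irl": ev["irl"]})
        if ev["kind"] == "violated":
            entry["violations"] += 1
        else:
            entry["disabled"] = True
    return ports


if __name__ == "__main__":
    for (host, port), info in summarize(SAMPLE_LOG.splitlines()).items():
        state = ("DISABLED, needs 'clear port operstatuscause'" if info["disabled"]
                 else "not reported disabled")
        print(f"{host} {port}: IRL {info['irl']}, {info['violations']} violation(s), {state}")
```

A port that shows violations but is not reported disabled indicates a rate limiter that only logs or drops, which is the case when 'disable-port enable' is not part of the port-resource configuration.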