Rate Limit Filter Action

This chapter provides information about Rate Limit Filter Action.

Applicability

This chapter is applicable to SR OS routers and is based on SR OS Release 14.0.R7.

Overview

Filter-based rate limiting can be used by operators for security reasons to protect their network resources or mitigate DDoS attacks; see Filter Based Rate Limiting.

Figure 1. Filter Based Rate Limiting

SR OS supports filter-based rate limiting on ingress (Release 14.0.R1) and on egress (Release 14.0.R4) for IPv4, IPv6, and MAC filter policies.

The rate-limit value is configurable in kilobits per second and applicable to traffic matching the filter condition. Packets matching the filter condition are dropped when the traffic rate is above the configured policer rate value and forwarded when the traffic rate is below the configured policer rate value.

QoS Interaction

On ingress, if the MAC or IPv4/IPv6 filter action indicates that traffic must be rate limited, this traffic is redirected to a rate-limiting filter policer before delivery to the switching fabric. Traffic not matching the MAC or IP filter will pass through the regular packet processing chain, and can be limited through SAP-ingress policies. Control traffic that is extracted to the CPM is not rate limited. Rate-limiting filter policies can coexist with the cflowd, log, and mirror features.

On egress, control and data traffic matching an egress rate-limiting filter policy bypasses egress QoS policing, but the usual egress QoS queueing still applies.

Rate-Limiting with Single or Multiple FlexPaths

Filter-based rate limiting can be applied to Layer 2 and Layer 3 services, and is supported on the following items, among others:

  • SAPs

  • Network interfaces

  • Spoke-SDPs

  • Group interfaces

  • ESM subscribers

Filter-based rate limiting can also be used when the underlying infrastructure uses link aggregation.

If multiple interfaces use the same rate-limiting filter policy on the same FP, the system will allocate a single rate-limiter resource to the FP; a common aggregate rate limit is applied to those interfaces.

If multiple interfaces use the same rate-limiting filter policy on different FPs, the system will allocate a rate-limiter resource for each FP; an independent rate limit applies to each FP.

The example to the left in Rate Limit Filters and FlexPaths has two interfaces with the same filter applied, both terminated on the same FP. Therefore, there is only one policer, and the aggregate traffic of both interfaces is capped at the rate defined in the filter. The example to the right has two interfaces with different filters, again terminated on the same FP. Because the interfaces have distinct filters, two different rate-limiting policers are created, which may (but need not) be configured with the same rate.

The rate limit is applied to the actual packet length; encapsulation overhead is not taken into account.

Figure 2. Rate Limit Filters and FlexPaths

Use caution when applying filter-based rate limiting to SAPs on group interfaces, because group interfaces can host many ESM subscribers, which could defeat per-subscriber and per-ESM host rate limiting.
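The allocation rule in this section (one policer per filter policy per FP, shared by every interface on that FP that uses the policy) is easy to model. The following is an added example, not code from the SR OS documentation or product: it takes a constructed list of interface-to-filter bindings with an assumed FP number per interface, reports which interfaces end up sharing a policer, and shows why the group-interface caution above matters: many subscriber SAPs on one FP with the same filter all compete for a single aggregate rate.

```python
from collections import defaultdict

# Constructed bindings: (interface name, filter id, FP id). FP numbers are assumed
# for illustration; on a real router they follow from the port/MDA layout.
FIGURE2_LEFT = [("int-A", 1, 1), ("int-B", 1, 1)]        # same filter, same FP
FIGURE2_RIGHT = [("int-A", 1, 1), ("int-B", 2, 1)]       # different filters, same FP
TWO_FPS = [("int-A", 1, 1), ("int-B", 1, 2)]             # same filter, different FPs

# Constructed filter rates in kbit/s, keyed by filter id (as in the chapter: filter 1 = 2048).
FILTER_RATES_KBPS = {1: 2048, 2: 2048}


def allocate_rate_limiters(bindings):
    """Group interfaces by (filter id, FP): each distinct pair consumes one policer.

    Returns a dict {(filter_id, fp_id): [interface names sharing that policer]}.
    """
    policers = defaultdict(list)
    for iface, filter_id, fp in bindings:
        policers[(filter_id, fp)].append(iface)
    return dict(policers)


def policer_count(bindings):
    """Number of rate-limiter resources the system allocates for these bindings."""
    return len(allocate_rate_limiters(bindings))


def interface_share(bindings, rates_kbps):
    """For every interface: the aggregate limit it is subject to and how many
    interfaces share that same limit (1 means the limit is effectively its own)."""
    policers = allocate_rate_limiters(bindings)
    share = {}
    for (filter_id, fp), members in policers.items():
        for iface in members:
            share[iface] = {"aggregate_kbps": rates_kbps[filter_id],
                            "shared_with": len(members)}
    return share


def subscriber_saps_on_one_fp(n_subscribers, filter_id=1, fp=1):
    """Constructed group-interface scenario: n subscriber SAPs, one FP, one filter."""
    return [(f"sub-{i}", filter_id, fp) for i in range(n_subscribers)]


if __name__ == "__main__":
    for name, b in (("left", FIGURE2_LEFT), ("right", FIGURE2_RIGHT), ("two FPs", TWO_FPS)):
        print(name, policer_count(b), allocate_rate_limiters(b))
    # 500 subscriber hosts on one FP with filter 1 all share a single 2048 kbit/s policer.
    print(interface_share(subscriber_saps_on_one_fp(500), FILTER_RATES_KBPS)["sub-0"])
```

The `shared_with` value is the number to watch on group interfaces: when it grows with the subscriber count, the filter is no longer limiting any single subscriber, only the sum of all of them.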

Syntax

The following syntax defines an IPv4/IPv6 filter or a MAC filter with rate-limiting action:

A:7750-A>config>filter# info
    ip-filter | ipv6-filter | mac-filter <filter-id> create
        entry <entry-id> create
            match
                ** match criteria, e.g.: IP/Port **
            action
                rate-limit {<value-Kps> | max}
        exit

All regular IP and MAC match criteria are supported with the action rate-limit.

Configuration

Example Configuration shows the example configuration. Traffic is sourced on Tester T1, port 8/2, passes through VPRN-1, and is received on port 8/3 of Tester T2.

Ingress IPv4 filtering applies at the ingress SAP in VPRN-1. Ingress IPv6 filtering and ingress MAC filtering are similar to ingress IPv4 filtering and are not shown in this chapter.

Figure 3. Example Configuration

The configuration of VPRN-1 on PE-1 is as follows:

# R1
configure
    service
        vprn 1 customer 1 create
            description "rate limit action for ip filter"
            route-distinguisher 65536:1
            interface "int-TST-1" create
                address 10.10.1.1/24
                sap 3/2/13 create
                    ingress
                        filter ip 1
                    exit
                    no shutdown
                exit
            exit
            interface "int-TST-2" create
                address 10.10.2.1/24
                sap 3/2/14 create
                exit
            exit
            no shutdown
        exit
    exit
exit

The filter configuration is as follows:

configure
    filter
        ip-filter 1 create
            filter-name "ip-filter-2M"
            default-action forward
            description "IP filter test for rate limit action"
            entry 10 create
                match
                    dst-ip 10.10.2.2/32
                    src-ip 10.10.1.2/32
                exit
                action
                    rate-limit 2048
                exit
            exit
        exit
    exit
exit

A stream of UDP packets with a fixed size of 128 bytes is sent out of Tester T1 at a rate of 1000 packets/sec, accounting for a data rate of 128 x 8 x 1000 = 1.024 Mbit/s. At this rate, all packets pass through because the actual rate is lower than the rate-limit, as follows:

*A:PE1# monitor filter ip 1 entry 10 rate repeat 1
===============================================================================
Monitor statistics for IP filter 1 entry 10
===============================================================================
-------------------------------------------------------------------------------
At time t = 0 sec (Base Statistics)
-------------------------------------------------------------------------------
Ing. Matches        : 14170 pkts (1813760 bytes)
Egr. Matches        : 0 pkts
Ing. Rate-limiter
  Offered           : 14160 pkts (1812480 bytes)
  Forwarded         : 14160 pkts (1812480 bytes)
  Dropped           : 0 pkts
Egr. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts
-------------------------------------------------------------------------------
At time t = 10 sec (Mode: Rate)
-------------------------------------------------------------------------------
Ing. Matches        : 1001 pkts (128090 bytes)
Egr. Matches        : 0 pkts
Ing. Rate-limiter
  Offered           : 1002 pkts (128218 bytes)
  Forwarded         : 1002 pkts (128218 bytes)
  Dropped           : 0 pkts
Egr. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts
===============================================================================

Increasing the actual rate to 3000 packets/s without changing the frame size corresponds to a data rate of 128 x 8 x 3000 = 3.072 Mbit/s, so part of the traffic is dropped as 3.072 Mbit/s > 2.048 Mbit/s, as follows:

*A:PE1# monitor filter ip 1 entry 10 rate repeat 1
===============================================================================
Monitor statistics for IP filter 1 entry 10
===============================================================================
-------------------------------------------------------------------------------
At time t = 0 sec (Base Statistics)
-------------------------------------------------------------------------------
Ing. Matches        : 3222085 pkts (412426880 bytes)
Egr. Matches        : 0 pkts
Ing. Rate-limiter
  Offered           : 3222046 pkts (412421888 bytes)
  Forwarded         : 2147991 pkts (274942848 bytes)
  Dropped           : 1074055 pkts (137479040 bytes)
Egr. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts

-------------------------------------------------------------------------------
At time t = 10 sec (Mode: Rate)
-------------------------------------------------------------------------------
Ing. Matches        : 3000 pkts (383974 bytes)
Egr. Matches        : 0 pkts
Ing. Rate-limiter
  Offered           : 3004 pkts (384473 bytes)
  Forwarded         : 2002 pkts (256307 bytes)
  Dropped           : 1001 pkts (128166 bytes)
Egr. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts
===============================================================================
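The two runs above (1000 packets/s with no drops, 3000 packets/s with roughly one third dropped) can be checked mechanically. The following added example, which is not part of the SR OS documentation or product, computes the offered rate and the expected forwarded fraction from packet size, packet rate and the configured `rate-limit` value, and parses the `Ing. Rate-limiter` counters of a `Mode: Rate` section of `monitor filter ... rate` output (the sample below is copied from the 3000 packets/s run) so the observed drop ratio can be compared with the expectation. Any non-zero `Dropped` counter at the rate-limiter means traffic matching the filter exceeded the configured rate, which is the condition an operator protecting a resource would want to alert on.

```python
import re
from dataclasses import dataclass

# Sample taken from the chapter's 3000 packets/s run of
# `monitor filter ip 1 entry 10 rate repeat 1` (the "Mode: Rate" section).
SAMPLE_RATE_SECTION = """\
-------------------------------------------------------------------------------
At time t = 10 sec (Mode: Rate)
-------------------------------------------------------------------------------
Ing. Matches        : 3000 pkts (383974 bytes)
Egr. Matches        : 0 pkts
Ing. Rate-limiter
  Offered           : 3004 pkts (384473 bytes)
  Forwarded         : 2002 pkts (256307 bytes)
  Dropped           : 1001 pkts (128166 bytes)
Egr. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts
===============================================================================
"""

# "  Offered           : 3004 pkts (384473 bytes)" or "  Dropped           : 0 pkts"
COUNTER_RE = re.compile(r"^\s+(Offered|Forwarded|Dropped)\s*:\s*(\d+) pkts(?: \((\d+) bytes\))?")


@dataclass
class LimiterCounters:
    offered_pkts: int
    offered_bytes: int
    forwarded_pkts: int
    forwarded_bytes: int
    dropped_pkts: int
    dropped_bytes: int

    @property
    def drop_ratio(self) -> float:
        return self.dropped_pkts / self.offered_pkts if self.offered_pkts else 0.0

    @property
    def exceeded_limit(self) -> bool:
        """True when the policer dropped anything in this interval."""
        return self.dropped_pkts > 0


def parse_rate_limiter(text: str, direction: str = "Ing.") -> LimiterCounters:
    """Extract the Ing. (or Egr.) Rate-limiter block from a monitor section."""
    values = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith(f"{direction} Rate-limiter"):
            in_block = True
            continue
        if in_block:
            m = COUNTER_RE.match(line)
            if not m:          # first non-counter line ends the block
                break
            name, pkts, byts = m.groups()
            values[name] = (int(pkts), int(byts) if byts else 0)
    if set(values) != {"Offered", "Forwarded", "Dropped"}:
        raise ValueError(f"{direction} Rate-limiter block not found or incomplete")
    return LimiterCounters(*values["Offered"], *values["Forwarded"], *values["Dropped"])


def offered_mbps(pkt_bytes: int, pps: int) -> float:
    """Data rate of a stream of fixed-size packets (same arithmetic as the chapter)."""
    return pkt_bytes * 8 * pps / 1_000_000


def expected_forward_fraction(pkt_bytes: int, pps: int, limit_kbps: int) -> float:
    """Share of packets a policer at limit_kbps is expected to forward."""
    offered_bps = pkt_bytes * 8 * pps
    return min(1.0, limit_kbps * 1000 / offered_bps)


def observed_matches_expected(counters: LimiterCounters, pkt_bytes: int, pps: int,
                              limit_kbps: int, tolerance: float = 0.02) -> bool:
    """Compare the forwarded fraction seen on the router with the computed one."""
    observed = counters.forwarded_pkts / counters.offered_pkts
    return abs(observed - expected_forward_fraction(pkt_bytes, pps, limit_kbps)) <= tolerance


if __name__ == "__main__":
    c = parse_rate_limiter(SAMPLE_RATE_SECTION)
    print(f"offered {offered_mbps(128, 3000):.3f} Mbit/s, limit 2.048 Mbit/s")
    print(f"observed drop ratio {c.drop_ratio:.3f}, exceeded limit: {c.exceeded_limit}")
    print("matches expectation:", observed_matches_expected(c, 128, 3000, 2048))
```

The same parser applies to the 1000 packets/s output: there `expected_forward_fraction(128, 1000, 2048)` is 1.0 and the parsed `Dropped` counter is zero, so `exceeded_limit` stays false.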

When sending traffic at a rate of 1000 packets/s with a 256-byte packet size and monitoring at the entry-point SAP 3/2/13 over 20 s intervals, 20,000 packets are received on interface int-TST-1 per interval, accounting for 5,120,000 bytes, as follows:

*A:PE1# monitor service id 1 sap 3/2/13 interval 20
===============================================================================
Monitor statistics for Service 1 SAP 3/2/13
===============================================================================
-------------------------------------------------------------------------------
At time t = 0 sec (Base Statistics)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time     : N/A
                        Packets                 Octets
CPM Ingress           : 25                      1614
Forwarding Engine Stats
Dropped               : 128590687               8338701952
Received Valid        : 331812178               23060748680
Off. HiPrio           : 0                       0
Off. LowPrio          : 311643389               20030922920
Off. Uncolor          : 0                       0
Off. Managed          : 0                       0
Queueing Stats(Ingress QoS Policy 1)
Dro. HiPrio           : 0                       0
Dro. LowPrio          : 0                       0
For. InProf           : 0                       0
For. OutProf          : 311643389               20030922920

---snip---

-------------------------------------------------------------------------------
At time t = 20 sec (Mode: Delta)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time     : N/A
                        Packets                 Octets
CPM Ingress           : 0                       0
Forwarding Engine Stats
Dropped               : 0                       0
Received Valid        : 19901                   5094656
Off. HiPrio           : 0                       0
Off. LowPrio          : 0                       0
Off. Uncolor          : 0                       0
Off. Managed          : 0                       0

---snip---

-------------------------------------------------------------------------------
At time t = 40 sec (Mode: Delta)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time     : N/A
                        Packets                 Octets
CPM Ingress           : 0                       0
Forwarding Engine Stats
Dropped               : 0                       0
Received Valid        : 20000                   5120000
Off. HiPrio           : 0                       0
Off. LowPrio          : 0                       0
Off. Uncolor          : 0                       0
Off. Managed          : 0                       0

---snip---

When sending at a rate of 3000 packets/s with a 256-byte packet size and monitoring at the exit-point SAP 3/2/14 over 20 s intervals, 10,000 packets are sent out of interface int-TST-2 per interval, accounting for 2,560,000 bytes, as follows:

*A:PE1# monitor service id 1 sap 3/2/14 interval 20
===============================================================================
Monitor statistics for Service 1 SAP 3/2/14
===============================================================================
-------------------------------------------------------------------------------
At time t = 0 sec (Base Statistics)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time     : N/A
                        Packets                 Octets
CPM Ingress           : 3544                    212716
Forwarding Engine Stats
Dropped               : 0                       0
Received Valid        : 312516277               20001041728
Off. HiPrio           : 0                       0
Off. LowPrio          : 312516277               20001041728
Off. Uncolor          : 0                       0
Off. Managed          : 0                       0
Queueing Stats(Ingress QoS Policy 1)
Dro. HiPrio           : 0                       0
Dro. LowPrio          : 0                       0
For. InProf           : 0                       0
For. OutProf          : 312516277               20001041728
Queueing Stats(Egress QoS Policy 1)
Dro. In/InplusProf    : 0                       0
Dro. Out/ExcProf      : 0                       0
For. In/InplusProf    : 10360173                1590874396
For. Out/ExcProf      : 311585647               20027227432
-------------------------------------------------------------------------------
Sap per Queue Stats
-------------------------------------------------------------------------------
                        Packets                 Octets
Ingress Queue 1 (Unicast) (Priority)
Off. HiPrio           : 0                       0
Off. LowPrio          : 312516277               20001041728
Dro. HiPrio           : 0                       0
Dro. LowPrio          : 0                       0
For. InProf           : 0                       0
For. OutProf          : 312516277               20001041728
Egress Queue 1
For. In/InplusProf    : 10360173                1590874396
For. Out/ExcProf      : 311585647               20027227432
Dro. In/InplusProf    : 0                       0
Dro. Out/ExcProf      : 0                       0
-------------------------------------------------------------------------------
At time t = 20 sec (Mode: Delta)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time     : N/A
                        Packets                 Octets
CPM Ingress           : 0                       0

---snip---

Queueing Stats(Egress QoS Policy 1)
Dro. In/InplusProf    : 0                       0
Dro. Out/ExcProf      : 0                       0
For. In/InplusProf    : 10016                   2564096
For. Out/ExcProf      : 0                       0

---snip---

-------------------------------------------------------------------------------
At time t = 40 sec (Mode: Delta)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time     : N/A
                        Packets                 Octets
CPM Ingress           : 0                       0

---snip---

Queueing Stats(Egress QoS Policy 1)
Dro. In/InplusProf    : 0                       0
Dro. Out/ExcProf      : 0                       0
For. In/InplusProf    : 10005                   2561280
For. Out/ExcProf      : 0                       0

---snip---

Conclusion

Rate-limiting filter actions can be used by network operators for security purposes to protect network resources and can also be used to mitigate DDoS attacks.