Rate Limit Filter Action

This chapter provides information about Rate Limit Filter Action.

Topics in this chapter include:

Applicability

This chapter is applicable to SR OS routers and is based on SR OS Release 24.3.R1.

Overview

Filter-based rate limiting can be used by operators for security reasons to protect their network resources or mitigate DDoS attacks; see Filter Based Rate Limiting.

Figure 1. Filter Based Rate Limiting

SR OS supports filter-based rate limiting on ingress (SR OS Release 14.0.R1) and on egress (SR OS Release 14.0.R4) for IPv4, IPv6, and MAC filter policies

The rate-limit value is configurable in kilobits per second and applicable to traffic matching the filter condition. Packets matching the filter condition are dropped when the traffic rate is above the configured policer rate value and forwarded when the traffic rate is below the configured policer rate value.

QoS Interaction

On ingress, if the MAC or IPv4/IPv6 filter action indicates that traffic must be rate limited, this traffic is redirected to a rate-limiting filter policer before delivery to the switching fabric. Traffic not matching the MAC or IP filter will pass through the regular packet processing chain, and can be limited through SAP-ingress policies. Control traffic that is extracted to the CPM is not rate limited. Rate-limiting filter policies can coexist with the cflowd, log, and mirror features.

On egress, control and data traffic matching an egress rate-limiting filter policy bypasses egress QoS policing, but the usual egress QoS queueing still applies.

Rate-Limiting with Single or Multiple FlexPaths

Filter-based rate limiting can be applied to Layer 2 and Layer 3 services, and is supported on following items, including but not limited to:

  • SAPs

  • Network interface

  • Spoke-SDPs

  • group interfaces

  • ESM subscribers

Filter-based rate limiting can also be used when the underlying infrastructure uses link aggregation.

If multiple interfaces use the same rate-limiting filter policy on the same FP, the system will allocate a single rate-limiter resource to the FP; a common aggregate rate limit is applied to those interfaces.

If multiple interfaces use the same rate-limiting filter policy on different FPs, the system will allocate a rate-limiter resource for each FP; an independent rate limit applies to each FP.

The example to the left in Rate Limit Filters and FlexPaths has two interfaces with the same filter applied, and terminated on the same FP. Therefore, there is only one policer, and the aggregate traffic is topped at the rate defined in the filter. The example to the right has two interfaces with different filters, again terminated on the same FP. Because the interfaces have distinct filters, two different rate-limiting policers are created, which could (but not necessarily) define the same rate.

The actual packet length is used for the rate limit, not factoring in the encapsulation.

Figure 2. Rate Limit Filters and FlexPaths

Use caution when applying filter-based rate limiting to SAPs on group interfaces, because group interfaces can host many ESM subscribers, which could defeat per-subscriber and per-ESM host rate limiting.

Syntax

The following syntax defines an IPv4/IPv6 filter or a MAC filter with rate-limiting action:

# on PE-1:
[ex:/configure filter]
A:admin@PE-1#         info
    ip-filter | ipv6-filter | mac-filter "<filter-name>" {
        description "<filter-description>"
        default-action accept | forward | drop
        filter-id <filter-id>
        entry <entry-id> {
            match {
                ** match criteria, e.g.: IP/Port/MAC **
            }
            action {
                accept
                rate-limit {
                    pir <value-Kbps>
                }
            }
        }
    }

All regular IP and MAC match criteria are supported with the action rate-limit.

Configuration

Example Configuration shows the example configuration. Traffic is sourced on Tester T1, port //8/1, passes through VPRN 1, and is received on port //8/5 of Tester T2.

Ingress IPv4 filtering applies at the ingress SAP in VPRN 1. Ingress IPv6 filtering and ingress MAC filtering are similar to ingress IPv4 filtering and are not shown in this chapter.

Figure 3. Example Configuration

The configuration of VPRN 1 on PE-1 is as follows:

# on PE-1:
configure {
    service {
        vprn "VPRN 1" {
            admin-state enable
            description "rate limit action for ip filter"
            service-id 1
            customer "1"
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "65536:1"
                }
            }
            interface "int-TST-receiver" {
                ipv4 {
                    primary {
                        address 10.10.2.1
                        prefix-length 24
                    }
                }
                sap 1/1/c20/1 { }
            }
            interface "int-TST-source" {
                ipv4 {
                    primary {
                        address 10.10.1.1
                        prefix-length 24
                    }
                }
                sap 1/1/c18/1 {
                    ingress {
                        filter {
                            ip "ip-filter-1M"
                        }
                    }
                }
            }
        }

The filter configuration is as follows:

# on PE-1:
configure {
    filter {
        ip-filter "ip-filter-1M" {
            description "IP filter test for rate limit action"
            default-action accept
            filter-id 3
            entry 10 {
                match {
                    src-ip {
                        address 10.10.1.2/32
                    }
                    dst-ip {
                        address 10.10.2.2/32
                    }
                }
                action {
                    accept
                    rate-limit {
                        pir 1024    # in Kbps ; 1024000/8/128 = 1000 packets/s
                    }
                }
            }
        }

A stream of UDP packets with a fixed size of 128 bytes is sent out of Tester T1 at a rate of 500 packets/s, accounting for a data rate of 500 x 128 x 8 = 512Kbit/s. At this rate, all packets pass through because the actual rate is lower than the rate-limit 1024Kbit/s, as follows:

[/]
A:admin@PE-1# monitor filter ip "ip-filter-1M" entry 10 rate repeat 6 interval 11

===============================================================================
Monitor statistics for IP filter 3 entry 10
===============================================================================
-------------------------------------------------------------------------------
At time t = 0 sec (Base Statistics)
-------------------------------------------------------------------------------
Ing. Matches        : 2 pkts (256 bytes)
Egr. Matches        : 0 pkts
Ing. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts
Egr. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts

-------------------------------------------------------------------------------
At time t = 11 sec (Mode: Rate)
-------------------------------------------------------------------------------
Ing. Matches        : 500 pkts (63988 bytes)
Egr. Matches        : 0 pkts
Ing. Rate-limiter
  Offered           : 500 pkts (64012 bytes)
  Forwarded         : 500 pkts (64012 bytes)
  Dropped           : 0 pkts
Egr. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts

---snip---
Note: In mode rate, pkts means pkts/s
Increasing the actual rate to 1500 packets/s without changing the frame size corresponds to a data rate of 1500 x 128 x 8 = 1536Kbit/s, so part of the traffic is dropped as 1536Kbit/s > 1024Kbit/s, as follows:
[/]
A:admin@PE-1# monitor filter ip "ip-filter-1M" entry 10 rate repeat 6 interval 11

===============================================================================
Monitor statistics for IP filter 3 entry 10
===============================================================================
-------------------------------------------------------------------------------
At time t = 0 sec (Base Statistics)
-------------------------------------------------------------------------------
Ing. Matches        : 7 pkts (896 bytes)
Egr. Matches        : 0 pkts
Ing. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts
Egr. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts

-------------------------------------------------------------------------------
At time t = 11 sec (Mode: Rate)
-------------------------------------------------------------------------------
Ing. Matches        : 1500 pkts (191965 bytes)
Egr. Matches        : 0 pkts
Ing. Rate-limiter
  Offered           : 1500 pkts (192047 bytes)
  Forwarded         : 996 pkts (127523 bytes)
  Dropped           : 504 pkts (64524 bytes)
Egr. Rate-limiter
  Offered           : 0 pkts
  Forwarded         : 0 pkts
  Dropped           : 0 pkts

---snip---
Note: In mode rate, pkts means pkts/s
When sending traffic at a rate of 500 packets/s with a 128 bytes packet-size and monitoring at entry-point SAP 1/1/c18/1 over 11 s intervals, 500 packets/s should be received on interface int-TST-source, accounting for 500 x 128 = 64000 octets/s. The output shows:
[/]
A:admin@PE-1# monitor service id "VPRN 1" sap "1/1/c18/1" rate repeat 6 interval 11

===============================================================================
Monitor statistics for Service 1 SAP 1/1/c18/1
===============================================================================
-------------------------------------------------------------------------------
At time t = 0 sec (Base Statistics)
-------------------------------------------------------------------------------
---snip---                      
 
-------------------------------------------------------------------------------
At time t = 11 sec (Mode: Rate)
-------------------------------------------------------------------------------
---snip---
-------------------------------------------------------------------------------
At time t = 22 sec (Mode: Rate)
-------------------------------------------------------------------------------
---snip---
-------------------------------------------------------------------------------
At time t = 33 sec (Mode: Rate)
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Sap Aggregate Stats
-------------------------------------------------------------------------------
                        Packets                 Octets
Ingress
Aggregate Offered     : 0                       0                       
Aggregate Forwarded   : 0                       0                       
Aggregate Dropped     : 0                       0                       

Egress
Aggregate Forwarded   : 0                       0                       
Aggregate Dropped     : 0                       0                       
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time     : 04/12/2024 18:53:07

                        Packets                 Octets                  % Port
                                                                        Util.
CPM Ingress           : 0                       0                       0.00

Forwarding Engine Stats
Dropped               : 0                       0                       0.00
Received Valid        : 455                     58193                   ~0.00
Off. HiPrio           : 0                       0                       0.00
Off. LowPrio          : 0                       0                       0.00
Off. Uncolor          : 0                       0                       0.00
Off. Managed          : 0                       0                       0.00
 
---snip---
Note: In mode rate, Packets means Packets/s and Octets means Octets/s
Note: There may be an error in the computation: 455 = <rate> / 11 x 10, should be 500 = <rate>

When sending traffic at a rate of 1500 packets/s with a 128 bytes packet-size and monitoring at exit-point SAP 1/1/c20/1 over 11 s intervals, only 1000 packets/s are sent out of interface int-TST-receiver, accounting for 128000 octets/s. The output shows:

[/]
A:admin@PE-1# monitor service id "VPRN 1" sap "1/1/c20/1" rate repeat 6 interval 11

===============================================================================
Monitor statistics for Service 1 SAP 1/1/c20/1
===============================================================================
-------------------------------------------------------------------------------
At time t = 0 sec (Base Statistics)
-------------------------------------------------------------------------------
---snip--- 
-------------------------------------------------------------------------------
At time t = 11 sec (Mode: Rate)
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Sap Aggregate Stats
-------------------------------------------------------------------------------
                        Packets                 Octets
Ingress
Aggregate Offered     : 0                       0                       
Aggregate Forwarded   : 0                       0                       
Aggregate Dropped     : 0                       0                       

Egress
Aggregate Forwarded   : 996                     127488                  
Aggregate Dropped     : 0                       0                       
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time     : 04/12/2024 18:58:38

                        Packets                 Octets                  % Port
                                                                        Util.
CPM Ingress           : 0                       0                       0.00

Forwarding Engine Stats
Dropped               : 0                       0                       0.00
Received Valid        : 0                       0                       0.00
Off. HiPrio           : 0                       0                       0.00
Off. LowPrio          : 0                       0                       0.00
Off. Uncolor          : 0                       0                       0.00
Off. Managed          : 0                       0                       0.00

Queueing Stats(Ingress QoS Policy 1)
Dro. HiPrio           : 0                       0                       0.00
Dro. LowPrio          : 0                       0                       0.00
For. InProf           : 0                       0                       0.00
For. OutProf          : 0                       0                       0.00

Queueing Stats(Egress QoS Policy 1)
Dro. In/InplusProf    : 0                       0                       0.00
Dro. Out/ExcProf      : 0                       0                       0.00
For. In/InplusProf    : 996                     127488                  ~0.00
For. Out/ExcProf      : 0                       0                       0.00
-------------------------------------------------------------------------------
Sap per Queue Stats
-------------------------------------------------------------------------------
                        Packets                 Octets                  % Port
                                                                        Util.
 
Ingress Queue 1 (Unicast) (Priority)
Off. HiPrio           : 0                       0                       0.00
Off. LowPrio          : 0                       0                       0.00
Dro. HiPrio           : 0                       0                       0.00
Dro. LowPrio          : 0                       0                       0.00
For. InProf           : 0                       0                       0.00
For. OutProf          : 0                       0                       0.00
 
Ingress Queue 11 (Multipoint) (Priority)
Off. Combined         : 0                       0                       0.00
Off. Managed          : 0                       0                       0.00
Dro. HiPrio           : 0                       0                       0.00
Dro. LowPrio          : 0                       0                       0.00
For. InProf           : 0                       0                       0.00
For. OutProf          : 0                       0                       0.00
 
Egress Queue 1
For. In/InplusProf    : 996                     127488                  ~0.00
For. Out/ExcProf      : 0                       0                       0.00
Dro. In/InplusProf    : 0                       0                       0.00
Dro. Out/ExcProf      : 0                       0                       0.00
 
---snip---
Note: In mode rate, Packets means Packets/s and Octets means Octets/s
Other commands to verify the rate limiting operation within a counting period are:
  • clear service statistics id "<service-name>" counters, or clear service statistics sap "<sap-id>" all or clear service statistics sap "<sap-id>" counters, followed by: show service id "<service-name>" sap "<sap-id>" base, show service id "<service-name>" sap "<sap-id>" stats and show service id "<service-name>" sap "<sap-id>" sap-stats after the end of the counting period
  • clear filter ip|ipv6|mac "<filter-name>", followed by: show filter ip|ipv6|mac "<filter-name>" counters [detail] after the end of the counting period
They show absolute values, no rates.

Conclusion

Rate-limiting filter actions can be used by network operators for security purposes to protect network resources and can also be used to mitigate DDoS attacks.