Tuesday, December 23, 2008

Policing: MQC vs Rate Limiting

Suppose the lab requirement is to restrict traffic with IP precedence 3,4 and 5 to a max throughput of 500,000 mps. As ever with the CCIE there is more than one method to crack this nut. I guess it depends on your preferred method versus what the actual requirements and restrictions of the task are.

My personal preference would be to use MQC. The above requirement could be achieved as follows.....

ip access-list extended 101
permit ip any any prec 3
permit ip any any prec 4
permit ip any any prec 5

class-map PREC345
match access-group 101

policy-map POLICE
class PREC345
police 500000 93750 187500 conform-action transmit exceed-action drop

int fa0/0
service-policy output POLICE

For verification use the 'show policy-map int fa0/0' command.

Another method of achieving the same result is to use the older rate-limit command.....

rate-limit output access-group 101 496000 93750 187500 conform-action transmit exceed- action drop

There is a 3rd method of achieving the above. This is another variation on the rate-limit command. If the lab requirement specified the solution must be achieved using an ACL with only 1 line this may be one scenario where such a solution would come to the rescue.

There is a special access-list type named 'rate-limit'. This allows traffic to be selected based on MAC address, precedence or MPLS markings.

Router_2(config)#access-list rate-limit ?
<0-99> Precedence ACL index
<100-199> MAC address ACL index
<200-299> mpls exp ACL index

The requirement here is to use IP precedence 3,4 and 5.

access-list rate-limit 0 ?
Router_2(config)#access-list rate-limit 0 ?
<0-7> Precedence
mask Use precedence bitmask

As with an ACL only 1 precedence value can be configured per line. To allow multiple precedence values to be configured with one 'hit' requires the use of the mask option.

To make use of this the coding of the precedence values needs to first be recalled...

IP Precedence 0 = 00000001
IP Precedence 1 = 00000010
IP Precedence 2 = 00000100
IP Precedence 3 = 00001000
IP Precedence 4 = 00010000
IP Precedence 5 = 00100000
IP Precedence 6 = 01000000
IP Precedence 7 = 10000000

A packet with ip precedence of either 3,4 or 5 can be matched with bit pattern 00111000. The mask parameter expects this bit pattern in 2 HEX digits, so this has the equivalent value 38. (Note.. this is the 2 byte HEX equivalent and not the HEX value of the full byte which would be 56!!).

So bringing this all together the 1 line solution to the question would be

rate-limit output access-group rate-limit 0 1000000 93750 187500 conform-action
transmit exceed-action drop

Verification with rate-limiting can be done with 'show int fa0/0 rate-limit'

No comments: