Configuring ACL-Based Fixed Rate Limiting Using Traffic Policies

Use the procedure in this section to configure ACL-based fixed rate limiting.

Note: Before configuring this feature, review the considerations in “Configuration notes and feature limitations for traffic policies.”

These commands:
  • Set the maximum number of traffic policies.
  • Create a fixed traffic policy that enables ACL statistics (counting).
  • Create a new extended ACL entry and bind the ACL to an interface.
  • Verify the configuration.
  1. Enter global configuration mode.
    
    device# configure terminal
    
  2. Create a traffic policy and set parameters.
    • Create a policy that drops packets or bytes that exceed the CIR (committed information rate) limit. The following examples use a packet-based fixed CIR.

      
      device(config)# traffic-policy TPDF1 rate-limit packet-based fixed cir 10000 exceed-action drop count
      
    • Create a policy that permits packets or bytes that exceed the CIR limit.

      
      device(config)# traffic-policy TPDF1 rate-limit packet-based fixed cir 10000 exceed-action permit-at-low-pri count
      
    The command sets the fragment threshold at 10,000 packets per second. If the port receives more than 10,000 packets in a one-second interval, the device takes the specified action. If the port receives additional bits during a given one-second interval, the port either drops all packets on the port until the next one-second interval starts or permits packets that exceed the limit.
    Use the keyword byte-based if you want to specify a CIR based on byte count rather than a packet count.
  3. Create an extended ACL entry or modify an existing extended ACL entry that references the traffic policy.
    
    device(config)# ip access-list extended 101 
    device(config-ext-ipacl-101)# permit ip host 10.10.12.2 any traffic-policy TPDF1
    
  4. Bind the ACL to an interface.
    1. Enter interface configuration mode.
      
      device(config-ext-ipacl-101)# interface ethernet 1/1/5
      
    2. Bind the ACL to the interface.
      
      device(config-if-e1000-1/1/5)# ip access-group 101 in
      
    3. Exit interface configuration mode.
      
      device(config-if-e1000-1/1/5)# exit
      
    These commands allow port 1/1/5 to receive a maximum traffic rate of 100 kbps. If the port receives additional bits during a given one-second interval, the port drops the additional inbound packets that are received within that one-second interval.

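    The software allows you to add a reference to a non-existent TPD (traffic policy definition) in an ACL statement and to bind that ACL to an interface. The software does not issue a warning or error message for non-existent TPDs, so confirm that every traffic policy named in an ACL statement has actually been defined, for example with the show traffic-policy command in the next step.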

  5. Verify the configuration.
    
    device(config)# show traffic-policy TPDF1
    Traffic Policy - TPDF1:
    Metering Enabled, Parameters:
         Mode: Fixed Rate-Limiting
          cir: 100 kbps, cbs: 2000 bytes, pir: 200 kbps, pbs: 4000 bytes
    Counting Not Enabled
    Number of References/Bindings:1
    
  6. View the ACL and rate limit counters.
    
    device(config)# show access-list accounting ethernet 1/1/5 in
    MAC Filters Accounting Information
        0: DA ANY SA 0000.0000.0001 - MASK FFFF.FFFF.FFFF
           action to take : DENY
         Hit Count:   (1Min)            0   (5Sec)                  0
                      (PktCnt)          0 (ByteCnt)                 0
        --------------------------------------------------------------
    65535: Implicit Rule deny any any
         Hit Count:   (1Min)         5028   (5Sec)               2129
                      (PktCnt)       5028 (ByteCnt)             643584
        --------------------------------------------------------------
    
  7. Clear the ACL and rate limit counters.
    1. Clear the ACL counters.
      
      device(config)# clear access-list accounting all
      
    2. Clear the rate limit counters.
      
      device(config)# clear statistics traffic-policy TPDF1 
      

ACL-Based Fixed Rate Limiting Using Traffic Policies Configuration Example


device# configure terminal
device(config)# traffic-policy TPDF1 rate-limit fixed packet-based cir 10000 exceed-action drop
device(config)# ip access-list extended 101 
device(config-ext-ipacl-101)# permit ip host 10.10.12.2 any traffic-policy TPDF1
device(config-ext-ipacl-101)# interface ethernet 1/1/5
device(config-if-e1000-1/1/5)# ip access-group 101 in
device(config-if-e1000-1/1/5)# exit
device(config)# show traffic-policy TPDF1
device(config)# clear access-list accounting all
device(config)# clear statistics traffic-policy TPDF1
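
The procedure notes that the software accepts an ACL statement that references a non-existent traffic policy without any warning. The following Python script is an added example, not part of the vendor documentation: it audits saved configuration text for such dangling references, assuming the command syntax shown on this page. The function name, the sample configuration, ACL 102 and the policy name TPDF2 are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\S+#\s*")  # strips a leading "device(config)# " prompt

def audit_traffic_policies(config_text):
    """Return ACL entries that reference a traffic policy with no definition."""
    defined, refs, bindings = set(), [], {}
    acl = iface = None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "traffic-policy" and len(tok) > 1:
            defined.add(tok[1])                      # global policy definition
        elif tok[:3] == ["ip", "access-list", "extended"] and len(tok) > 3:
            acl, iface = tok[3], None                # entering ACL context
        elif tok[0] == "interface":
            iface, acl = " ".join(tok[1:]), None     # entering interface context
        elif tok[:2] == ["ip", "access-group"] and iface and len(tok) > 2:
            bindings.setdefault(tok[2], []).append(iface)
        elif acl and "traffic-policy" in tok[:-1]:
            policy = tok[tok.index("traffic-policy") + 1]
            refs.append((acl, policy, line))
    # Compare after the whole file is read, so definition order does not matter.
    return [{"acl": a, "policy": p, "entry": e, "bound_to": bindings.get(a, [])}
            for a, p, e in refs if p not in defined]

# Constructed sample: ACL 102 names TPDF2, which is never defined (a typo).
SAMPLE = """
device(config)# traffic-policy TPDF1 rate-limit packet-based fixed cir 10000 exceed-action drop count
device(config)# ip access-list extended 101
device(config-ext-ipacl-101)# permit ip host 10.10.12.2 any traffic-policy TPDF1
device(config-ext-ipacl-101)# ip access-list extended 102
device(config-ext-ipacl-102)# permit ip host 10.10.12.3 any traffic-policy TPDF2
device(config-ext-ipacl-102)# interface ethernet 1/1/5
device(config-if-e1000-1/1/5)# ip access-group 101 in
device(config-if-e1000-1/1/5)# interface ethernet 1/1/6
device(config-if-e1000-1/1/6)# ip access-group 102 in
"""

if __name__ == "__main__":
    for f in audit_traffic_policies(SAMPLE):
        print(f"ACL {f['acl']} references undefined traffic policy "
              f"{f['policy']!r}; bound to: {', '.join(f['bound_to']) or 'none'}")
```

A finding with a non-empty bound_to list marks an interface whose ACL names a rate limit that was never defined.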