Using Committed Access Rate

Problem

You want to use Committed Access Rate to control the flow of traffic through an interface.

Solution

Committed Access Rate (CAR) provides a useful method for policing the traffic rate through an interface. The main features of CAR are functionally similar to traffic shaping, but it also allows several extremely useful extensions. This first example shows the simplest application. We have configured CAR here to do basic rate limiting. The interface will transmit packets at an average rate of 500,000 bps, allowing bursts of 4500 bytes. If there is a burst of longer than 9000 bytes, the router will drop the excess packets:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface HSSI0/0 Router(config-if)#rate-limit output 500000 4500 9000 conform-action transmit exceed-action drop Router(config-if)#exit Router(config)#end Router#

This next example defines three different traffic classifications using access-lists, and separately limits the rates of these applications:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list 101 permit tcp any eq www any Router(config)#access-list 101 permit tcp any any eq www Router(config)#access-list 102 permit tcp any eq ftp any Router(config)#access-list 102 permit tcp any any eq ftp Router(config)#access-list 102 permit tcp any eq ftp-data any Router(config)#access-list 102 permit tcp any any eq ftp-data Router(config)#access-list 103 permit ip any any Router(config)#interface HSSI0/0 Router(config-if)#rate-limit output access-group 101 50000 4500 9000 conform-action transmit exceed-action drop Router(config-if)#rate-limit output access-group 102 50000 4500 9000 conform-action transmit exceed-action drop Router(config-if)#rate-limit output access-group 103 400000 4500 9000 conform-action transmit exceed-action drop Router(config-if)#exit Router(config)#end Router#

CAR also includes a useful option to match DSCP in the rate-limit command without needing to resort to an access-group. In the following example, the DSCP values with the highest drop precedence values are rate limited. Note that unlike several other Cisco commands, here you must specify the decimal value of the DSCP field. Please refer to Table B-3 in Appendix B for a list of these values:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface HSSI0/0 Router(config-if)#rate-limit output dscp 14 50000 4500 9000 conform-action transmit exceed-action drop Router(config-if)#rate-limit output dscp 22 50000 4500 9000 conform-action transmit exceed-action drop Router(config-if)#rate-limit output dscp 30 50000 4500 9000 conform-action transmit exceed-action drop Router(config-if)#exit Router(config)#end Router#

And, finally, CAR also allows you to define a new kind of access-list called a rate-limiting access-list:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list rate-limit 55 5 Router(config)#interface HSSI0/0 Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop Router(config-if)#exit Router(config)#end Router#

 

Discussion

People are often confused about the difference between CAR and traffic shaping because they appear to perform extremely similar functions. However, there is one very important difference. When a traffic shaping interface experiences a burst of data, it attempts to buffer the excess. But CAR just does whatever exceed-action you have specified:

Router(config-if)#rate-limit output 500000 4500 9000 conform-action transmit exceed-action drop

In this example, the exceed-action is to simply drop the packet. Meanwhile, the conform-action in each example is to simply transmit the packet. Any traffic that falls below the configured rate is said to conform. CAR includes several other possibilities besides simply transmitting or dropping the packet:

 

drop

CAR drops the packet.

 

transmit

CAR transmits the packet unchanged.

 

set-prec-transmit

CAR changes the IP Precedence of the packet and then transmits it.

 

continue

CAR moves on to evaluate the next rate-limit command on this interface

 

set-prec-continue

CAR changes the IP Precedence and then evaluates the next rate-limit command.

Cisco has added several additional options to IOS Versions 12.0(14)ST and higher:

 

set-dscp-continue

CAR changes the DSCP field and then evaluates the next rate-limit command.

 

set-dscp-transmit

CAR changes DSCP field and then transmits the packet.

 

set-qos-continue

CAR sets the qos-group and then evaluates next command.

 

set-qos-transmit

CAR sets the qos-group and then transmits the packet.

And two additional commands that you can use with MPLS to alter the MPLS Experimental field:

 

set-mpls-exp-continue

This sets the experimental field and then continues.

 

set-mpls-exp-transmit

This option sets the experimental field and transmits the packet.

The various continue options allow you to string together a series of CAR commands on an interface to do more sophisticated things:

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list 101 permit tcp any eq www any Router(config)#access-list 101 permit tcp any any eq www Router(config)#access-list 103 permit ip any any Router(config)#interface HSSI0/0 Router(config-if)#rate-limit output 50000 4500 4500 conform-action transmit exceed-action continue Router(config-if)#rate-limit output access-group 101 100000 4500 9000 conform-action set-prec-transmit 3 exceed-action continue Router(config-if)#rate-limit output access-group 103 100000 4500 9000 conform-action set-prec-transmit 0 exceed-action drop Router(config-if)#exit Router(config)#end Router#

In this example, the interface will transmit all packets when the rate is 50,000 bps or less. As soon as the traffic exceeds rate, however, the router starts to bump up the IP Precedence of all HTTP traffic to a value of 3, and all other traffic goes down to a precedence of 0. It will continue to transmit all of these packets until the average rate exceeds 100,000 bps. You can use this sort of technique to carefully tune how your network behaves in congestion situations.

You can also use CAR and the exceed-action set-prec-transmit command to lower the Precedence of high-priority IP traffic when it exceeds its allocated portion of the bandwidth. Simply transmitting it with a lower Precedence represents a nice and useful intermediate step to dropping high priority packets outright. However, with real-time packets, it is better to drop than buffer or remark, because those options would introduce unwanted latency and jitter:

The other useful thing you can do with CAR is to rate-limit inbound traffic:

Router(config-if)#rate-limit input 50000 4500 4500 conform-action transmit exceed-action drop

Of course, it's never completely ideal to allow a remote device to send too many packets across the network, only to drop them as they are received. But it is sometimes useful when your network acts as a service provider to other networks. For example, you might have downstream customers who have subscribed to a sub-rate service. This would include things like selling access through an Ethernet port, but restricting the customer to some lower rate such as 100 Kbps.

Alternatively, you could use inbound rate-limit commands to ensure that your downstream customers are allowed to use your network for surfing the Web, but only if the rate is kept below some threshold:

Router(config)#access-list 101 permit tcp any eq www any Router(config)#access-list 101 permit tcp any any eq www Router(config)#access-list 103 permit ip any any Router(config)#interface HSSI0/0 Router(config-if)#rate-limit input 50000 4500 4500 conform-action transmit exceed-action continue Router(config-if)#rate-limit input access-group 101 100000 4500 9000 conform-action drop exceed-action continue Router(config-if)#rate-limit input access-group 103 100000 4500 9000 conform-action transmit exceed-action drop Router(config-if)#exit Router(config)#end Router#

Or you could even use CAR to simply rewrite the IP Precedence values of all packets received from a customer:

Router(config)#interface HSSI0/0 Router(config-if)#rate-limit input 100000 4500 9000 conform-action set-prec-transmit 0 exceed-action set-prec-transmit 0 Router(config-if)#exit Router(config)#end Router#

This same technique is also helpful in combating Internet-based Denial of Service attacks. For example, if your network is being inundated with PING flood or SYN ACK attacks, you might want to look specifically for these types of packets, and make sure that they are restricted to a low but reasonable rate. This way, the legitimate uses of these packets will not suffer, but you will reduce the service denial problem.

The last example in the Solution section of this recipe needs a little bit of explanation because some of the properties can be confusing:

Router(config)#access-list rate-limit 55 5 Router(config)#interface HSSI0/0 Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop

The access-list rate-limit command allows you to create a new and special variety of access-lists, especially for use with CAR. There are three ranges of rate-limiting access-list index numbers. You use access-lists with values between 0 and 99 to match IP Precedence values. If the index number is between 100 and 199, it will match MAC addresses, and if it is between 200 and 299, it matches MPLS experimental field values. Please refer to Chapter 26 for more information on MPLS.

In the example above, access-list number 55 simply matches all packets with IP Precedence values of 5. You can also use a precedence bit mask to match several values in an 8-bit Precedence field that Cisco invented especially for this task. In this field, Precedence value 0 is represented by the binary number 00000001, 1 is represented as 00000010, and so forth up to IP Precedence value 7, which is 10000000. The mask is found by adding these binary values for each of the Precedence values you wish to include. For example, to match Precedence values 0, 1, and 2, you could use a mask of 00000111, which is 0x07 in hex:

Router(config)#access-list rate-limit 56 mask 07

The MPLS access-lists work in a similar way, matching the value in the MPLS experimental field:

Router(config)#access-list rate-limit 255 6 Router(config)#access-list rate-limit 256 mask 42

And the MAC address access-lists work on standard Ethernet or Token Ring 48-bit MAC addresses:

Router(config)#access-list rate-limit 155 0000.0c07.ac01

You have to be careful about how you use these rate-limiting access-lists, because it's easy to get them confused with regular access-lists. You can have a regular access-list with the same number as a rate-limiting access-list. The only difference is that you apply rate-limiting access-lists with the rate-limit keyword on the rate-limit command as follows:

Router(config)#interface HSSI0/0 Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop

 

See Also

Chapter 26

Категории