Limiting Traffic on an Interface

Problem

You want to throttle traffic to make sure that the Routing Engine and protocol adjacencies won't go down because the router is being overwhelmed by other types of traffic.

Solution

Create a policer to limit the rate of traffic:

[edit firewall]
aviva@RouterF# set policer limit-icmp if-exceeding bandwidth-limit 1m
aviva@RouterF# set policer limit-icmp if-exceeding burst-size-limit 50k
aviva@RouterF# set policer limit-icmp then discard

Then apply the policer to a filter term:

[edit firewall filter incoming-to-me]
aviva@RouterF# set term icmp then policer limit-icmp


Discussion

A more secure way to protect an interface is to rate-limit the incoming traffic, especially the nonessential traffic. Rate limiting is an additional mechanism that decides which traffic is important enough to keep and which should simply be discarded once it exceeds an agreed rate, so an unexpected flood of low-value traffic cannot crowd out routing protocols and management sessions. It also provides some protection against DoS attacks aimed at the Routing Engine. You set up rate limiting by configuring policers that define the rate and burst thresholds beyond which traffic is dropped.

This recipe sets up rate limiting for ICMP traffic. A policer is a token bucket: bandwidth-limit sets the rate, in bits per second, at which the bucket refills, and burst-size-limit sets the depth of the bucket, in bytes. A packet is in specification if the bucket holds at least as many bytes as the packet is long, and out of specification otherwise. The first command allows ICMP to flow at a sustained rate of up to 1 Mbps (if-exceeding bandwidth-limit 1m).

The second command allows a burst of up to 50,000 bytes above that rate (if-exceeding burst-size-limit 50k); note that this value is in bytes, not bits per second. Packets that exceed the limits are out of specification and, because the policer's action is discard, are dropped. Only the excess is discarded: packets that still fit in the bucket continue to pass, so under a sustained overload ICMP is trimmed to roughly 1 Mbps rather than cut off entirely, and it recovers as soon as the offered load drops back below the limit. The policer acts only on packets matched by the term that references it, so the icmp term needs a from clause matching ICMP (protocol icmp); without one, the policer applies to everything that reaches that term. To verify the configuration and see if any traffic has been discarded, use the show firewall filter command:

aviva@RouterF> show firewall filter incoming-to-me
Filter: incoming-to-me
Counters:
Name                         Bytes    Packets
incoming-accepted              160          2
Policers:
Name                       Packets
limit-icmp-icmp                  0

The policer counters are shown at the end of the output. The name displayed is a concatenation of the policer name (limit-icmp) and the term in which it is used (icmp), and the Packets column counts packets the policer found out of specification, which with a discard action is the number dropped. At this point, no ICMP traffic has exceeded the configured limits, so no packets have been discarded as a result of the policer.

Before configuring a policer, you need to have some idea of what normal traffic loads are on your network and on your router. You generally do this with your network traffic management tools. You can also gather some of this data from the router itself by configuring counters for each term in the firewall filter over a representative period of time, generally several days or weeks. The following command adds a counter to the icmp term:

[edit firewall filter incoming-to-me]
aviva@RouterF# set term icmp then count icmp-counter

Then use the show firewall filter command to see the statistics:

aviva@RouterF> show firewall filter incoming-to-me
Filter: incoming-to-me
Counters:
Name                         Bytes    Packets
icmp-counter                     0          0
incoming-accepted             1680         25

A disadvantage of this method is that you have to log in to each router and no timestamp information is included, but it is a useful way to supplement your other management tools.

If you don't have tools to determine the size and duration of traffic bursts, as a first-order approximation you can select a value by multiplying the interface bandwidth by the duration of burst you are willing to absorb. Because bandwidth is expressed in bits per second and burst-size-limit in bytes, divide the product by 8 before configuring it. The maximum value for burst-size-limit is 100m, that is, 100,000,000 bytes.
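The following is an added example, not code from the JUNOS Cookbook or from Juniper, that models the policer above as the token bucket the Discussion describes and works the burst-size formula from the previous paragraph. The packet traces, the 1000-byte packet size and the 5 ms burst duration used at the end are constructed assumptions; the policer parameters are the recipe's own (bandwidth-limit 1m, burst-size-limit 50k). Running it shows that a sustained 2 Mbps flood is trimmed to about 1 Mbps rather than discarded outright, and that a burst is capped by the bucket depth in bytes.

```python
"""Token-bucket model of a Junos single-rate policer (added example).

bandwidth-limit is a rate in bits per second; burst-size-limit is a bucket
depth in bytes. A packet is in spec if the bucket holds at least its length;
the bucket refills at bandwidth-limit and never exceeds burst-size-limit.
Exact arithmetic (Fraction) keeps the refill/consume bookkeeping precise.
"""
from fractions import Fraction


class Policer:
    def __init__(self, bandwidth_limit_bps: int, burst_size_bytes: int) -> None:
        self.bps = bandwidth_limit_bps
        self.depth = burst_size_bytes
        self.tokens = Fraction(burst_size_bytes)  # bucket starts full
        self.last_us = 0                           # arrival time of last packet, microseconds

    def offer(self, t_us: int, length: int) -> bool:
        """Offer a packet of `length` bytes arriving at t_us (nondecreasing).

        Returns True if the packet is in spec, False if it is out of spec
        (what 'then discard' drops)."""
        # Bytes earned since the last packet: bits/s * seconds / 8
        refill = Fraction((t_us - self.last_us) * self.bps, 8_000_000)
        self.last_us = t_us
        self.tokens = min(Fraction(self.depth), self.tokens + refill)
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False  # only this packet is dropped; later ones pass once tokens return


def police(trace, bandwidth_limit_bps=1_000_000, burst_size_bytes=50_000):
    """Run (time_us, length_bytes) packets through a fresh policer.

    Defaults are the recipe's limit-icmp policer: 1m bps, 50k bytes.
    Returns (accepted, discarded) packet counts."""
    p = Policer(bandwidth_limit_bps, burst_size_bytes)
    accepted = sum(1 for t, n in trace if p.offer(t, n))
    return accepted, len(trace) - accepted


def steady_trace(rate_bps, length, duration_us):
    """Constructed trace: equal-size packets arriving at a constant bit rate."""
    interval = length * 8 * 1_000_000 // rate_bps  # microseconds between packets
    return [(t, length) for t in range(0, duration_us, interval)]


def burst_trace(count, length, t_us=0):
    """Constructed trace: `count` packets arriving at the same instant."""
    return [(t_us, length)] * count


def burst_size_for(interface_bps, burst_ms):
    """First-order burst-size-limit: interface bandwidth x burst duration, in bytes."""
    return interface_bps * burst_ms // 8000


if __name__ == "__main__":
    scenarios = [
        ("500 kbps sustained for 1 s", steady_trace(500_000, 1000, 1_000_000)),
        ("100-packet burst at t=0", burst_trace(100, 1000)),
        ("2 Mbps sustained for 1 s", steady_trace(2_000_000, 1000, 1_000_000)),
    ]
    for label, trace in scenarios:
        print(f"{label:30s} (accepted, discarded) = {police(trace)}")
    # 5 ms is an assumed burst duration for a 100 Mbps interface, not a value from the recipe
    print("burst-size-limit for 100 Mbps x 5 ms:", burst_size_for(100_000_000, 5), "bytes")
```

The 2 Mbps case is the instructive one: after the initial 50,000-byte bucket is exhausted, the policer settles into passing one 1000-byte packet for every 1000 bytes earned at 1 Mbps, so roughly half of the offered packets survive and the rest are counted against limit-icmp-icmp in show firewall filter. A burst that arrives faster than the bucket refills is capped by the byte depth alone, which is why the burst-size-limit value must be thought of in bytes rather than as a rate.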

How you select the thresholds at which to start dropping traffic is a function of your business and network design models. Some factors might include how variable the traffic flow is, how critical the traffic is or how damaging an excess of it could be, and how conservative or liberal you want to be about controlling the flow.

You need to define a policer for each type of traffic you want to rate-limit and then reference the policer in the proper term.
