Icmp Rate-Limiting - HP Aruba JL253A Management And Configuration Manual

NOTE: Rate-limiting is applied to the available bandwidth on a port and not to any specific
applications running through the port. If the total bandwidth requested by all applications is less than
the configured maximum rate, then no rate-limit can be applied. This situation occurs with a number
of popular throughput-testing applications, as well as most regular network applications. Consider the
following Example: that uses the minimum packet size:
The total available bandwidth on a 100 Mbps port "X" (allowing for Inter-packet Gap—IPG), with no
rate-limiting restrictions, is:
(((100,000,000 bits) / 8 ) / 84) × 64 = 9,523,809 bytes per second
where:
•
•
Suppose port "X" is configured with a rate limit of 50% (4,761,904 bytes). If a throughput-testing
application is the only application using the port and transmits 1 Mbyte of data through the port, it
uses only 10.5% of the port's available bandwidth, and the rate-limit of 50% has no effect. This is
because the maximum rate permitted (50%) exceeds the test application's bandwidth usage
(126,642-164,062 bytes, depending upon packet size, which is only 1.3% to 1.7% of the available
total). Before rate-limiting can occur, the test application's bandwidth usage must exceed 50% of the
port's total available bandwidth. That is, to test the rate-limit setting, the following must be true:
bandwidth usage (0.50 × 9,523,809)

ICMP rate-limiting

In IP networks, ICMP messages are generated in response to either inquiries or requests from routing and
diagnostic functions. These messages are directed to the applications originating the inquiries. In unusual
situations, if the messages are generated rapidly with the intent of overloading network circuits, they can threaten
network availability. This problem is visible in denial-of-service (DoS) attacks or other malicious behaviors where a
worm or virus overloads the network with ICMP messages to an extent where no other traffic can get through.
(ICMP messages themselves can also be misused as virus carriers). Such malicious misuses of ICMP can
include a high number of ping packets that mimic a valid source IP address and an invalid destination IP address
(spoofed pings), and a high number of response messages (such as Destination Unreachable error messages)
generated by the network.
ICMP rate-limiting provides a method for limiting the amount of bandwidth that may be used for inbound ICMP
traffic on a switch port. This feature allows users to restrict ICMP traffic to percentage levels that permit necessary
ICMP functions, but throttle additional traffic that may be caused by worms or viruses (reducing their spread and
effect). In addition, ICMP rate-limiting preserves inbound port bandwidth for non-ICMP traffic.
CAUTION:
ICMP is necessary for routing, diagnostic, and error responses in an IP network. ICMP rate-limiting is
primarily used for throttling worm or virus-like behavior and should normally be configured to allow
one to five percent of available inbound bandwidth (at 10 Mbps or 100 Mbps speeds) or 100 to
10,000 kbps (1Gbps or 10 Gbps speeds) to be used for ICMP traffic. This feature should not be
used to remove all ICMP traffic from a network.
Chapter 6 Port Traffic Controls
The divisor (84) includes the 12-byte IPG, 8-byte preamble, and 64-bytes of data required to
transfer a 64-byte packet on a 100 Mbps link.
Calculated "bytes-per-second" includes packet headers and data. This value is the maximum
"bytes-per-second" that 100 Mbps can support for minimum-sized packets.
157