Rate Limits - Extreme Networks ExtremeWare 7.2e Installation And User Manual

Software version 7.2e

to compare with the incoming packets, and an action to take for packets that match. When you create
an access list, you must specify a value for each of the fields that make up the access mask used by the
list.
To create an access list, use the following command:
create access-list <name> access-mask <access-mask name> {dest-mac <dest_mac>}
{source-mac <src_mac>} {vlan <name>} {ethertype [IP | ARP | <hex_value>]} {tos
<ip_precedence> | code-point <code_point>} {ipprotocol [tcp | udp | icmp | igmp |
<protocol_num>]} {dest-ip <dest_IP>/<mask length>} {dest-L4port <dest_port>}
{source-ip <src_IP>/<mask length>} {source-L4port <src_port>} [permit {qosprofile
<qosprofile>} {set code-point <code_point>} {set dot1p <dot1p_value>} |
permit-established | deny]
NOTE
The parameters of the create access-list command must exactly match the parameters of the
create access-mask command. The order of the parameters is also important. If the parameters are
out of order, many of the options become unavailable to the user.
For packets that match a particular access list, you can specify the following actions:
• Deny—Matching packets are not forwarded.
• Permit-established—Drop the packet if it would initiate a new TCP session (see "The
permit-established Keyword" on page 145).
• Permit—Forward the packet. You can send the packet to a particular QoS profile, and modify the
packet's 802.1p value and/or DiffServ code point.
If a packet matches more than one access list, the switch applies the following rules to determine
which actions are taken on the packet:
• If the actions specified by the matching ACLs do not conflict, all of the actions are carried out.
• If the actions conflict, the associated access mask precedence determines the course of action. The
access list with the highest precedence access-mask prevails.
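The overlap rules above can be checked offline before a rule set is committed to a switch. The following Python model is an added example, not part of the Extreme Networks manual and not ExtremeWare code. Its assumptions: rank 0 stands for the highest-precedence access mask (the model's own numbering, not the switch's), conflicts are resolved per action attribute, a prevailing deny discards all other actions, and the rule names and addresses are constructed.

```python
# Added illustration: a model of the overlap rules above, not ExtremeWare code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Acl:
    name: str
    rank: int      # model assumption: 0 = access mask with the highest precedence
    match: dict    # field -> required value; source-ip/dest-ip are CIDR strings
    action: dict   # e.g. {"forward": True, "qosprofile": "qp3"}

def matches(acl, pkt):
    """True when every field the ACL specifies agrees with the packet."""
    for key, want in acl.match.items():
        have = pkt.get(key)
        if have is None:
            return False
        if key in ("source-ip", "dest-ip"):
            if ip_address(have) not in ip_network(want):
                return False
        elif have != want:
            return False
    return True

def resolve(acls, pkt):
    """Return (effective action, conflict notes) for one packet."""
    hits = sorted((a for a in acls if matches(a, pkt)), key=lambda a: a.rank)
    effective, owner, conflicts = {}, {}, []
    for acl in hits:                        # highest precedence first
        for attr, value in acl.action.items():
            if attr not in effective:       # no conflict: the action is carried out
                effective[attr], owner[attr] = value, acl.name
            elif effective[attr] != value:  # conflict: higher precedence prevails
                conflicts.append(f"{attr}: {owner[attr]} overrides {acl.name}")
    if effective.get("forward") is False:   # assumption: a winning deny drops the packet
        effective = {"forward": False}
    return effective, conflicts

# Constructed sample rules (names, addresses and ports are made up).
ACLS = [
    Acl("deny_mgmt", 0, {"dest-ip": "10.0.0.0/24", "ipprotocol": "tcp",
                         "dest-L4port": 23}, {"forward": False}),
    Acl("permit_lan", 1, {"source-ip": "192.168.1.0/24"},
        {"forward": True, "qosprofile": "qp3"}),
    Acl("mark_tcp", 2, {"ipprotocol": "tcp"}, {"forward": True, "code_point": 8}),
]
```

The conflict notes list every lower-precedence entry that was overridden, which is the part worth reviewing when a permit is unexpectedly shadowed by a deny or the reverse.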
To display information about one or more access lists, use the following command:
show access-list {<name> | port <portlist>}
To delete an access list, use the following command:
delete access-list <name>

Rate Limits

Rate limits are almost identical to access control lists. Incoming packets that match a rate limit access
control list are allowed as long as they do not exceed a pre-defined rate. Excess packets are either
dropped, or modified by resetting their DiffServ code point.
Each entry that makes up a rate limit contains a unique name and specifies a previously created access
mask. Like an access list, a rate limit includes a list of values to compare with the incoming packets and
an action to take for packets that match. Additionally, a rate limit specifies an action to take when
ExtremeWare 7.2e Installation and User Guide
IP Access Lists (ACLs)