How Access Control Lists Work - Extreme Networks ExtremeWare 7.2e Installation And User Manual

Software version 7.2e
Security
matching packets arrive at a rate above the limit you set. When you create a rate limit, you must specify
a value for each of the fields that make up the access mask used by the list.
To create a rate limit rule, use the following command:
create rate-limit <rule_name> access-mask <access-mask name> {dest-mac <dest_mac>}
{source-mac <src_mac>} {vlan <name>} {ethertype [IP | ARP | <hex_value>]} {tos
<ip_precedence> | code-point <code_point>} {ipprotocol [tcp | udp | icmp | igmp |
<protocol_num>]} {dest-ip <dest_IP>/<mask length>} {dest-L4port <dest_port>}
{source-ip <src_IP>/<mask length>} {source-L4port <src_port>} [permit {qosprofile
<qosprofile>} {set code-point <code_point>} {set dot1p <dot1p_value>} limit
<rate_in_Mbps> {exceed-action [drop | set code-point <code_point>]}
NOTE
Unlike an access list, a rate limit can only be applied to a single port. Each port will have its own rate
limit defined separately.
On a 100 Mbps port (100BASE-TX), you can configure the rate limit value in the range from 1 Mbps to
100 Mbps in 1 Mbps increments, which is to say, the rate limit value can be set at 1, 2, 3, 4 ... 100 Mbps.
On a 1000 Mbps port (Gigabit Ethernet uplink port), you can configure the rate limit value in the range
from 8 Mbps to 1000 Mbps in increments of 8 Mbps, which is to say the rate limit value can be set at 8,
16, 24, 32 ... 1000 Mbps.
NOTE
The rate limit specified in the command line does not precisely match the actual rate limit imposed by
the hardware, due to hardware constraints. See the release notes for the exact values of the actual rate
limits, if required for your implementation.
For packets that match a particular list, and arrive at a rate below the limit, you can specify the
following action:
• Permit—Forward the packet. You can send the packet to a particular QoS profile, and modify the
packet's 802.1p value and/or DiffServ code point.
For packets that match a particular list and arrive at a rate that exceeds the limit, you can specify the
following actions:
• Drop—Drop the packets. Excess packets are not forwarded.
• Permit with rewrite—Forward the packet, but modify the packet's DiffServ code point.
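The following Python model is an added example and is not ExtremeWare code. It checks a requested rate-limit value against the per-port-speed granularity the manual states (1 to 100 Mbps in steps of 1 on a 100 Mbps port, 8 to 1000 Mbps in steps of 8 on a Gigabit port), rounds an arbitrary target down to the nearest configurable value so the effective cap is never looser than intended, and works out which of the actions above applies to matching traffic. The function and rule-dictionary names, the sample rules, and the choice to apply only the exceed-action code point (not the permit-side QoS profile or 802.1p value) to over-limit traffic are assumptions made for the example; the manual does not state the hardware-imposed values that the note says may differ from the configured ones, so they are not modelled.

```python
# Added example: model of ExtremeWare 7.2e rate-limit value ranges and actions.
# Not ExtremeWare code; names and sample rules are constructed for illustration.

# (min, max, step) in Mbps, keyed by port speed, as stated in the manual.
RATE_LIMIT_STEPS = {100: (1, 100, 1), 1000: (8, 1000, 8)}


def valid_rate_limit(port_speed_mbps, limit_mbps):
    """True if limit_mbps is a configurable value for a port of that speed."""
    lo, hi, step = RATE_LIMIT_STEPS[port_speed_mbps]
    return lo <= limit_mbps <= hi and (limit_mbps - lo) % step == 0


def nearest_rate_limit(port_speed_mbps, wanted_mbps):
    """Round a desired cap DOWN to the nearest configurable value.

    Rounding down keeps the enforced cap at or below the intended one; rounding
    up would quietly allow more traffic than the policy asked for.
    """
    lo, hi, step = RATE_LIMIT_STEPS[port_speed_mbps]
    if wanted_mbps <= lo:
        return lo
    if wanted_mbps >= hi:
        return hi
    return lo + int((wanted_mbps - lo) // step) * step


def rate_limit_outcome(rule, observed_mbps):
    """Decide what happens to a packet that matches `rule`.

    rule is a constructed dict with keys:
      limit          - rate in Mbps
      permit         - rewrites for in-profile traffic (qosprofile, code-point, dot1p)
      exceed_action  - "drop" or {"set code-point": <dscp>}
    Below or at the limit the packet is forwarded with the permit rewrites.
    Above the limit it is either dropped or forwarded with only its DiffServ
    code point rewritten (assumption: other permit rewrites do not apply).
    """
    if observed_mbps <= rule["limit"]:
        return {"forward": True, **rule.get("permit", {})}
    exceed = rule["exceed_action"]
    if exceed == "drop":
        return {"forward": False}
    return {"forward": True, "code-point": exceed["set code-point"]}


# Constructed sample rules for a Gigabit uplink port.
EXAMPLE_RULE_DROP = {
    "limit": 24,                      # a valid 8 Mbps multiple
    "permit": {"qosprofile": "QP3", "dot1p": 3},
    "exceed_action": "drop",
}
EXAMPLE_RULE_REMARK = {
    "limit": 24,
    "permit": {"code-point": 26},
    "exceed_action": {"set code-point": 8},   # demote excess to a low-priority DSCP
}


if __name__ == "__main__":
    for rule in (EXAMPLE_RULE_DROP, EXAMPLE_RULE_REMARK):
        print(valid_rate_limit(1000, rule["limit"]), rate_limit_outcome(rule, 30))
    print(nearest_rate_limit(1000, 20))   # 20 is not a multiple of 8; becomes 16
```

Use `valid_rate_limit` before pushing a configuration so that an out-of-step value (for example 20 Mbps on a Gigabit port) is caught at review time rather than rejected or silently adjusted by the switch.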

How Access Control Lists Work

When a packet arrives on an ingress port, the fields of the packet corresponding to an access mask are
compared with the values specified by the associated access lists to determine a match.
It is possible that a packet will match more than one access control list. If the resulting actions of all the
matches do not conflict, they will all be carried out. If there is a conflict, the actions of the access list
using the higher precedence access mask are applied. When a match is found, the packet is processed. If
the access list is of type deny, the packet is dropped. If the list is of type permit, the packet is
144
ExtremeWare 7.2e Installation and User Guide
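To make the matching and conflict rules in the paragraph above concrete, here is an added Python model of the behaviour; it is example code, not ExtremeWare's implementation. Each access list is tied to an access mask whose fields are compared against the packet; every matching list contributes its action, non-conflicting actions are combined, and when two matches conflict (permit versus deny, or different rewrite values for the same field) only the list whose mask has the higher precedence is applied. The class and function names, the sample masks and lists, the rule that a packet matching no list is permitted unchanged, and the convention that a larger precedence number means higher precedence are all assumptions for this example.

```python
# Added example: simulation of ExtremeWare-style ACL matching with access-mask
# precedence. Not ExtremeWare code; all names and sample policies are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessMask:
    name: str
    fields: tuple      # packet fields the mask selects, e.g. ("source-ip", "dest-L4port")
    precedence: int    # assumption: larger number = higher precedence


@dataclass(frozen=True)
class AccessList:
    name: str
    mask: AccessMask
    match: dict        # one required value for every field of the mask
    action: str        # "permit" or "deny"
    rewrites: dict = field(default_factory=dict)   # e.g. {"code-point": 46}


def field_matches(name, wanted, actual):
    """IP fields match by prefix; every other field matches on equality."""
    if name in ("source-ip", "dest-ip"):
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    return wanted == actual


def list_matches(acl, packet):
    """A list matches only if every field of its access mask matches the packet."""
    return all(f in packet and field_matches(f, acl.match[f], packet[f])
               for f in acl.mask.fields)


def evaluate(acls, packet):
    """Return the action and rewrites applied to `packet`, plus the lists used."""
    hits = [a for a in acls if list_matches(a, packet)]
    if not hits:   # assumption: no match means forward unchanged
        return {"action": "permit", "rewrites": {}, "matched": []}
    conflict = len({a.action for a in hits}) > 1
    merged = {}
    for a in hits:
        for key, value in a.rewrites.items():
            if key in merged and merged[key] != value:
                conflict = True
            merged.setdefault(key, value)
    if conflict:
        winner = max(hits, key=lambda a: a.mask.precedence)
        return {"action": winner.action, "rewrites": dict(winner.rewrites),
                "matched": [winner.name]}
    return {"action": hits[0].action, "rewrites": merged,
            "matched": [a.name for a in hits]}


# Constructed sample policy: a guest subnet is denied except for web traffic,
# a trusted subnet and SIP/web ports get QoS marking.
MASK_SRC = AccessMask("m-src", ("source-ip",), precedence=10)
MASK_SRC_PORT = AccessMask("m-src-port", ("source-ip", "dest-L4port"), precedence=20)
MASK_PORT = AccessMask("m-port", ("dest-L4port",), precedence=5)

EXAMPLE_ACLS = [
    AccessList("block-guest", MASK_SRC, {"source-ip": "10.1.0.0/16"}, "deny"),
    AccessList("allow-guest-web", MASK_SRC_PORT,
               {"source-ip": "10.1.0.0/16", "dest-L4port": 80}, "permit", {"code-point": 0}),
    AccessList("trusted", MASK_SRC, {"source-ip": "192.168.0.0/16"}, "permit", {"code-point": 24}),
    AccessList("mark-web", MASK_PORT, {"dest-L4port": 80}, "permit", {"dot1p": 3}),
    AccessList("mark-voice", MASK_PORT, {"dest-L4port": 5060}, "permit", {"dot1p": 5}),
]


if __name__ == "__main__":
    for pkt in ({"source-ip": "10.1.2.3", "dest-L4port": 80},
                {"source-ip": "10.1.2.3", "dest-L4port": 22},
                {"source-ip": "192.168.1.1", "dest-L4port": 80}):
        print(pkt, "->", evaluate(EXAMPLE_ACLS, pkt))
```

The guest web packet matches both a deny (via the source-only mask) and a permit (via the higher-precedence source-plus-port mask); the conflict is resolved in favour of the permit. The trusted web packet matches two permits with different rewrite keys, so both the code point and the 802.1p value are applied. Running a candidate policy through a model like this is a cheap way to spot a deny that is silently overridden by a more specific, higher-precedence mask.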
