Monday, September 23, 2013

Policing a host using the flow mask concepts ( CAT6.5K )

In a service-provider realm, we typically have a shared medium. It could be a virtual-host web server, a private VLAN, or a host with numerous IP aliases.

In this blog post we will look at the flow-mask concept and rate limiting on a full mask, a source-only mask or a destination-only mask.

1st, craft an ACL matching the specific host. Let's say you have a common shared LAN but need to rate limit one host:



access-list 123 permit ip host 192.0.2.1 any

2nd, we craft a class-map using the ACL that we are going to police:


class-map badhost
 description "this cheap bastard is eating up my shared env bandwidth"
 match access-group 123

And finally we reference the class-map in a policy-map with our policer and apply it to the interface inbound (you could also police outbound, or at the ingress from the Internet). After applying it, confirm the policy is attached with show policy-map interface gi 8/12.


policy-map myonebadhost
 class badhost
  police flow mask src-only 128000 8000 conform-action transmit exceed-action drop

int gi 8/12
 service-policy input myonebadhost


This is just one way of doing it, matching on the source-only mask. Maybe you want to police each flow on source and destination (aka full mask). So we will now rate limit on src+dst, and each flow is seen as unique.

The config would now look like the following:


policy-map myonebadhost
 class badhost
  police flow mask full-flow 128000 8000 conform-action transmit exceed-action drop


And if you wanted to use the destination mask, the config would now look like the following:

policy-map myonebadhost
 class badhost
  police flow mask dest-only 128000 8000 conform-action transmit exceed-action drop

So keep in mind the flow masks and what they mean:

  • full-flow =  L3 source + destination (on the PFC3 the full-flow mask also includes the IP protocol and L4 ports, so every TCP/UDP connection is its own flow)
  • src-only   =  L3 source only
  • dest-only =  L3 destination only




So using my 192.0.2.1 host, a full-flow mask rate limits each flow separately, while a source-only or destination-only mask rate limits on one or the other. Note the practical difference: under full-flow, a host that opens more connections gets 128 kbps for each one, so its aggregate throughput grows with its connection count, and under dest-only it grows with the number of distinct destinations. Only src-only holds the host as a whole to 128 kbps.


e.g. ( full-flow will rate limit each one of these as a unique flow to the policed value )

TCP 192.0.2.1:45551 -----> 10.10.1.1:80  ( 128 kbps )
TCP 192.0.2.1:45553 -----> 10.10.1.3:80  ( 128 kbps )
TCP 192.0.2.1:45584 -----> 10.10.1.4:80  ( 128 kbps )
TCP 192.0.2.1:45598 -----> 10.10.1.6:80  ( 128 kbps )
TCP 192.0.2.1:45609 -----> 10.10.1.8:80  ( 128 kbps )



e.g. ( src-only will rate limit the host 192.0.2.1 as a whole to the contracted value of 128 kbps )

TCP 192.0.2.1:45551 -----> 10.10.1.1:80  ----
TCP 192.0.2.1:45553 -----> 10.10.1.3:80      |
TCP 192.0.2.1:45584 -----> 10.10.1.4:80      | -----> 128 kbps total
TCP 192.0.2.1:45598 -----> 10.10.1.6:80      |
TCP 192.0.2.1:45609 -----> 10.10.1.8:80  ----


e.g. ( dest-only will rate limit the host 192.0.2.1 to the contracted value of 128 kbps per destination, with all flows to the same destination aggregated )

TCP 192.0.2.1:45551 -----> 10.10.1.1:80  \
                                           ----> 128 kbps
TCP 192.0.2.1:45553 -----> 10.10.1.1:80  /

TCP 192.0.2.1:45584 -----> 10.10.1.2:80  ----> 128 kbps

TCP 192.0.2.1:45598 -----> 10.10.1.3:80  ----> 128 kbps

TCP 192.0.2.1:45609 -----> 10.10.1.4:80  ----> 128 kbps
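To make the three mask behaviours above concrete, here is an added example (my own code, not part of the original post and not Cisco code): a single-rate token-bucket policer, keyed the way the PFC keys flows under src-only, dest-only and full-flow, run over constructed traffic from the 192.0.2.1 host. The traffic is five TCP connections pushing 1500-byte segments every 10 ms for one second, two of them to the same web server; the 128000 bps rate and 8000-byte burst are the values from the police statements. Timestamps are integer milliseconds so the arithmetic is exact. The per-flow refill and the assumption that each new flow starts with a full burst are simplifications of the hardware, not a claim about PFC internals.

```python
"""Simulate Catalyst 6500 microflow policing under the three flow masks.

Added example: a token-bucket policer keyed per src-only / dest-only /
full-flow mask, run over constructed traffic. Not the blog's or Cisco's code.
"""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts_ms proto src sport dst dport size")

RATE_BPS = 128000      # bits per second, as in the blog's police statements
BURST_BYTES = 8000     # normal burst in bytes, as in the blog's police statements


def flow_key(pkt, mask):
    """Policer lookup key for a packet under a given flow mask."""
    if mask == "src-only":
        return (pkt.src,)
    if mask == "dest-only":
        return (pkt.dst,)
    if mask == "full-flow":
        # PFC3 full-flow mask: src/dst IP plus IP protocol and L4 ports,
        # so every TCP connection is policed as its own flow
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    raise ValueError("unknown flow mask: %r" % mask)


class TokenBucket:
    """Single-rate policer: conform-action transmit, exceed-action drop."""

    def __init__(self, rate_bps, burst_bytes, now_ms):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = burst_bytes     # assumption: a new flow starts with a full burst
        self.last_ms = now_ms

    def conforms(self, pkt):
        # refill in bytes for the elapsed milliseconds (integer, rounded down)
        refill = (pkt.ts_ms - self.last_ms) * self.rate_bps // 8000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = pkt.ts_ms
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False


def police(packets, mask, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Return {flow_key: transmitted_bytes} for the traffic under one mask."""
    buckets = {}
    transmitted = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p.ts_ms):
        key = flow_key(pkt, mask)
        bucket = buckets.get(key)
        if bucket is None:
            bucket = buckets[key] = TokenBucket(rate_bps, burst_bytes, pkt.ts_ms)
        if bucket.conforms(pkt):
            transmitted[key] += pkt.size
    return dict(transmitted)


def host_kbps(packets, mask, window_s=1.0):
    """Aggregate rate the policed host achieves across all its flows."""
    return sum(police(packets, mask).values()) * 8 / window_s / 1000


def build_traffic():
    """Constructed sample: five TCP connections from 192.0.2.1, two of them to
    the same web server, each pushing 1500-byte segments every 10 ms for 1 s."""
    conns = [
        (45551, "10.10.1.1"),
        (45553, "10.10.1.1"),   # second connection to the same destination
        (45584, "10.10.1.4"),
        (45598, "10.10.1.6"),
        (45609, "10.10.1.8"),
    ]
    return [
        Packet(ts, "tcp", "192.0.2.1", sport, dst, 80, 1500)
        for ts in range(0, 1000, 10)
        for sport, dst in conns
    ]


if __name__ == "__main__":
    traffic = build_traffic()
    for mask in ("src-only", "dest-only", "full-flow"):
        per_flow = police(traffic, mask)
        print("%-9s %d policer bucket(s), host total %.0f kbps"
              % (mask, len(per_flow), host_kbps(traffic, mask)))
```

Running it shows the point of the masks: src-only gives one bucket and the host gets roughly its 128 kbps contract (the one-second figure is slightly higher because each bucket starts full), dest-only gives four buckets because the two connections to 10.10.1.1 share one, and full-flow gives five, so the host's aggregate rises with every connection it opens. Lower the burst or lengthen the window and the per-bucket figure converges on 128 kbps; the multiplier across buckets is what the mask choice controls.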




Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \
