In this post we look at flow-mask concepts and per-flow rate limiting (microflow policing) keyed on the full flow, on the source only, or on the destination only.
First, craft an ACL that matches the specific host. Say you have a shared LAN segment but need to rate limit a single host on it:
access-list 123 permit ip host 192.0.2.1 any
Second, craft a class-map that references that ACL; this is the traffic we are going to police:
class-map badhost
description "this cheap bastard is eating up my shared env bandwidth"
match access-group 123
Finally, reference the class in a policy-map that carries the policer and apply it inbound on the interface the host sits behind. The same policy could be applied at another ingress point, for example the interface facing the internet, to police the return traffic. Note that on the PFC-based Catalyst platforms that use this flow-mask syntax, microflow policers act on ingress traffic only and mls qos must be enabled globally, so check the QoS guide for your hardware before planning an output policy. The policer below is 128000 bit/s with a normal burst of 8000 bytes:
policy-map myonebadhost
class badhost
police flow mask src-only 128000 8000 conform-action transmit exceed-action drop
int gi 8/12
service-policy input myonebadhost
Once applied, show policy-map interface gi 8/12 reports the conform and exceed counters for the class, which is the quickest way to confirm the policer is actually matching the host.
That is just one way of keying the policer, on the source only. Maybe you want to police each flow on source and destination together (the full mask), so that every flow is tracked as its own unique entry and each one gets its own 128 kbps. The config would then look like the following:
policy-map myonebadhost
class badhost
police flow mask full-flow 128000 8000 conform-action transmit exceed-action drop
And if you wanted to key on the destination only, the config would look like the following:
policy-map myonebadhost
class badhost
police flow mask dest-only 128000 8000 conform-action transmit exceed-action drop
So keep in mind what each flow mask keys the policer on:
- full-flow = L3 source + destination address, plus protocol and L4 ports, so each TCP/UDP conversation is its own flow
- src-only = L3 source address
- dest-only = L3 destination address
So for my 192.0.2.1 host, the full-flow mask rate limits every flow it opens separately, while the source or destination mask rate limits on one address or the other: all of the host's traffic in one bucket, or one bucket per destination.
e.g. full-flow rate limits each of these as a unique flow, each one to the policed value:
TCP 192.0.2.1:45551 -----> 10.10.1.1:80 ( 128 kbps )
TCP 192.0.2.1:45553 -----> 10.10.1.3:80 ( 128 kbps )
TCP 192.0.2.1:45584 -----> 10.10.1.4:80 ( 128 kbps )
TCP 192.0.2.1:45598 -----> 10.10.1.6:80 ( 128 kbps )
TCP 192.0.2.1:45609 -----> 10.10.1.8:80 ( 128 kbps )
e.g. src-only rate limits the host 192.0.2.1 as a whole to the contracted value, 128 kbps shared across all of its flows:
TCP 192.0.2.1:45551 -----> 10.10.1.1:80 ---+
TCP 192.0.2.1:45553 -----> 10.10.1.3:80    |
TCP 192.0.2.1:45584 -----> 10.10.1.4:80    +-----> 128 kbps
TCP 192.0.2.1:45598 -----> 10.10.1.6:80    |
TCP 192.0.2.1:45609 -----> 10.10.1.8:80 ---+
e.g. dest-only rate limits the host 192.0.2.1 to the contracted value per destination: every flow to the same destination address shares one 128 kbps bucket, and each new destination gets its own:
TCP 192.0.2.1:45551 -----> 10.10.1.1:80 ---+
                                           +-----> 128 kbps
TCP 192.0.2.1:45553 -----> 10.10.1.1:80 ---+
TCP 192.0.2.1:45584 -----> 10.10.1.2:80 ---------> 128 kbps
TCP 192.0.2.1:45598 -----> 10.10.1.3:80 ---------> 128 kbps
TCP 192.0.2.1:45609 -----> 10.10.1.4:80 ---------> 128 kbps
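To make the three masks concrete, here is a small model of the policer, added as an example and not part of the original post (the post's own config is IOS; this is Python and is not Cisco code). It assumes a single-rate token bucket refilled at the configured bit rate and capped at the normal burst in bytes, which is the behaviour the conform/exceed actions above describe; the ACL is modelled by the hypothetical matches_acl() helper, and the packet trace is constructed for illustration, with two flows to the same server so that dest-only and full-flow give different answers:

```python
"""Model of microflow policing under the src-only, dest-only and full-flow masks.

Added example, not from the original post and not Cisco code. It mirrors
  police flow mask <mask> 128000 8000 conform-action transmit exceed-action drop
with one token bucket per flow key. The trace below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    size: int     # bytes on the wire


POLICED_HOST = "192.0.2.1"   # access-list 123 permit ip host 192.0.2.1 any


def matches_acl(pkt: Packet) -> bool:
    """Hypothetical stand-in for class 'badhost' (match access-group 123)."""
    return pkt.src == POLICED_HOST


def flow_key(pkt: Packet, mask: str) -> tuple:
    """The fields a flow mask keys the policer on."""
    if mask == "src-only":
        return (pkt.src,)
    if mask == "dest-only":
        return (pkt.dst,)
    if mask == "full-flow":   # L3 pair plus protocol and L4 ports
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    raise ValueError(f"unknown flow mask: {mask}")


class TokenBucket:
    """Single-rate policer: refills at rate_bps, never holds more than burst bytes."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8          # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def conform(self, t: float, size: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True                   # conform-action transmit
        return False                      # exceed-action drop


def police(packets, mask: str, rate_bps: int = 128000, burst_bytes: int = 8000):
    """Return {flow_key: {'conform': n, 'exceed': n}}; traffic that does not
    match the class is counted under 'unpoliced' (class-default: transmit)."""
    buckets = {}
    stats = defaultdict(lambda: {"conform": 0, "exceed": 0})
    for pkt in sorted(packets, key=lambda p: p.t):   # stable: keeps trace order
        if not matches_acl(pkt):
            stats["unpoliced"]["conform"] += 1
            continue
        key = flow_key(pkt, mask)
        if key not in buckets:
            buckets[key] = TokenBucket(rate_bps, burst_bytes)
        verdict = "conform" if buckets[key].conform(pkt.t, pkt.size) else "exceed"
        stats[key][verdict] += 1
    return dict(stats)


def burst(t, src, dst, sport, n=6, size=1500):
    """n full-size TCP packets to port 80 arriving together at time t."""
    return [Packet(t, src, dst, "tcp", sport, 80, size) for _ in range(n)]


# Constructed trace: three flows from the policed host (two to the same server),
# one flow from an unrelated host, then a second burst from the first flow one
# second later, after the bucket has had time to refill.
TRACE = (
    burst(0.0, "192.0.2.1", "10.10.1.1", 45551)
    + burst(0.0, "192.0.2.1", "10.10.1.1", 45553)
    + burst(0.0, "192.0.2.1", "10.10.1.2", 45584)
    + burst(0.0, "192.0.2.9", "10.10.1.1", 51000)
    + burst(1.0, "192.0.2.1", "10.10.1.1", 45551)
)


def totals(stats):
    """(conform, exceed) summed over the policed keys only."""
    policed = [v for k, v in stats.items() if k != "unpoliced"]
    return sum(v["conform"] for v in policed), sum(v["exceed"] for v in policed)


if __name__ == "__main__":
    for mask in ("full-flow", "src-only", "dest-only"):
        stats = police(TRACE, mask)
        print(f"{mask}: conform/exceed = {totals(stats)}")
        for key, v in stats.items():
            print("   ", key, v)
```

With an 8000-byte burst, each bucket passes five 1500-byte packets before the sixth exceeds. Under full-flow the three conversations each get their own bucket; under src-only all eighteen packets in the first burst compete for one bucket and thirteen are dropped; under dest-only the two flows to 10.10.1.1 share a bucket while 10.10.1.2 gets its own. The unrelated host 192.0.2.9 never matches the class and is never policed.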
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com