
Sunday, July 31, 2011

Traffic Control Using ACL- Maipu Switches

We have already used the rate-limit feature to restrict bandwidth on a switch. Today we will see how to control bandwidth with an ACL.

For this, we need to understand a few more concepts related to ACLs.

Action Group –
  • To support packet classification and traffic control, the switch extends the traditional ACL, so that the ACL and each permit rule in the ACL can be bound to one action group.
  • The switch takes the corresponding action for each matching packet. The action group is the set of actions.
  • One action group can contain packet mirroring, packet redirection, packet modification, packet traffic control, and packet counting.
  • Each entry of the ACL can be bound to one action group, and the corresponding action is executed for the matching packet.
  • The action group can only be bound to an IP ACL, and only to a permit rule.

Hopefully you now have enough information about the action group used with an ACL. Let's see how to use it for our requirement. For that, we need to understand the traffic meter.

Traffic Meter

The traffic meter is defined separately in global configuration on the Maipu switch for bandwidth control. You bind it to an action group, and the action group is then configured on a permit ACL rule, so that when the ACL matches, the action group is applied to the matched packets.

Let's start with some well-known terms used with the traffic meter.

Related Terms:

CIR: Committed Information Rate
CBS: Committed Burst Size
EBS: Excess Burst Size
PIR: Peak Information Rate
PBS: Peak Burst Size

SRTCM (Single Rate Three Color Marker): It is defined in RFC 2697. It uses three parameters (CIR, CBS, and EBS) to realize single rate control and the packet coloring function. It includes a color-blind mode and a color-sensing mode.

Details - The Single Rate Three Color Marker (srTCM) meters an IP packet stream and marks its packets either green, yellow, or red. Marking is based on a Committed Information Rate (CIR) and two associated burst sizes, a Committed Burst Size (CBS) and an Excess Burst Size (EBS). A packet is marked green if it doesn't exceed the CBS, yellow if it does exceed the CBS, but not the EBS, and red otherwise. The srTCM is useful, for example, for ingress policing of a service, where only the length, not the peak rate, of the burst determines service eligibility.

TRTCM (Two Rate Three Color Marker): It is defined in RFC 2698. It uses CIR, CBS, PIR, and PBS to realize two rate control and the coloring of packets. It includes a color-blind mode and a color-sensing mode.

Details - The Two Rate Three Color Marker (trTCM) meters an IP packet stream and marks its packets either green, yellow, or red. A packet is marked red if it exceeds the Peak Information Rate (PIR). Otherwise it is marked either yellow or green depending on whether it exceeds or doesn't exceed the Committed Information Rate (CIR). The trTCM is useful, for example, for ingress policing of a service, where a peak rate needs to be enforced separately from a committed rate.

Working flow of Traffic meter:
  • To support packet-based traffic control, you can specify one meter name in the action group.
  • The meter supports two modes, SRTCM and TRTCM. The function of the meter is to remark or drop packets according to the traffic.
  • The meter has a processing action for colored packets. When it is configured to drop colored packets, it performs the traffic limitation function; when it is configured to remark colored packets, it classifies packets according to the traffic so that the user can apply different QoS policies later in the data path.
  • After the meter is configured to color the packets, the counter in the action group can count the packets.

Below is one configuration example; it will help you understand this better.

Topology:

PC1 sender (192.168.1.9)------- port 0/0 switch port 0/1----------PC2 receiver (192.168.1.15)

Configuration:

Traffic meter: (It is configured with 5Mb)

traffic-meter TEST_VLAN100
 meter mode trtcm 5120 160000 5120 512000
 meter action red drop
 meter action yellow drop
 exit

l3-action-group TRAFFIC_LIMIT
 meter TEST_VLAN100
 exit

ip access-list extended MATCH_TRAFFIC
 10 permit ip any any l3-action-group TRAFFIC_LIMIT
 exit

vlan 100
 ip access-group MATCH_TRAFFIC in
 exit

Port configuration:

port 0/0
 port-type uni
 uni-isolate community
 port access vlan 100
 load-interval 30
 exit
port 0/1
 port-type uni
 uni-isolate community
 port access vlan 100
 load-interval 30
 exit


You can see the results in the screenshots below.

Screenshots:

BEFORE APPLYING

PC-1 (Sender - 192.168.1.9): PC1 is sending 7 MB of traffic to PC2.
Before traffic meter: (screenshot)

PC-2 (Receiver - 192.168.1.15)
Before applying traffic meter: (screenshot)

AFTER APPLYING

PC-1 (Sender - 192.168.1.9)
When you apply the traffic meter, the sender is not affected; it sends the traffic as usual. You can see the effect at the receiver end.

PC-2 (Receiver - 192.168.1.15)
You can see here that our ACL is working. After applying the traffic meter, the receiver is receiving only 5 MB.
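
The metering behind this result, as an added example that is not part of the original post or of the switch's software: a color-blind RFC 2698 trTCM fed with the four values from the meter mode trtcm line, with yellow and red packets dropped. It assumes the rates are in kbit/s, the burst sizes are in bytes, the third and fourth values are PIR and PBS, and a constant-rate sender using 1250-byte packets.

```python
KBIT = 1000 / 8  # bytes/s per kbit/s (assumed unit of the rate values)


class TrTCM:
    """Color-blind Two Rate Three Color Marker (RFC 2698)."""

    def __init__(self, cir, cbs, pir, pbs):
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.tc, self.tp = float(cbs), float(pbs)  # both buckets start full
        self.last = 0.0

    def color(self, now, size):
        # Refill both token buckets for the elapsed time, capped at burst size.
        elapsed, self.last = now - self.last, now
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        if self.tp < size:
            return "red"      # exceeds the peak rate
        self.tp -= size
        if self.tc < size:
            return "yellow"   # within peak, exceeds committed
        self.tc -= size
        return "green"


def received_mbps(offered_mbps, seconds=10, size=1250):
    """Rate reaching the receiver once the initial bursts are used up.

    Only green packets pass (red and yellow are dropped); the rate is
    measured over the second half of the run.
    """
    meter = TrTCM(5120 * KBIT, 160000, 5120 * KBIT, 512000)
    pps = int(offered_mbps * 1e6 / 8 / size)   # constructed constant-rate sender
    total = pps * seconds
    passed = 0
    for i in range(total):
        if meter.color(i / pps, size) == "green" and i >= total // 2:
            passed += size
    return passed * 8 / (seconds / 2) / 1e6


if __name__ == "__main__":
    for offered in (4, 7):
        print(f"offered {offered} Mbit/s -> received "
              f"{received_mbps(offered):.2f} Mbit/s")
```

A sender below the committed rate is untouched, while the 7 Mbit/s sender is held to about 5.12 Mbit/s at the receiver after the committed and peak bursts are spent.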



I was doing some testing where I used the traffic meter, so I have shared this testing and the traffic meter concepts.

Device used: Maipu 3400 switch
IOS: sp1-g-6.2.17.pck

Please check the command explanations:

meter mode srtcm cir cbs ebs

meter mode trtcm cir cbs pbs pir




Command: Description
meter mode srtcm: Configure the traffic meter as srtcm mode. The configuration is colored according to the metering result of the traffic meter.
meter mode trtcm: Configure the traffic meter as trtcm mode. The configuration is colored according to the metering result of the traffic meter.
cir: Commitment information rate
cbs: Commitment burst size
ebs: Exceeding burst size
pbs: Peak burst size
pir: Peak information rate


You can use this feature for VLAN-based traffic control using an ACL.

Hope this information is informative for you.
For feedback, please comment with your name and mail ID. New users can use the Name/URL option.

Thanks for reading…

Monday, July 25, 2011

PIM – Assert Mechanism


In the last post, I discussed the multicast DR and querier. In this post I would like to discuss PIM Assert messages and when they are important.
Coming to the subject: in shared LAN networks, there may be more than one router for redundancy, and each can have reachability to the RP. Redundancy is important, but at the same time we need to know how the PIM messages will be handled. The topology would be similar to the figure below.

In this topology, the multicast group hosts will receive duplicate packets from the multicast routers. To overcome this issue, PIM has the Assert message mechanism. This helps to decide the PIM designated forwarder.

In this example,
  1. Router 1 is the RP and forwards multicast traffic to the entire network.
  2. Routers 2 and 3 are redundant routers in an enterprise location. These routers forward the multicast traffic to the LAN router.
  3. Assume Router 3 transmits the first multicast packet. Router 2 receives the same multicast packet on its outgoing interface; in R2's multicast routing table, this group is destined to go out of that outgoing interface.
  4. Router 2 then forwards the multicast packet to the LAN and Router 3 receives it, which means that Router 3 has also received data on an outgoing interface.
  5. Receiving an unexpected packet on an outgoing interface alerts both routers to the fact that other PIM-SM neighbors on the LAN are also forwarding traffic to the group.
  6. This means the group hosts will receive duplicate data.

This is a big issue in a big enterprise network. To overcome this problem:
  1. Routers generate Assert messages to select a single router to forward traffic. Downstream routers can see the Assert messages, so they know which router was elected and where to send subsequent Join messages.
  2. In our example, the LAN router sent Join messages to both gateway routers, Router 2 and Router 3. That is, because the local router received queries from two routers, it replied to both, which in turn results in duplicate packets.
  3. After the election of the PIM forwarder using Assert messages, all Join messages will go to either Router 2 or Router 3, depending on which becomes the designated forwarder.

Election using Assert Messages
  1. The router generating an Assert message with the lowest administrative distance is elected as the forwarder.
  2. If all the routers are running the same unicast protocol, the router whose Assert message has the best unicast routing metric is elected. For example, if all the routers are using RIP, the router with the smallest hop count is elected.
  3. If the metrics are equal, the router with the highest IP address is elected.
  4. After selection of the PIM designated forwarder, the other router prunes its interface on the physical media, so that Join messages are sent to the elected router.
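
The duplicate-detection, election and prune steps above as an added sketch, not code from the original post or from any PIM implementation. The router names, addresses, distances and metrics are constructed sample values, and the model covers only the three tie-breakers listed here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    lan_ip: str
    admin_distance: int
    metric: int
    forwarding: bool = True  # LAN interface is still an outgoing interface

    def assert_key(self):
        # Lowest administrative distance, then best (lowest) metric,
        # then highest IP address; min() picks the winner.
        ip = int(ipaddress.IPv4Address(self.lan_ip))
        return (self.admin_distance, self.metric, -ip)


def elect_forwarder(routers):
    """Return the Assert winner among routers forwarding onto one LAN."""
    return min(routers, key=Router.assert_key)


def deliver(routers, packets):
    """Return how many copies of each packet the LAN hosts receive."""
    copies = []
    for _ in range(packets):
        senders = [r for r in routers if r.forwarding]
        copies.append(len(senders))
        if len(senders) > 1:
            # Each forwarder saw the other's packet arrive on its outgoing
            # interface: Asserts are exchanged and the losers prune.
            winner = elect_forwarder(senders)
            for r in senders:
                r.forwarding = r is winner
    return copies


if __name__ == "__main__":
    r2 = Router("Router 2", "192.168.10.2", 110, 20)  # constructed values
    r3 = Router("Router 3", "192.168.10.3", 110, 20)
    print(deliver([r2, r3], 3), "forwarder:", elect_forwarder([r2, r3]).name)
```

With equal distance and metric, Router 3 wins on the higher address, and only the first packet reaches the hosts twice.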
Hope this explanation will help you to understand the use of PIM Assert messages in a network. They are used to select a PIM forwarder to avoid duplicate multicast packets in the network.
Hope this post is informative for you.
For any feedback, please comment with your name and mail ID. New users can use the Name/URL option.