Cabletron Systems SmartSwitch manual Using Profile ACLs with the Traffic Rate Limiting Facility


Chapter 17: Access Control List Configuration Guide

15.1.1.0/24). Then you use an ip-policy command to specify what happens to packets that match the selection criteria (in this example, forward them to address 10.10.10.10). The following commands illustrate this example.

This command creates a Profile ACL called prof1 that uses as its selection criteria all telnet packets travelling from source network 9.1.1.0/24 to destination network 15.1.1.0/24:

ssr(config)# acl prof1 permit ip 9.1.1.0/24 15.1.1.0/24 any any telnet 0

This Profile ACL is then used in conjunction with the ip-policy command to cause packets matching prof1’s selection criteria (that is, telnet packets travelling from 9.1.1.0/24 to 15.1.1.0/24) to be forwarded to 10.10.10.10:

ssr(config)# ip-policy p5 permit profile prof1 next-hop-list 10.10.10.10

See “IP Policy-Based Forwarding Configuration Guide” on page 209 for more information on using the ip-policy command.

Using Profile ACLs with the Traffic Rate Limiting Facility

Traffic rate limiting is a mechanism that allows you to control bandwidth usage of incoming traffic on a per-flow basis. A flow meeting certain criteria can have its packets re-prioritized or dropped if its bandwidth usage exceeds a specified limit.

For example, you can cause packets in flows from source address 1.2.2.2 to be dropped if their bandwidth usage exceeds 10 Mbps. You use a Profile ACL to define the selection criteria (in this case, flows from source address 1.2.2.2). Then you use a rate-limit command to specify what happens to packets that match the selection criteria (in this example, drop them if their bandwidth usage exceeds 10 Mbps). The following commands illustrate this example.

This command creates a Profile ACL called prof2 that uses as its selection criteria all packets originating from source address 1.2.2.2:

ssr(config)# acl prof2 permit ip 1.2.2.2

The following command creates a rate limit definition that causes flows matching Profile ACL prof2’s selection criteria (that is, traffic from 1.2.2.2) to be restricted to 10 Mbps for each flow. If this rate limit is exceeded, the packets are dropped.

ssr(config)# rate-limit client1 input acl prof2 rate-limit 10000000 exceed-action drop-packets

When the rate limit definition is applied to an interface (with the rate-limit apply interface command), packets in flows originating from source address 1.2.2.2 are dropped if their bandwidth usage exceeds 10 Mbps.
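
The following Python model of the per-flow behaviour described above is an added illustration, not Cabletron code or the switch's implementation. It assumes that a flow is identified by source, destination and ports and that usage is measured in fixed one-second windows; the sample traffic is constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Values taken from the manual's example commands.
PROF2_SRC = ip_network("1.2.2.2/32")   # acl prof2 permit ip 1.2.2.2
RATE_BPS = 10_000_000                  # rate-limit 10000000

def flow_key(pkt):
    # Assumption: a flow is identified by source, destination and ports.
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])

def apply_rate_limit(packets, rate_bps=RATE_BPS, match=PROF2_SRC):
    """Return (forwarded_bits, dropped_bits), each keyed by flow.

    Model assumption: usage is counted per flow in fixed one-second
    windows; a packet that would push its flow over rate_bps in the
    current window is dropped (exceed-action drop-packets).
    """
    used = defaultdict(int)        # (flow, second) -> bits forwarded
    forwarded = defaultdict(int)
    dropped = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p["t"]):
        key = flow_key(pkt)
        bits = pkt["size"] * 8
        if ip_address(pkt["src"]) not in match:
            forwarded[key] += bits     # not selected by the Profile ACL
            continue
        window = (key, int(pkt["t"]))
        if used[window] + bits > rate_bps:
            dropped[key] += bits
        else:
            used[window] += bits
            forwarded[key] += bits
    return dict(forwarded), dict(dropped)

def constructed_traffic():
    # Constructed sample: 1250-byte packets (10,000 bits each) over one second.
    def stream(src, dport, pps):
        return [{"t": i / pps, "src": src, "dst": "15.1.1.5",
                 "sport": 40000, "dport": dport, "size": 1250}
                for i in range(pps)]
    return (stream("1.2.2.2", 80, 1500)      # 15 Mbps flow from 1.2.2.2
            + stream("1.2.2.2", 443, 800)    # second flow, 8 Mbps, same source
            + stream("9.1.1.7", 80, 2000))   # 20 Mbps, not matched by prof2
```

In this model the 15 Mbps flow is cut to 10 Mbps while the second flow from 1.2.2.2 passes untouched, so the source still forwards 18 Mbps in total: the limit bounds each flow, not the aggregate from one address.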

SmartSwitch Router User Reference Manual
