tc qdisc add dev zre1 ingress   # ingress qdisc for zre1
tc qdisc add dev zhp2 ingress   # ingress qdisc for vlan

The filter add command changes slightly: the parent is now the special handle ffff:fff1. Using the same filter as the first example:

tc filter add dev zre1 parent ffff:fff1 protocol ip u32 match ip dst 10.91.100.5/32 classid 105:2

This filter will match packets arriving on port zre1, destined for port zre5, with destination IP address 10.91.100.5. The packets will be put in cos queue 1 on port zre5.

If the filter was defined for dev zhp2 it would be applied to packets arriving on any port which is included in zhp 2, and require that they be in the VLAN associated with zhp2.

tc filter add dev zhp2 parent ffff:fff1 protocol ip u32 match ip protocol 6 0xff match tcp src 0 0xf000 classid 105:3

This filter illustrates matching a range of values: with a value of 0 and a mask of 0xf000, the top four bits of the source port must be zero, so any TCP packet on the VLAN associated with zhp2 with a source port below 4096 will be matched.
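The same value/mask arithmetic extended to port ranges that are not a single power-of-two block, as an added example that is not part of the original guide. The function names are hypothetical; the emitted clauses use the match syntax shown above, and each clause belongs in its own filter because match clauses within one filter must all hold.

```python
PORT_BITS = 16  # width of the TCP/UDP port field

def range_to_value_mask(lo, hi, bits=PORT_BITS):
    """Split the inclusive range [lo, hi] into aligned power-of-two
    blocks, each expressed as a (value, mask) pair for a u32 match."""
    if not 0 <= lo <= hi < (1 << bits):
        raise ValueError("range must satisfy 0 <= lo <= hi < 2**bits")
    full = (1 << bits) - 1
    pairs = []
    while lo <= hi:
        # Largest block that can start at lo: the lowest set bit of lo.
        size = (lo & -lo) if lo else (1 << bits)
        # Shrink the block until it no longer runs past hi.
        while lo + size - 1 > hi:
            size >>= 1
        # The mask keeps the bits that are fixed across the block.
        pairs.append((lo, full & ~(size - 1)))
        lo += size
    return pairs

def matches(port, pairs):
    """True if the port satisfies any (value, mask) pair."""
    return any((port & mask) == value for value, mask in pairs)

def tc_clauses(lo, hi, field="tcp src"):
    """Render the pairs as match clauses, one per filter."""
    return [f"match {field} {v} {m:#06x}"
            for v, m in range_to_value_mask(lo, hi)]

if __name__ == "__main__":
    # Constructed sample ranges; the first is the one used in the text.
    for lo, hi in [(0, 4095), (6000, 6063), (1024, 65535)]:
        print(f"ports {lo}-{hi}:")
        for clause in tc_clauses(lo, hi):
            print("   ", clause)
```

A range that is not aligned needs several filters, so checking the pairs against every port value before installing them catches off-by-one mistakes at the range boundaries.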

Advanced Filtering – Policing

In addition to using filters to direct packets into particular egress queues, it is possible to measure the rate at which matching packets are arriving and specify actions to take place if the rate is “out of profile” or “in profile”. This is called policing. It provides a means for limiting the bandwidth used by matching packets.

The rate threshold is specified in bytes per second, with a burst size which is to be allowed when the previous rate has been below the threshold. An action is specified to be taken only if the packet is “out of profile”, that is, the rate has exceeded the threshold and burst size. A second action can be specified if the packet is “in profile”; the default is to accept the packet. A separate set of meters is used for policing on each ingress port. This means that the rates given are for each ingress port, even if the matching packets are going into a single COS queue.

A policing specification follows the match rules in a filter, and precedes the classid. The following policing specification will drop matching packets when the rate exceeds 10 million bytes per second after a burst of 20 kilobytes:

police rate 10mbps burst 20kb drop

To specify actions for in-profile packets as well as those out-of-profile, separate the actions by a “/”:

police rate 100mbit burst 10mbit action drop/reclassify

The reclassify action marks the packet for dropping if the COS queue is above its congestion threshold. In this case it would apply to packets which were in profile; the out-of-profile packets would be dropped immediately.

The classid parameter is not required, and may not be needed for some policing filters. If it is

Ethernet Switch Blade User's Guide

release 3.2.2j

page 117

Znyx Networks bh5700 manual Advanced Filtering Policing