Rate limiting

The traffic received and sent on network interfaces can be rate limited in order to prevent the device or the network from being overloaded, or to enforce maximum bit rate agreements.

Rate limiting is available on all physical and logical interfaces, in both ingress and egress of the device.

Policers

The rate limit of an interface is controlled by a policer, in charge of dropping traffic that does not fulfill a given traffic profile.

The policer specifies the maximum committed bandwidth of the regular traffic. It may optionally specify an authorized excess bandwidth, to accommodate temporary excess use.

  • the traffic profile is measured by a three-color marker (see RFC 4115), composed of a regular-traffic token bucket and an optional excess-traffic token bucket.
  • packets are then either granted access or dropped, depending on whether they conform to the traffic profile:
    • if a packet fulfills the bandwidth/burst specification (green packet), it can pass.
    • else if the excess-bandwidth is non-zero and the packet fulfills the excess-bandwidth/excess-burst specification (yellow packet), it can pass.
    • otherwise the packet is out of profile (red packet) and is dropped.

Up to 4 parameters may be defined:

  • bandwidth: maximum frame bit rate of regular traffic, a.k.a. CIR (Committed Information Rate), in bits per second (mandatory),
  • burst: maximum burst size of regular traffic, a.k.a. CBS (Committed Burst Size), in bytes (default 1500),
  • excess-bandwidth: maximum frame bit rate of excess traffic, a.k.a. EIR (Excess Information Rate), in bits per second (default 0),
  • excess-burst: maximum burst size of excess traffic, a.k.a. EBS (Excess Burst Size), in bytes (default 1500).
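
The pass/drop decision described above can be modelled with two token buckets. The following is an added illustration, not vRouter code: the class and function names are hypothetical, the marker is color-blind, and the sample arrivals are constructed.

```python
SCALE = 8_000_000  # 1 byte of credit = 8 bits x 1e6 us, so refills stay exact integers


class Bucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps
        self.cap = burst_bytes * SCALE
        self.tokens = self.cap  # a bucket starts full
        self.last_us = 0

    def take(self, size_bytes, now_us):
        # Refill for the elapsed time, capped at the burst size, then try to pay.
        self.tokens = min(self.cap, self.tokens + self.rate * (now_us - self.last_us))
        self.last_us = now_us
        cost = size_bytes * SCALE
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True


class Policer:
    """Color-blind marker; the >= comparison in Bucket.take is this sketch's choice."""

    def __init__(self, bandwidth, burst=1500, excess_bandwidth=0, excess_burst=1500):
        self.committed = Bucket(bandwidth, burst)
        # excess-bandwidth 0 disables the yellow path, even though excess-burst defaults to 1500
        self.excess = Bucket(excess_bandwidth, excess_burst) if excess_bandwidth else None

    def color(self, size_bytes, now_us):
        if self.committed.take(size_bytes, now_us):
            return "green"   # within bandwidth/burst: pass
        if self.excess is not None and self.excess.take(size_bytes, now_us):
            return "yellow"  # within excess-bandwidth/excess-burst: pass
        return "red"         # out of profile: drop


def police(policer, arrivals):
    """arrivals: iterable of (time_us, size_bytes). Returns the color of each packet."""
    return [policer.color(size, t) for t, size in arrivals]


if __name__ == "__main__":
    # Constructed arrivals: 1500-byte frames at the given microsecond timestamps.
    frames = [(0, 1500), (0, 1500), (0, 1500), (6, 1500), (6, 1500)]
    pol1 = Policer(bandwidth=1_000_000_000, burst=2000)
    pol2 = Policer(bandwidth=2_000_000_000, excess_bandwidth=15_000_000)
    print("pol1", police(pol1, frames))
    print("pol2", police(pol2, frames))
```

With a 1500-byte burst, a single full-size frame empties the regular bucket, so back-to-back frames are dropped unless excess traffic is authorized.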

Policers are created in the global qos context. They can then be referenced in an interface qos context.

Enter the global qos context:

vrouter running config# qos
vrouter qos#

Create a policer with no authorized excess traffic:

vrouter running config# qos
vrouter running qos#
vrouter running qos# policer pol1
vrouter running policer pol1#! bandwidth 1G
vrouter running policer pol1# burst 2K
vrouter running policer pol1# ..
vrouter running qos#

Interfaces that use this policer will have their frame rate limited to 1 Gbps, with bursts up to 2 Kbytes. Frames that would cause this profile to be exceeded will be dropped.

Create a policer with authorized excess traffic:

vrouter running qos# policer pol2
vrouter running policer pol2#! bandwidth 2G
vrouter running policer pol2# excess-bandwidth 15M
vrouter running policer pol2# ..

Interfaces that use this policer will have their frame rate limited to 2 Gbps, with bursts up to the default 1500 bytes. Excess traffic is authorized up to 15 Mbps with bursts up to the default 1500 bytes. Frames that would cause this profile to be exceeded will be dropped.

Show the qos configuration:

vrouter running qos# show config
qos
    policer pol1
        bandwidth 1G
        burst 2K
        excess-bandwidth 0
        excess-burst 1500
        ..
    policer pol2
        bandwidth 2G
        burst 1500
        excess-bandwidth 15M
        excess-burst 1500
        ..
    ..

The same configuration can be made using this NETCONF XML configuration:

vrouter running config# show config xml absolute
<config xmlns="urn:6wind:vrouter">
  <qos xmlns="urn:6wind:vrouter/qos">
    <policer>
      <name>pol1</name>
      <burst>2000</burst>
      <excess-bandwidth>0</excess-bandwidth>
      <excess-burst>1500</excess-burst>
      <bandwidth>1000000000</bandwidth>
    </policer>
    <policer>
      <name>pol2</name>
      <burst>1500</burst>
      <excess-bandwidth>15000000</excess-bandwidth>
      <excess-burst>1500</excess-burst>
      <bandwidth>2000000000</bandwidth>
    </policer>
  </qos>
</config>

Note

Policers define traffic profile templates. They can be used by one or more network interfaces. Each use of a policer instantiates a new three-color marker; the marker is not shared by the interfaces using the policer.

Note

Bandwidth and burst values can be typed as plain integers (e.g. 2000000), or with a standard power-of-1000 multiplier letter to write the value in a more compact way (e.g. 2M):

  • K (for kilo): multiply by 1000
  • M (for mega): multiply by 1000^2
  • G (for giga): multiply by 1000^3
  • T (for tera): multiply by 1000^4

The output of show config and show state will always use the most compact form (e.g. 2M, regardless of whether you typed 2M, 2000K or 2000000).

This compact notation is only used in the CLI. The NETCONF XML configuration uses plain integers.
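
When generating NETCONF payloads from CLI-style values, the multiplier letters have to be expanded first. The following is an added sketch, not 6WIND code: the function names are hypothetical, and it assumes that only non-negative integers with an uppercase letter are valid and that "most compact" means the largest multiplier that divides the value exactly.

```python
import re
import xml.etree.ElementTree as ET

MULT = {"": 1, "K": 1000, "M": 1000**2, "G": 1000**3, "T": 1000**4}
# Defaults taken from the parameter list on this page; bandwidth is mandatory.
DEFAULTS = {"burst": "1500", "excess-bandwidth": "0", "excess-burst": "1500"}


def parse_value(text):
    """Expand a CLI value such as '2K' into the plain integer used by NETCONF."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", text)
    if m is None:
        raise ValueError(f"not a bandwidth/burst value: {text!r}")
    return int(m.group(1)) * MULT[m.group(2)]


def compact(value):
    """Render a plain integer the way the CLI displays it (assumed rule, see lead-in)."""
    for letter in "TGMK":
        if value and value % MULT[letter] == 0:
            return f"{value // MULT[letter]}{letter}"
    return str(value)


def qos_xml(policers):
    """policers: {name: {leaf: CLI value}}. Returns the NETCONF qos configuration."""
    config = ET.Element("config", xmlns="urn:6wind:vrouter")
    qos = ET.SubElement(config, "qos", xmlns="urn:6wind:vrouter/qos")
    for name, cli in policers.items():
        node = ET.SubElement(qos, "policer")
        ET.SubElement(node, "name").text = name
        values = {**DEFAULTS, **cli}  # KeyError below if bandwidth is missing
        for leaf in ("burst", "excess-bandwidth", "excess-burst", "bandwidth"):
            ET.SubElement(node, leaf).text = str(parse_value(values[leaf]))
    return ET.tostring(config, encoding="unicode")


if __name__ == "__main__":
    print(qos_xml({"pol1": {"bandwidth": "1G", "burst": "2K"},
                   "pol2": {"bandwidth": "2G", "excess-bandwidth": "15M"}}))
    print([compact(parse_value(v)) for v in ("2M", "2000K", "2000000", "1500")])
```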

Rate limit an interface with a policer

Physical and logical interfaces can rate limit their ingress and egress traffic by attaching a policer, defined in the qos context.

Enter the qos context of physical interface eth0:

vrouter running config# vrf main
vrouter running vrf main# interface physical eth0
vrouter running physical eth0# qos

Configure rate limiting of egress traffic by policer pol1:

vrouter running qos# egress rate-limit policer pol1
vrouter running qos# ..
vrouter running physical eth0#

Show interface eth0 configuration:

vrouter running physical eth0# show config
physical eth0
    (...)
    qos
        egress
            rate-limit
                policer pol1
                ..
            ..
        ..
    ..
vrouter running physical eth0# /
dut-vm running config#

Show interface qos state:

vrouter running config# show state vrf main interface physical eth0 qos
qos
    egress
        rate-limit
            policer
                bandwidth 1500M
                burst 1500
                excess-bandwidth 0
                excess-burst 1500
                stats
                    pass-packets 0
                    pass-bytes 0
                    pass-excess-packets 0
                    pass-excess-bytes 0
                    drop-packets 0
                    drop-bytes 0
                    ..
                ..
            ..
        ..
    ..

The same configuration can be made using this NETCONF XML configuration:

vrouter running config# show config xml absolute
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name>eth0</name>
        (...)
        <qos>
          <egress>
            <rate-limit>
              <policer>pol1</policer>
            </rate-limit>
          </egress>
        </qos>
      </physical>
    </interface>
  </vrf>
</config>