Rate limiting
The traffic received and sent on network interfaces can be rate limited in order to prevent the device or the network from being overloaded, or to enforce maximum bit rate agreements.
Rate limiting is available on all physical and logical interfaces, in both ingress and egress of the device.
Rate limiting algorithm
The rate limit of an interface is controlled by a policer, in charge of dropping traffic that does not fulfill a given traffic profile.
The policer specifies the maximum committed bandwidth of the regular traffic. It may optionally specify an authorized excess bandwidth, to accommodate temporary excess use.
The traffic profile is measured by a three-color marker (see RFC 4115), composed of a token bucket for regular traffic and an optional token bucket for excess traffic.
Packets are then either granted access or dropped, depending on whether they conform to the traffic profile:
if a packet fulfills the bandwidth/burst specification (green packet), it can pass.
else if the excess-bandwidth is non-zero and the packet fulfills the excess-bandwidth/excess-burst specification (yellow packet), it can pass.
otherwise the packet is out of profile (red packet) and is dropped.
Up to 4 parameters may be defined:
bandwidth
: maximum frame bit rate of regular traffic, a.k.a. CIR (Committed Information Rate), in bits per second (mandatory),
burst
: maximum burst size of regular traffic, a.k.a. CBS (Committed Burst Size), in bytes (defaults to bandwidth/80, so that the system is able to handle a burst of 100 ms at the targeted bandwidth),
excess-bandwidth
: maximum frame bit rate of excess traffic, a.k.a. EIR (Excess Information Rate), in bits per second (default 0),
excess-burst
: maximum burst size of excess traffic, a.k.a. EBS (Excess Burst Size), in bytes (defaults to bandwidth/80, so that the system is able to handle a burst of 100 ms at the targeted bandwidth).
Rate limiting can be configured in two ways:
a dedicated policer is attached to an interface ingress or egress,
a shared policer is created, then several interfaces may bind their ingress or egress to this shared policer. All interfaces bound to this shared policer consume tokens of the same three-color marker.
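The marker logic and the dedicated/shared distinction described above, as an added Python sketch (not 6WIND code): a simplified color-blind two-bucket marker in the spirit of RFC 4115. The rates, frame sizes, interface names and the assumption that both buckets start full are constructed for illustration, and excess-burst is passed explicitly.

```python
class Marker:
    """Simplified color-blind two-rate three-color marker (tokens in bits, time in ms)."""

    def __init__(self, bandwidth, burst=None, excess_bandwidth=0, excess_burst=0):
        self.cir, self.eir = bandwidth, excess_bandwidth
        # Page default for burst: bandwidth/80 bytes, i.e. 100 ms at the committed rate.
        self.cbs = 8 * (bandwidth // 80 if burst is None else burst)
        self.ebs = 8 * excess_burst            # excess-burst is given explicitly here
        self.tc, self.te = self.cbs, self.ebs  # assumption: both buckets start full
        self.last_ms = 0

    def police(self, now_ms, size_bytes):
        """Refill both buckets for the elapsed time, then color one frame."""
        dt, self.last_ms = now_ms - self.last_ms, now_ms
        self.tc = min(self.cbs, self.tc + self.cir * dt // 1000)
        self.te = min(self.ebs, self.te + self.eir * dt // 1000)
        bits = 8 * size_bytes
        if self.tc >= bits:                     # within bandwidth/burst
            self.tc -= bits
            return "green"
        if self.eir > 0 and self.te >= bits:    # within excess-bandwidth/excess-burst
            self.te -= bits
            return "yellow"
        return "red"                            # out of profile: dropped


# Constructed arrivals: (time in ms, interface, frame size in bytes).
ARRIVALS = [(0, "eth0", 500), (0, "eth1", 500), (0, "eth0", 500),
            (0, "eth1", 500), (100, "eth0", 500)]


def new_marker():
    # 80 kbit/s committed (default burst 1000 bytes), 40 kbit/s excess, 500-byte excess burst.
    return Marker(80_000, excess_bandwidth=40_000, excess_burst=500)


def colors(markers):
    """markers maps interface name -> Marker; returns the color of each arrival."""
    return [markers[ifname].police(t, size) for t, ifname, size in ARRIVALS]


def dedicated():
    return colors({"eth0": new_marker(), "eth1": new_marker()})


def shared():
    one = new_marker()
    return colors({"eth0": one, "eth1": one})
```

With dedicated markers every frame is green; with one shared marker the second frame from eth1 is red, because both interfaces draw on the same buckets.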
Policer templates
Policer templates are created in the global qos context with the policer command. They can then be referenced by interfaces or by shared policers.
Enter the global qos context:
vrouter running config# qos
vrouter qos#
Create a policer template with no authorized excess traffic:
vrouter running config# qos
vrouter running qos#
vrouter running qos# policer pol1
vrouter running policer pol1#! bandwidth 1G
vrouter running policer pol1# burst 2K
vrouter running policer pol1# ..
vrouter running qos#
Interfaces that use this policer will have their frame rate limited to 1 Gbps, with bursts up to 2 Kbytes. Frames that would cause this profile to be exceeded will be dropped.
Create a policer template with authorized excess traffic:
vrouter running qos# policer pol2
vrouter running policer pol2#! bandwidth 2G
vrouter running policer pol2# excess-bandwidth 15M
vrouter running policer pol2# ..
Interfaces that use this policer will have their frame rate limited to 2 Gbps, with bursts up to the default bandwidth/80 bytes. Excess traffic is authorized up to 15 Mbps with bursts up to the default excess-bandwidth/80 bytes. Frames that would cause this profile to be exceeded will be dropped.
Show the qos configuration:
vrouter running qos# show config
qos
    policer pol1
        bandwidth 1G
        burst 2K
        excess-bandwidth 0
        ..
    policer pol2
        bandwidth 2G
        excess-bandwidth 15M
        ..
    ..
The same configuration can be made using this NETCONF XML configuration:
vrouter running config# show config xml absolute
<config xmlns="urn:6wind:vrouter">
  <qos xmlns="urn:6wind:vrouter/qos">
    <policer>
      <name>pol1</name>
      <burst>2000</burst>
      <excess-bandwidth>0</excess-bandwidth>
      <bandwidth>1000000000</bandwidth>
    </policer>
    <policer>
      <name>pol2</name>
      <excess-bandwidth>15000000</excess-bandwidth>
      <bandwidth>2000000000</bandwidth>
    </policer>
  </qos>
</config>
Note
The policer command defines traffic profile templates. They can be used by one or more network interfaces or shared-policers. Each use of a policer instantiates a new three-color marker.
Note
Bandwidth and burst values can be typed as plain integers (e.g. 2000000), or with a standard power-of-1000 multiplier letter to write the value in a more compact way (e.g. 2M):
K (for kilo): multiply by 1000
M (for mega): multiply by 1000^2
G (for giga): multiply by 1000^3
T (for tera): multiply by 1000^4
The output of show config and show state will always use the most compact form (e.g. 2M, regardless of whether you typed 2M, 2000K or 2000000).
This compact notation is only used in the CLI. The NETCONF XML configuration uses plain integers.
Rate limit an interface with a dedicated policer
Physical and logical interfaces can rate limit their ingress and egress traffic by attaching a dedicated policer, defined in the qos context.
Enter the qos context of physical interface eth0:
vrouter running config# vrf main
vrouter running vrf main# interface physical eth0
vrouter running physical eth0# qos
Configure rate limiting of egress traffic by policer pol1:
vrouter running qos# egress rate-limit policer pol1
vrouter running qos# ..
vrouter running physical eth0#
Show interface eth0 configuration:
vrouter running physical eth0# show config nodefault
physical eth0
    (...)
    qos
        egress
            rate-limit
                policer pol1
                ..
            ..
        ..
    ..
Commit the configuration:
vrouter running physical eth0# commit
Configuration committed.
vrouter running physical eth0# /
vrouter running config#
Show interface qos state:
vrouter running config# show state vrf main interface
qos
    egress
        rate-limit
            policer
                bandwidth 1500M
                burst 1500
                excess-bandwidth 0
                excess-burst 1
                stats
                    pass-packets 0
                    pass-bytes 0
                    pass-excess-packets 0
                    pass-excess-bytes 0
                    drop-packets 0
                    drop-bytes 0
                    ..
                ..
            ..
        ..
    ..
The same settings can be made using the following NETCONF XML configuration:
vrouter running config# show config xml absolute
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name>eth0</name>
        (...)
        <qos>
          <egress>
            <rate-limit>
              <policer>pol1</policer>
            </rate-limit>
          </egress>
        </qos>
      </physical>
    </interface>
  </vrf>
</config>
Each interface that specifies rate-limit policer pol1 instantiates a new policer dedicated to the interface in the specified direction (ingress or egress).
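An added Python example (not part of the product or its documentation) that ties together the NETCONF snippets and the notation note above: it reads policer templates from a NETCONF payload, applies the bandwidth/80 default burst, renders values in the compact CLI form, and reports interfaces that reference an undefined template. The payload is constructed from the page's snippets with excess-bandwidth omitted; the eth1 entry and the pol9 name are made up to exercise the check.

```python
import xml.etree.ElementTree as ET

# Constructed payload: the page's two NETCONF snippets merged and trimmed, plus a
# made-up eth1 entry that references an undefined template ("pol9").
CONFIG = """<config xmlns="urn:6wind:vrouter">
 <qos xmlns="urn:6wind:vrouter/qos">
  <policer><name>pol1</name><burst>2000</burst><bandwidth>1000000000</bandwidth></policer>
  <policer><name>pol2</name><bandwidth>2000000000</bandwidth></policer>
 </qos>
 <vrf><name>main</name><interface xmlns="urn:6wind:vrouter/interface">
  <physical><name>eth0</name>
   <qos><egress><rate-limit><policer>pol1</policer></rate-limit></egress></qos></physical>
  <physical><name>eth1</name>
   <qos><egress><rate-limit><policer>pol9</policer></rate-limit></egress></qos></physical>
 </interface></vrf>
</config>"""

MULTIPLIERS = {"K": 1000, "M": 1000**2, "G": 1000**3, "T": 1000**4}


def compact(value):
    """Plain NETCONF integer -> most compact exact CLI form (2000000 -> '2M')."""
    for letter in "TGMK":
        if value and value % MULTIPLIERS[letter] == 0:
            return f"{value // MULTIPLIERS[letter]}{letter}"
    return str(value)


def local(el):
    return el.tag.rsplit("}", 1)[-1]   # drop the XML namespace prefix


def audit(xml_text):
    """Return ({template: effective profile}, [(interface, undefined template)])."""
    root = ET.fromstring(xml_text)
    templates, dangling = {}, []
    for el in root.iter():
        if local(el) == "policer" and len(el):        # template definition (has children)
            leaf = {local(c): c.text for c in el}
            bw = int(leaf["bandwidth"])
            burst = int(leaf.get("burst", bw // 80))   # page default: bandwidth/80 bytes
            templates[leaf["name"]] = {"bandwidth": compact(bw), "burst": compact(burst)}
    for phys in (e for e in root.iter() if local(e) == "physical"):
        name = next(c.text for c in phys if local(c) == "name")
        dangling += [(name, r.text) for r in phys.iter()
                     if local(r) == "policer" and r.text not in templates]
    return templates, dangling
```

Running `audit(CONFIG)` shows pol2 with an effective burst of 25M bytes even though none was configured, and flags eth1 for referencing pol9.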