Rate limiting

The traffic received and sent on network interfaces can be rate limited to prevent the device or the network from being overloaded, or to enforce maximum bit rate agreements.

Rate limiting is available on all physical and logical interfaces, in both ingress and egress of the device.

Rate limiting algorithm

The rate limit of an interface is controlled by a policer, in charge of dropping traffic that does not fulfill a given traffic profile.

The policer specifies the maximum committed bandwidth of the regular traffic. It may optionally specify an authorized excess bandwidth, to accommodate temporary excess use.

  • the traffic profile is measured by a three-color marker (see RFC 4115), composed of a token bucket for regular traffic and an optional token bucket for excess traffic.

  • packets are then either granted access or dropped, depending on whether they conform to the traffic profile:

    • if a packet fulfills the bandwidth/burst specification (green packet), it can pass.

    • else if the excess-bandwidth is non-zero and the packet fulfills the excess-bandwidth/excess-burst specification (yellow packet), it can pass.

    • otherwise the packet is out of profile (red packet) and is dropped.

Up to 4 parameters may be defined:

  • bandwidth: maximum frame bit rate of regular traffic, a.k.a. CIR (Committed Information Rate), in bits per second (mandatory),

  • burst: maximum burst size of regular traffic, a.k.a. CBS (Committed Burst Size), in bytes (defaults to bandwidth/80, so that the system is able to handle a burst of 100 ms at the targeted bandwidth),

  • excess-bandwidth: maximum frame bit rate of excess traffic, a.k.a. EIR (Excess Information Rate), in bits per second (default 0),

  • excess-burst: maximum burst size of excess traffic, a.k.a. EBS (Excess Burst Size), in bytes (defaults to bandwidth/80, so that the system is able to handle a burst of 100 ms at the targeted bandwidth).


Rate limiting can be configured in two ways:

  • a dedicated policer is attached to an interface ingress or egress,

  • a shared policer is created, then several interfaces may bind their ingress or egress to this shared policer. All interfaces bound to this shared policer consume tokens of the same three-color marker.
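
The marking decision and the difference between dedicated and shared policers can be seen in a short simulation. This is an added example, not code from the product: it assumes a color-blind marker without bucket coupling, buckets that start full, and hypothetical names (Policer, replay, FRAMES, with_excess).

```python
# Added illustration; class and function names are hypothetical, traffic is constructed.
class Policer:
    def __init__(self, bandwidth, burst=None, excess_bandwidth=0, excess_burst=0):
        self.cir = bandwidth / 8             # bits/s -> bytes/s
        self.eir = excess_bandwidth / 8
        # Page default for burst: bandwidth/80 bytes (100 ms at the target rate).
        self.cbs = bandwidth // 80 if burst is None else burst
        self.ebs = excess_burst
        self.tc, self.te = float(self.cbs), float(self.ebs)  # buckets start full
        self.last = 0.0
        self.stats = {"pass": 0, "pass-excess": 0, "drop": 0}

    def offer(self, now, size):
        """Classify one frame of `size` bytes arriving at time `now` (seconds)."""
        elapsed, self.last = now - self.last, now
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.te = min(self.ebs, self.te + self.eir * elapsed)
        if self.tc >= size:                  # green: within bandwidth/burst
            self.tc -= size
            verdict = "pass"
        elif self.te >= size:                # yellow: within the excess profile
            self.te -= size
            verdict = "pass-excess"
        else:                                # red: out of profile, dropped
            verdict = "drop"
        self.stats[verdict] += 1
        return verdict

def replay(frames, policer_for):
    # Run (time, interface, size) frames through the policer bound to each interface.
    return [(ifname, policer_for[ifname].offer(t, size)) for t, ifname, size in frames]

# Constructed traffic: 1000-byte frames arriving back to back on two interfaces.
FRAMES = [(0.0, "eth0", 1000), (0.0, "eth1", 1000),
          (0.0, "eth0", 1000), (0.0, "eth1", 1000), (0.0, "eth0", 1000)]
POL1 = dict(bandwidth=1_000_000_000, burst=2000)   # template pol1 from the page

def dedicated():
    # Each reference to the template instantiates its own marker.
    return replay(FRAMES, {"eth0": Policer(**POL1), "eth1": Policer(**POL1)})

def shared():
    # Both interfaces consume tokens from one marker.
    one = Policer(**POL1)
    return replay(FRAMES, {"eth0": one, "eth1": one})

def with_excess():
    # Constructed profile: pol1 plus an excess bucket worth one 1000-byte frame.
    p = Policer(excess_bandwidth=15_000_000, excess_burst=1000, **POL1)
    return [p.offer(0.0, 1000) for _ in range(4)]
```

With dedicated policers each interface gets its own 2000-byte burst; with the shared policer the same burst is split across both interfaces, so the third frame onward is dropped.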

Policer templates

Policer templates are created in the global qos context with the policer command. They can then be referenced by interfaces or by shared policers.

Enter the global qos context:

vsr running config# qos
vsr running qos#

Create a policer template with no authorized excess traffic:

vsr running config# qos
vsr running qos#
vsr running qos# policer pol1
vsr running policer pol1#! bandwidth 1G
vsr running policer pol1# burst 2K
vsr running policer pol1# ..
vsr running qos#

Interfaces that use this policer will have their frame rate limited to 1 Gbps, with bursts up to 2 Kbytes. Frames that would cause this profile to be exceeded will be dropped.

Create a policer template with authorized excess traffic:

vsr running qos# policer pol2
vsr running policer pol2#! bandwidth 2G
vsr running policer pol2# excess-bandwidth 15M
vsr running policer pol2# ..

Interfaces that use this policer will have their frame rate limited to 2 Gbps, with bursts up to the default bandwidth/80 bytes. Excess traffic is authorized up to 15 Mbps with bursts up to the default excess-bandwidth/80 bytes. Frames that would cause this profile to be exceeded will be dropped.

Show the qos configuration:

vsr running qos# show config
qos
    policer pol1
        bandwidth 1G
        burst 2K
        excess-bandwidth 0
        ..
    policer pol2
        bandwidth 2G
        excess-bandwidth 15M
        ..
    ..

The same configuration can be made using this NETCONF XML configuration:

vsr running config# show config xml absolute
<config xmlns="urn:6wind:vrouter">
  <qos xmlns="urn:6wind:vrouter/qos">
    <policer>
      <name>pol1</name>
      <burst>2000</burst>
      <excess-bandwidth>0</excess-bandwidth>
      <bandwidth>1000000000</bandwidth>
    </policer>
    <policer>
      <name>pol2</name>
      <excess-bandwidth>15000000</excess-bandwidth>
      <bandwidth>2000000000</bandwidth>
    </policer>
  </qos>
</config>

Note

The policer command defines traffic profile templates. They can be used by one or more network interfaces or shared policers. Each use of a policer instantiates a new three-color marker.

Note

Bandwidth and burst values can be typed as plain integers (e.g. 2000000), or with a standard power-of-1000 multiplier letter to write the value in a more compact way (e.g. 2M):

  • K (for kilo): multiply by 1000

  • M (for mega): multiply by 1000²

  • G (for giga): multiply by 1000³

  • T (for tera): multiply by 1000⁴

The output of show config and show state will always use the most compact form (e.g. 2M, regardless of whether you typed 2M, 2000K or 2000000).

This compact notation is only used in the CLI. The NETCONF XML configuration uses plain integers.
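
When comparing CLI output with NETCONF data (for example in a configuration audit script), both notations have to be normalized first. The following is an added example, not part of the product; the function names are hypothetical, and it assumes that only the uppercase letters shown above are accepted.

```python
import re

# Power-of-1000 multiplier letters documented above.
MULTIPLIERS = {"K": 1000, "M": 1000**2, "G": 1000**3, "T": 1000**4}
_VALUE = re.compile(r"([0-9]+)([KMGT]?)")


def to_integer(text):
    """CLI value ('2M', '2000K', '2000000') -> plain integer as used in NETCONF."""
    m = _VALUE.fullmatch(str(text).strip())
    if m is None:
        raise ValueError(f"not a plain integer or K/M/G/T value: {text!r}")
    digits, letter = m.groups()
    return int(digits) * MULTIPLIERS.get(letter, 1)


def to_compact(value):
    """Plain integer -> most compact form, as show config and show state print it."""
    if value < 0:
        raise ValueError("bandwidth and burst values cannot be negative")
    for letter in "TGMK":                    # try the largest multiplier first
        unit = MULTIPLIERS[letter]
        if value and value % unit == 0:      # only exact multiples can be shortened
            return f"{value // unit}{letter}"
    return str(value)


def normalize(policer):
    """Map every parameter of a policer (CLI or NETCONF notation) to an integer."""
    return {name: to_integer(value) for name, value in policer.items()}


# pol1 as shown by 'show config' and by 'show config xml absolute' on this page.
CLI_POL1 = {"bandwidth": "1G", "burst": "2K", "excess-bandwidth": "0"}
XML_POL1 = {"bandwidth": "1000000000", "burst": "2000", "excess-bandwidth": "0"}


def same_profile(a, b):
    # True when two policer descriptions denote the same traffic profile.
    return normalize(a) == normalize(b)
```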

Shared Policers

Shared policers are created in the global qos context with the shared-policer command. They can then be referenced by interfaces.

Enter the global qos context:

vsr running config# qos
vsr running qos#

Create a policer template with no authorized excess traffic, as explained in the previous section:

vsr running config# qos
vsr running qos#
vsr running qos# policer pol1
vsr running policer pol1#! bandwidth 1G
vsr running policer pol1# burst 2K
vsr running policer pol1# ..
vsr running qos#

Create a shared policer that references the policer template:

vsr running qos# shared-policer shared-pol1
vsr running shared-policer shared-pol1# policer pol1
vsr running shared-policer shared-pol1# ..
vsr running qos#

Show the qos configuration:

vsr running qos# show config
qos
    policer pol1
        bandwidth 1G
        burst 2K
        excess-bandwidth 0
        ..
    shared-policer shared-pol1
        policer pol1
        ..
    ..

The same configuration can be made using this NETCONF XML configuration:

vsr running qos# show config xml absolute
<config xmlns="urn:6wind:vrouter">
  <qos xmlns="urn:6wind:vrouter/qos">
    <policer>
      <name>pol1</name>
      <burst>2000</burst>
      <excess-bandwidth>0</excess-bandwidth>
      <bandwidth>1000000000</bandwidth>
    </policer>
    <shared-policer>
      <name>shared-pol1</name>
      <policer>pol1</policer>
    </shared-policer>
  </qos>
</config>

Note

While the policer command defines traffic profile templates that are instantiated whenever they are referenced, the shared-policer command defines unique objects.

Rate limit an interface with a dedicated policer

Physical and logical interfaces can rate limit their ingress and egress traffic by attaching a dedicated policer, defined in the qos context.

Enter the qos context of physical interface eth0:

vsr running config# vrf main
vsr running vrf main# interface physical eth0
vsr running physical eth0# qos

Configure rate limiting of egress traffic by policer pol1:

vsr running qos# egress rate-limit policer pol1
vsr running qos# ..
vsr running physical eth0#

Show interface eth0 configuration:

vsr running physical eth0# show config nodefault
physical eth0
    (...)
    qos
        egress
            rate-limit
                policer pol1
                ..
            ..
        ..
    ..

Commit the configuration:

vsr running physical eth0# commit
Configuration committed.
vsr running physical eth0# /
vsr running config#

Show interface qos state:

vsr running config# show state vrf main interface
qos
    egress
        rate-limit
            policer
                bandwidth 1500M
                burst 1500
                excess-bandwidth 0
                excess-burst 1
                stats
                    pass-packets 0
                    pass-bytes 0
                    pass-excess-packets 0
                    pass-excess-bytes 0
                    drop-packets 0
                    drop-bytes 0
                    ..
                ..
            ..
        ..
    ..

The same settings can be made using the following NETCONF XML configuration:

vsr running config# show config xml absolute
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name>eth0</name>
        (...)
        <qos>
          <egress>
            <rate-limit>
              <policer>pol1</policer>
            </rate-limit>
          </egress>
        </qos>
      </physical>
    </interface>
  </vrf>
</config>

Each interface that specifies rate-limit policer pol1 instantiates a new policer dedicated to the interface in the specified direction (ingress or egress).

Rate limit interfaces with a shared policer

Physical and logical interfaces can rate limit their ingress and egress traffic by binding to a shared policer, defined in the qos context.

Enter the qos context of physical interface eth0:

vsr running config# vrf main
vsr running vrf main# interface physical eth0
vsr running physical eth0# qos
vsr running qos#

Configure rate limiting of egress traffic by shared policer shared-pol1:

vsr running qos# egress rate-limit shared-policer shared-pol1
vsr running qos# ..
vsr running physical eth0# ..
vsr running interface#

Enter the qos context of physical interface eth1:

vsr running interface# physical eth1
vsr running physical eth1# qos
vsr running qos#

Configure rate limiting of egress traffic by shared policer shared-pol1:

vsr running qos# egress rate-limit shared-policer shared-pol1
vsr running qos# ..
vsr running physical eth1# ..
vsr running interface#

Show the configuration of interfaces eth0 and eth1:

vsr running interface# show config nodefault
interface
    physical eth0
        (...)
        qos
            egress
                rate-limit
                    shared-policer shared-pol1
                    ..
                ..
            ..
        ..
    physical eth1
        (...)
        qos
            egress
                rate-limit
                    shared-policer shared-pol1
                    ..
                ..
            ..
        ..

Commit the configuration:

vsr running interface# commit
Configuration committed.
vsr running interface# /
vsr running config#

Show interface qos state:

vsr running config# show state vrf main interface
interface
    (...)
    physical eth0
        (...)
        qos
            egress
                rate-limit
                    policer
                        bandwidth 1G
                        burst 2K
                        excess-bandwidth 0
                        excess-burst 1
                        shared-policer shared-pol1
                        stats
                            pass-packets 0
                            pass-bytes 0
                            pass-excess-packets 0
                            pass-excess-bytes 0
                            drop-packets 0
                            drop-bytes 0
                            ..
                        ..
                    ..
                ..
            ..
        ..
    physical eth1
        (...)
        qos
            egress
                rate-limit
                    policer
                        bandwidth 1G
                        burst 2K
                        excess-bandwidth 0
                        excess-burst 1
                        shared-policer shared-pol1
                        stats
                            pass-packets 0
                            pass-bytes 0
                            pass-excess-packets 0
                            pass-excess-bytes 0
                            drop-packets 0
                            drop-bytes 0
                            ..
                        ..
                    ..
                ..
            ..
        ..

The same settings can be made using the following NETCONF XML configuration:

<config xmlns="urn:6wind:vrouter">
  <qos xmlns="urn:6wind:vrouter/qos">
    <policer>
      <name>pol1</name>
      <burst>2000</burst>
      <excess-bandwidth>0</excess-bandwidth>
      <excess-burst>1</excess-burst>
      <bandwidth>1000000000</bandwidth>
    </policer>
    <shared-policer>
      <name>shared-pol1</name>
      <policer>pol1</policer>
    </shared-policer>
  </qos>
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name>eth0</name>
        (...)
        <qos>
          <egress>
            <rate-limit>
              <shared-policer>shared-pol1</shared-policer>
            </rate-limit>
          </egress>
        </qos>
      </physical>
      <physical>
        <name>eth1</name>
        (...)
        <qos>
          <egress>
            <rate-limit>
              <shared-policer>shared-pol1</shared-policer>
            </rate-limit>
          </egress>
        </qos>
      </physical>
    </interface>
    (...)
  </vrf>
</config>

Each interface that specifies rate-limit shared-policer shared-pol1 uses the same shared policer object.

A given shared-policer may be shared by interfaces in different VRFs and directions.