
Recipe 11.12 Using Committed Access Rate

11.12.1 Problem

You want to use Committed Access Rate (CAR) to control the flow of traffic through an interface.

11.12.2 Solution

CAR provides a useful method for policing the traffic rate through an interface. The main features of CAR are functionally similar to traffic shaping, but CAR also allows several extremely useful extensions. This first example shows the simplest application. We have configured CAR here to do basic rate limiting. The interface will transmit packets at an average rate of 500,000bps, allowing bursts of 4,500 bytes. If there is a burst of longer than 9,000 bytes, the router will drop the excess packets:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface HSSI0/0
Router(config-if)#rate-limit output 500000 4500 9000 conform-action transmit exceed-action drop
Router(config-if)#end
Router#

This next example defines three different traffic classifications using access lists, and separately limits the rates of these applications:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any eq www any
Router(config)#access-list 101 permit tcp any any eq www
Router(config)#access-list 102 permit tcp any eq ftp any
Router(config)#access-list 102 permit tcp any any eq ftp
Router(config)#access-list 102 permit tcp any eq ftp-data any
Router(config)#access-list 102 permit tcp any any eq ftp-data
Router(config)#access-list 103 permit ip any any
Router(config)#interface HSSI0/0
Router(config-if)#rate-limit output access-group 101 50000 4500 9000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output access-group 102 50000 4500 9000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output access-group 103 400000 4500 9000 conform-action transmit exceed-action drop
Router(config-if)#end
Router#

CAR also includes a useful option to match DSCP in the rate-limit command without needing to resort to an access group. In the following example, the DSCP values with the highest drop precedence values are rate-limited. Note that, unlike several other Cisco commands, here you must specify the decimal value of the DSCP field. Please refer to Table B-3 in Appendix B for a list of these values:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface HSSI0/0
Router(config-if)#rate-limit output dscp 14 50000 4500 9000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output dscp 22 50000 4500 9000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output dscp 30 50000 4500 9000 conform-action transmit exceed-action drop
Router(config-if)#end
Router#

Finally, CAR also allows you to define a new kind of access list called a rate-limiting access list:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list rate-limit 55 5
Router(config)#interface HSSI0/0
Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop
Router(config-if)#end
Router#

11.12.3 Discussion

People are often confused about the difference between CAR and traffic shaping, because they appear to perform extremely similar functions. However, there is one very important difference. When a traffic shaping interface experiences a burst of data, it attempts to buffer the excess. But CAR just does whatever exceed-action you have specified:

Router(config-if)#rate-limit output 500000 4500 9000 conform-action transmit exceed-action drop

In this example, the exceed-action is to simply drop the packet. Meanwhile, the conform-action in each example is to simply transmit the packet. Any traffic that falls below the configured rate is said to conform. CAR includes several other possibilities besides simply transmitting or dropping the packet:

drop

CAR drops the packet.

transmit

CAR transmits the packet unchanged.

set-prec-transmit

CAR changes the IP Precedence of the packet, and then transmits it.

continue

CAR moves on to evaluate the next rate-limit command on this interface.

set-prec-continue

CAR changes the IP Precedence and then evaluates the next rate-limit command.

Cisco has added several additional options to IOS Versions 12.0(14)ST and higher:

set-dscp-continue

CAR changes the DSCP field and then evaluates the next rate-limit command.

set-dscp-transmit

CAR changes the DSCP field and then transmits the packet.

set-qos-continue

CAR sets the qos-group and then evaluates the next rate-limit command.

set-qos-transmit

CAR sets the qos-group and then transmits the packet.

There are two additional commands that you can use with MPLS to alter the MPLS experimental field:

set-mpls-exp-continue

This sets the experimental field and then continues.

set-mpls-exp-transmit

This option sets the experimental field and transmits the packet.

The various continue options allow you to string together a series of CAR commands on an interface to do more sophisticated things:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any eq www any
Router(config)#access-list 101 permit tcp any any eq www
Router(config)#access-list 103 permit ip any any
Router(config)#interface HSSI0/0
Router(config-if)#rate-limit output 50000 4500 4500 conform-action transmit exceed-action continue
Router(config-if)#rate-limit output access-group 101 100000 4500 9000 conform-action set-prec-transmit 3 exceed-action continue
Router(config-if)#rate-limit output access-group 103 100000 4500 9000 conform-action set-prec-transmit 0 exceed-action drop
Router(config-if)#end
Router#

In this example, the interface will transmit all packets when the rate is 50,000bps or less. As soon as the traffic exceeds this rate, however, the router starts to bump up the IP Precedence of all HTTP traffic to a value of 3, and all other traffic goes down to a precedence of 0. It will continue to transmit all of these packets until the average rate exceeds 100,000bps. You can use this sort of technique to carefully tune how your network behaves in congestion situations.
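To make the conform/exceed decision and the continue chaining concrete, here is an added Python model (written for this page, not Cisco code and not from the book) of the two policies discussed so far: the single `rate-limit output 500000 4500 9000` statement from the first Solution example and the three chained statements just above. It assumes a plain token bucket whose depth is the normal burst; CAR's extended-burst handling is deliberately not modelled, and a packet that matches no statement, or whose last action is continue, is assumed to be transmitted. The packet streams are constructed for the example.

```python
"""Token-bucket model of Cisco CAR rate-limit statements (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    size: int            # bytes
    t_ms: int            # arrival time in milliseconds (integers keep the arithmetic exact)
    src_port: int = 0
    dst_port: int = 0
    precedence: int = 0  # IP Precedence (0-7)


class TokenBucket:
    """Single-rate token bucket: `rate_bps` refills a bucket `burst_bytes` deep.

    Assumption: only the normal burst is modelled, not CAR's extended burst, so a
    packet that does not fit in the bucket is always an exceed.
    """

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = burst_bytes   # starts full, so an initial burst is admitted
        self.last_ms = 0

    def offer(self, pkt: Packet) -> bool:
        """True if `pkt` conforms; only conforming packets consume tokens."""
        elapsed = pkt.t_ms - self.last_ms
        refill = elapsed * self.rate_bps // 8000          # bits/s * ms -> bytes
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_ms = pkt.t_ms
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False


@dataclass
class RateLimit:
    """One rate-limit statement; `match` stands in for the access-group (None = all traffic)."""
    bucket: TokenBucket
    conform: Tuple            # e.g. ("transmit",) or ("set-prec-transmit", 3)
    exceed: Tuple
    match: Optional[Callable[[Packet], bool]] = None


def evaluate(policy: List[RateLimit], pkt: Packet) -> str:
    """Walk the statements in order, as CAR does, returning "transmit" or "drop"."""
    for stmt in policy:
        if stmt.match is not None and not stmt.match(pkt):
            continue                                  # not this statement's traffic
        action = stmt.conform if stmt.bucket.offer(pkt) else stmt.exceed
        if action[0] in ("set-prec-transmit", "set-prec-continue"):
            pkt.precedence = action[1]
        if action[0] in ("transmit", "set-prec-transmit"):
            return "transmit"
        if action[0] == "drop":
            return "drop"
        # "continue" / "set-prec-continue": fall through to the next statement
    return "transmit"   # assumption: unmatched, or continued off the end, is forwarded


def single_policer_demo() -> Tuple[int, int]:
    """`rate-limit output 500000 4500 9000 conform-action transmit exceed-action drop`
    fed 10 x 1500-byte packets at once, then 100 more at 1 Mbps (constructed stream)."""
    policy = [RateLimit(TokenBucket(500_000, 4500), ("transmit",), ("drop",))]
    stream = [Packet(1500, 0) for _ in range(10)]            # instantaneous burst
    stream += [Packet(1500, 12 * k) for k in range(1, 101)]   # 1500 B every 12 ms = 1 Mbps
    results = [evaluate(policy, p) for p in stream]
    # -> (53, 57): 3 burst packets fit the 4500-byte normal burst; afterwards the
    #    500 kbps rate refills 750 bytes per 12 ms, so every second packet exceeds
    return results.count("transmit"), results.count("drop")


def is_http(p: Packet) -> bool:
    """Plays the role of access list 101: tcp any eq www any / tcp any any eq www."""
    return 80 in (p.src_port, p.dst_port)


def chained_policy_demo() -> Tuple[int, int, dict]:
    """The three chained statements from the Discussion, fed a 12-packet burst that
    alternates HTTP and SMTP (constructed), every packet arriving with Precedence 1."""
    policy = [
        RateLimit(TokenBucket(50_000, 4500), ("transmit",), ("continue",)),
        RateLimit(TokenBucket(100_000, 4500), ("set-prec-transmit", 3), ("continue",), is_http),
        RateLimit(TokenBucket(100_000, 4500), ("set-prec-transmit", 0), ("drop",), lambda p: True),
    ]
    burst = [Packet(1500, 0, dst_port=80 if i % 2 == 0 else 25, precedence=1) for i in range(12)]
    forwarded = dropped = 0
    prec_counts: dict = {}
    for p in burst:
        if evaluate(policy, p) == "transmit":
            forwarded += 1
            prec_counts[p.precedence] = prec_counts.get(p.precedence, 0) + 1
        else:
            dropped += 1
    # -> (9, 3, {1: 3, 3: 3, 0: 3}): the first 3 packets pass statement 1 untouched,
    #    the next 3 HTTP packets are remarked to 3, the next 3 SMTP packets to 0,
    #    and once every bucket is empty the remaining 3 are dropped
    return forwarded, dropped, prec_counts


if __name__ == "__main__":
    print("single policer (transmit, drop):", single_policer_demo())
    print("chained policy (forwarded, dropped, precedence counts):", chained_policy_demo())
```

The second demo is the point of the continue actions: the first statement never drops anything, it only decides whether a packet is "over 50 kbps" and hands it on, and the per-class statements behind it decide what remark or drop applies. Because tokens are only consumed by conforming packets, a packet that was passed on by one bucket is judged afresh by the next.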

You can also use CAR and the exceed-action set-prec-transmit command to lower the Precedence of high priority IP traffic when it exceeds its allocated portion of the bandwidth. Simply transmitting it with a lower Precedence represents a nice and useful intermediate step to dropping high priority packets outright. However, with real-time packets, it is better to drop than buffer or remark, because those options would introduce unwanted latency and jitter.

The other useful thing you can do with CAR is to rate-limit inbound traffic:

Router(config-if)#rate-limit input 50000 4500 4500 conform-action transmit exceed-action drop

Of course, it's never completely ideal to allow a remote device to send too many packets across the network, only to drop them as they are received. But it is sometimes useful when your network acts as a service provider to other networks. For example, you might have downstream customers who have subscribed to a subrate service. This would include things like selling access through an Ethernet port, but restricting the customer to some lower rate such as 100Kbps.

Alternatively, you could use inbound rate-limit commands to ensure that your downstream customers are allowed to use your network for surfing the web, but only if the rate is kept below some threshold:

Router(config)#access-list 101 permit tcp any eq www any
Router(config)#access-list 101 permit tcp any any eq www
Router(config)#access-list 103 permit ip any any
Router(config)#interface HSSI0/0
Router(config-if)#rate-limit input 50000 4500 4500 conform-action transmit exceed-action continue
Router(config-if)#rate-limit input access-group 101 100000 4500 9000 conform-action drop exceed-action continue
Router(config-if)#rate-limit input access-group 103 100000 4500 9000 conform-action transmit exceed-action drop
Router(config-if)#end
Router#

You could even use CAR to simply rewrite the IP Precedence values of all packets received from a customer:

Router(config)#interface HSSI0/0
Router(config-if)#rate-limit input 100000 4500 9000 conform-action set-prec-transmit 0 exceed-action set-prec-transmit 0
Router(config-if)#end
Router#

This same technique is also helpful in combating Internet-based DoS attacks. For example, if your network is being inundated with a PING flood or SYN ACK attack, you might want to look specifically for these types of packets and make sure that they are restricted to a low but reasonable rate. This way, the legitimate uses of these packets will not suffer, but you will reduce the denial-of-service problem.

The last example in the solution section of this recipe needs a little bit of explanation because some of the properties can be confusing:

Router(config)#access-list rate-limit 55 5
Router(config)#interface HSSI0/0
Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop

The access-list rate-limit command allows you to create a new and special variety of access lists especially for use with CAR. There are three ranges of rate-limiting access list index numbers. You use access lists with values between 0 and 99 to match IP Precedence values. If the index number is between 100 and 199, it will match MAC addresses, and if it is between 200 and 299, it matches MPLS experimental field values.

In the example above, access list number 55 simply matches all packets with IP Precedence values of 5. You can also use a precedence bit mask to match several values. For example, to match Precedence values 0, 1, and 2, you could use a mask of 01100000, which is 96 in decimal:

Router(config)#access-list rate-limit 56 mask 96

The MPLS access lists work in a similar way, matching the value in the MPLS experimental field:

Router(config)#access-list rate-limit 255 6
Router(config)#access-list rate-limit 256 mask 42

The MAC address access lists work on standard Ethernet or Token Ring 48-bit MAC addresses:

Router(config)#access-list rate-limit 155 0000.0c07.ac01

You have to be careful about how you use these rate-limiting access lists, because it's easy to get them confused with regular access lists. You can have a regular access list with the same number as a rate-limiting access list. The only difference is that you apply rate-limiting access lists with the rate-limit keyword on the rate-limit command as follows:

Router(config)#interface HSSI0/0
Router(config-if)#rate-limit output access-group rate-limit 55 50000 4500 9000 conform-action transmit exceed-action drop
