Fault Symptom
Access control is configured on Router A to discard UDP packets destined for specific destination ports (DNS, SNMP, SNMP trap and syslog), and rate limiting is configured to limit the rate of all other data packets. After the configuration is complete, it is found that the rate limit does not take effect.
Fault Analysis
1. Run the display current-configuration command on Router A.
acl number 3300
rule 0 deny udp destination-port eq dns
rule 1 deny udp destination-port eq snmp
rule 2 deny udp destination-port eq snmptrap
rule 3 deny udp destination-port eq syslog
traffic classifier udp-limit operator and
if-match acl 3300
traffic behavior udp-limit
car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
classifier udp-limit behavior udp-limit
interface gigabitethernet 1/0/0
traffic-policy udp-limit inbound
The preceding command output shows that after a data packet enters the interface, the packet is matched against the ACL rules referenced by the traffic classifier. If the packet matches an ACL rule whose action is deny, the packet is discarded, and the traffic behavior is never applied to it. Packets that do not match any ACL rule are not classified at all and are directly forwarded, so the CAR action configured in the traffic behavior is never applied to them either.
Therefore, to limit the rate of the data packets that do not match any deny rule, you need to add an ACL rule that permits these packets, so that they are classified and the traffic behavior applies to them. The rate limit then takes effect on these data packets.
Procedure
1. Run the undo traffic-policy command in the interface view to cancel the traffic policy that is applied to the interface.
2. Run the system-view command to enter the system view.
3. Run the undo traffic policy policy-name command to delete the traffic policy from the device.
4. Run the traffic behavior udp-limit command to enter the traffic behavior view.
5. Run the undo car command to cancel the configured traffic rate limit.
6. Run the quit command to return to the system view.
7. Run the acl [ number ] acl-number command to add an ACL.
8. Run the rule rule-id permit any command to permit the packets other than the UDP packets destined for the specific ports that are denied.
9. Run the quit command to return to the system view.
10. Run the traffic classifier classifier-name command to configure a traffic classifier.
11. Run the if-match acl acl-number command to define an ACL matching rule.
12. Run the quit command to return to the system view.
13. Run the traffic behavior behavior-name command to configure a traffic behavior.
14. Run the car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard command to configure a rate limit for the packets that are allowed to pass.
15. Run the quit command to return to the system view.
16. Run the traffic policy policy-name command to create a traffic policy and then run the classifier classifier-name behavior behavior-name command to associate the traffic classifier with the traffic behavior in the traffic policy.
17. Run the traffic-policy policy-name inbound command on the interface to apply the traffic policy to the interface.
18. Run the display current-configuration command to check the corresponding configurations.
acl number 3300
rule 0 deny udp destination-port eq dns
rule 1 deny udp destination-port eq snmp
rule 2 deny udp destination-port eq snmptrap
rule 3 deny udp destination-port eq syslog
acl number 3301
rule 4 permit any
traffic classifier udp-limit operator or
if-match acl 3300
traffic classifier udp-limit1 operator or
if-match acl 3301
traffic behavior udp-limit
traffic behavior udp-limit1
car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
classifier udp-limit behavior udp-limit
classifier udp-limit1 behavior udp-limit1
interface gigabitethernet 1/0/0
traffic-policy udp-limit inbound
After the preceding operations, both access control and rate limit take effect. The fault is rectified.
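To make the matching behaviour described above concrete, the following is an added example (not code from the page or from the vendor): a small Python model of how a packet is handled by the policy before and after the fix. The VRP-style config texts are constructed from the page (the original ACL is abridged to two deny rules) and the parser understands only the command forms that appear on this page.

```python
# Constructed model (not vendor code) of how the page's inbound traffic policy treats
# a packet: an ACL deny hit in a classifier discards it, a permit hit applies the
# behavior (CAR), and a packet no classifier matches is forwarded with no rate limit.
def parse(text):
    """Parse the acl/classifier/behavior/policy lines of a VRP-style config."""
    cfg, cur = {"acl": {}, "classifier": {}, "behavior": {}, "policy": []}, None
    for w in filter(None, (line.split() for line in text.splitlines())):
        if w[0] in ("acl", "traffic"):     # acl number <n> | traffic classifier|behavior|policy <name>
            kind = "acl" if w[0] == "acl" else w[1]
            cur = cfg["policy"] if kind == "policy" else cfg[kind].setdefault(w[2], [])
        elif w[0] == "rule":               # rule <id> deny udp destination-port eq <svc> | permit any
            cur.append((w[2], None if w[3] == "any" else (w[3], w[6])))
        elif w[0] == "if-match":           # if-match acl <n>
            cur.append(w[2])
        elif w[0] == "car":                # car cir ... : this behavior rate-limits
            cur.append("car")
        elif w[0] == "classifier":         # classifier <c> behavior <b> (inside traffic policy)
            cur.append((w[1], w[3]))
    return cfg

def classify(cfg, pkt):
    """Outcome for a (proto, dst_service) packet: 'discard', 'car' or 'forward'."""
    for cname, bname in cfg["policy"]:               # classifiers are tried in order
        for acl in cfg["classifier"][cname]:
            hit = next((a for a, m in cfg["acl"][acl] if m in (None, pkt)), None)
            if hit == "deny":
                return "discard"                     # dropped; the behavior never runs
            if hit == "permit":
                return "car" if "car" in cfg["behavior"][bname] else "forward"
    return "forward"                                 # unclassified: forwarded, no CAR

ORIGINAL = """acl number 3300
rule 0 deny udp destination-port eq dns
rule 3 deny udp destination-port eq syslog
traffic classifier udp-limit operator and
if-match acl 3300
traffic behavior udp-limit
car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
classifier udp-limit behavior udp-limit"""
# The fix from the page: a permit-any ACL in a second classifier/behavior pair so the
# remaining packets are classified and hit CAR (re-entering the policy view appends).
# The page also removes car from udp-limit; that changes nothing, deny hits are dropped.
FIXED = ORIGINAL + """
acl number 3301
rule 4 permit any
traffic classifier udp-limit1 operator or
if-match acl 3301
traffic behavior udp-limit1
car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
classifier udp-limit1 behavior udp-limit1"""
```

Calling classify(parse(ORIGINAL), ("tcp", "http")) returns "forward" while classify(parse(FIXED), ("tcp", "http")) returns "car", which is the whole fault in one comparison; a denied packet such as ("udp", "dns") is discarded in both cases.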
Summary
When configuring access control, you can use the deny action to discard packets. Packets that are not denied are forwarded directly and, by default, are not rate limited, because they do not match any classifier. To limit the rate of the packets that are not denied, first configure an ACL rule that permits them, and then configure a traffic behavior that limits the rate at which these packets are forwarded.
