Fault Symptom
Router A functions as the egress. Rate limiting is configured in the inbound direction of GE 1/0/0 on Router A for UDP packets other than DNS, SNMP, SNMP Trap, and Syslog packets. The rate of these UDP packets is limited to 1.3 Gbit/s. After the configuration, a user on another network cannot access the DNS server on this network.
Fault Analysis
1. After the rate limit configuration is deleted by running the undo car command in the traffic behavior view on Router A, the user on the other network can access the DNS server on this network again. Therefore, the fault is caused by an incorrect configuration.
2. Run the display current-configuration command on Router A to check its configurations:
acl number 3300
 rule 0 deny udp destination-port eq dns
 rule 1 deny udp destination-port eq snmp
 rule 2 deny udp destination-port eq snmptrap
 rule 3 deny udp destination-port eq syslog
 rule 4 permit udp
traffic classifier udp-limit operator and
 if-match acl 3300
traffic behavior udp-limit
 car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
 classifier udp-limit behavior udp-limit
The preceding information indicates that DNS, SNMP, SNMP Trap, and Syslog packets are all denied, because they match ACL rules whose action is deny. As a result, these packets are discarded directly on Router A and are never processed by the configured traffic behavior.
Therefore, the actions in the rules of ACL 3300 need to be set to permit for DNS, SNMP, SNMP Trap, and Syslog packets, and an ACL rule needs to be added to implement rate limit on the other types of UDP packets.
Procedure
1. Define ACL 3300 for DNS, SNMP, SNMP Trap, and Syslog packets, configure a traffic classifier through the traffic classifier udp-limit command, configure a traffic behavior by using the traffic behavior udp-limit command, and create a traffic policy by using the traffic policy udp-limit command.
2. Define ACL 3301 for UDP packets other than DNS, SNMP, SNMP Trap, and Syslog packets, configure a traffic classifier through the traffic classifier udp-limit1 command, configure a traffic behavior by using the traffic behavior udp-limit1 command, and create a traffic policy by using the traffic policy udp-limit1 command.
3. Run the display current-configuration command on Router A to check the corresponding configurations:
acl number 3300
 rule 0 permit udp destination-port eq dns
 rule 1 permit udp destination-port eq snmp
 rule 2 permit udp destination-port eq snmptrap
 rule 3 permit udp destination-port eq syslog
acl number 3301
 rule 0 permit udp
traffic classifier udp-limit operator or
 if-match acl 3300
traffic classifier udp-limit1 operator or
 if-match acl 3301
traffic behavior udp-limit
traffic behavior udp-limit1
 car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
 classifier udp-limit behavior udp-limit
 classifier udp-limit1 behavior udp-limit1
DNS, SNMP, SNMP Trap, and Syslog packets match ACL 3300 and are forwarded according to the traffic behavior configured through the traffic behavior udp-limit command, which contains no action. UDP packets other than DNS, SNMP, SNMP Trap, and Syslog packets match ACL 3301 and are forwarded according to the traffic behavior configured through the traffic behavior udp-limit1 command, which applies the CAR rate limit.
After the preceding operations, a user on another network can access the DNS server on this network and rate limit takes effect. The fault is rectified.
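The following is an added example, not part of the original troubleshooting case: a small Python model of how a traffic policy evaluates the referenced ACL before the traffic behavior is reached. It encodes the page's original and corrected ACLs and reproduces the fault (DNS dropped by a deny rule) and the fix (DNS forwarded, other UDP rate-limited). The port numbers behind the keyword names are assumptions (dns=53, snmp=161, snmptrap=162, syslog=514), as is the simplified policy model.

```python
# Added example (not from the original case): models how a traffic policy applies
# the ACL verdict before the traffic behavior, so a 'deny' rule discards packets
# that were meant to be rate-limited. Port numbers for the keywords are assumed.
PORT_NAMES = {"dns": 53, "snmp": 161, "snmptrap": 162, "syslog": 514}

ACL_3300_BEFORE = """
rule 0 deny udp destination-port eq dns
rule 1 deny udp destination-port eq snmp
rule 2 deny udp destination-port eq snmptrap
rule 3 deny udp destination-port eq syslog
rule 4 permit udp
"""
ACL_3300_AFTER = """
rule 0 permit udp destination-port eq dns
rule 1 permit udp destination-port eq snmp
rule 2 permit udp destination-port eq snmptrap
rule 3 permit udp destination-port eq syslog
"""
ACL_3301 = "rule 0 permit udp"

# A policy is an ordered list of (ACL rules, behavior applied when the ACL permits).
# None models the empty 'traffic behavior udp-limit' of the corrected configuration.
POLICY_BEFORE = [(ACL_3300_BEFORE, "car")]
POLICY_AFTER = [(ACL_3300_AFTER, None), (ACL_3301, "car")]

def parse_rules(text):
    """Turn 'rule N permit|deny udp [destination-port eq NAME]' into (action, port)."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        port = PORT_NAMES[parts[-1]] if "destination-port" in parts else None
        rules.append((parts[2], port))
    return rules

def acl_lookup(rules, dport):
    """First matching rule wins; None means the ACL did not match at all."""
    for action, port in rules:
        if port is None or port == dport:
            return action
    return None

def classify(policy, dport):
    """Outcome for a UDP packet to dport: 'drop', 'car' or 'forward'."""
    for acl_text, behavior in policy:
        verdict = acl_lookup(parse_rules(acl_text), dport)
        if verdict == "deny":
            return "drop"              # discarded by the ACL; behavior never applied
        if verdict == "permit":
            return behavior or "forward"
    return "forward"                   # no classifier matched: default forwarding
```

Calling classify(POLICY_BEFORE, 53) yields "drop", while classify(POLICY_AFTER, 53) yields "forward" and classify(POLICY_AFTER, 5000) yields "car".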
Summary
An ACL referenced by a traffic classifier not only classifies traffic but also permits or denies it, that is, forwards or discards it. A deny rule discards matching packets before any traffic behavior is applied, so make sure that packets that need to be rate limited are matched by permit rules rather than discarded.
