Cumulus Linux vs Cisco IOS: Policing


Issue

I already know Cisco IOS, but I would like to see a translation of policing from IOS syntax to iptables for use with Cumulus Linux and cl-acltool, the Cumulus Linux tool that installs iptables rules into the hardware ASIC.

Resolution

Before comparing Cumulus Linux and Cisco IOS syntax, first create the iptables rules file in Cumulus Linux.

Configuring iptables Rules Files in Cumulus Linux

Cumulus Networks recommends you create a persistent configuration of the iptables rules. Create a .rules file in /etc/cumulus/acl/policy.d/ like this example:

cumulus@switch$ cat /etc/cumulus/acl/policy.d/10.rules
[iptables]
-A FORWARD --in-interface swp1 -j POLICE --set-mode KB --set-rate 125000 --set-burst 2000
-A FORWARD --in-interface swp2 -m dscp --dscp 10 -j POLICE --set-mode KB --set-rate 31250 --set-burst 2000
-A FORWARD --in-interface swp3 -j POLICE --set-mode KB --set-rate 12500 --set-burst 2000 -s 5.5.5.0/24

By default, there are two control plane policing rules files: 00control_plane.rules and 99control_plane_catch_all.rules. Rules are installed in sequential, ascending order (so 00control_plane.rules is installed first, while 10.rules would be installed second and 99control_plane_catch_all.rules is installed last). These rules are all stored in the same directory, /etc/cumulus/acl/policy.d/:

cumulus@leaf1$ ls /etc/cumulus/acl/policy.d/
00control_plane.rules  10.rules  99control_plane_catch_all.rules

You can determine how many rules can be installed into the ASIC using the cl-resource-query command:

cumulus@leaf1$ cl-resource-query | grep ACL
Ingress ACL entries:       73,   5% of maximum value   1280
Ingress ACL counters:      94,   7% of maximum value   1280
Ingress ACL meters:        21,   0% of maximum value   4096
Ingress ACL slices:         2,  50% of maximum value      4
Egress ACL entries:        26,  10% of maximum value    256
Egress ACL counters:       51,   4% of maximum value   1024
Egress ACL meters:         25,   9% of maximum value    256
Egress ACL slices:          1, 100% of maximum value      1

You can find more information on how netfilter and cl-acltool work in the user guide.

Comparing iptables Rules in Cumulus Linux vs Cisco IOS

Following are three example rules implemented as iptables in Cumulus Linux alongside their equivalent syntax in IOS.

Example 1: Policing a Physical Interface

The following rule polices all traffic on the interface to 1 Gbps. Cumulus Linux uses kilobytes per second (KBps) mode, where 125000 KBps = 1 Gbps; Cisco IOS uses bits per second, where 1000000000 bps = 1 Gbps:

Cumulus Linux:

-A FORWARD --in-interface swp1 -j POLICE --set-mode KB --set-rate 125000 --set-burst 2000

Output:

cumulus@leaf1$ sudo cl-acltool -L ip | grep swp1
pkts bytes target prot opt in   out source   destination
0    0     POLICE all  -- swp1 any anywhere anywhere    POLICE mode:KB rate:125000 burst:2000

Cisco Systems IOS:

policy-map sean
 class class-default
    police cir 1000000000
interface TenGigabitEthernet1/13
 service-policy input sean

Output:

4500X-1#show policy-map interface ten1/13
 TenGigabitEthernet1/13

  Service-policy input: sean

    Class-map: class-default (match-any)
      0 packets
      Match: any
        0 packets
      police:
          cir 1000000000 bps, bc 31250000 bytes
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop
        conformed 0000 bps, exceed 0000 bps

Example 2: Policing DSCP values

This rule polices all traffic entering swp2 with a DSCP marking of 10 (AF11) down to 31250 KBps (0.25 Gbps):

Cumulus Linux:

-A FORWARD --in-interface swp2 -m dscp --dscp 10 -j POLICE --set-mode KB --set-rate 31250 --set-burst 2000

Output:

cumulus@leaf1$ sudo cl-acltool -L ip | grep swp2
pkts bytes target prot opt in   out source   destination
0    0     POLICE  all  -- swp2 any anywhere anywhere    DSCP match 0x0a POLICE  mode:KB rate:31250 burst:2000

Cisco Systems IOS:

class-map match-all dscp10
  match  dscp af11
!
policy-map sean2
 class dscp10
    police cir 250000000
!
interface TenGigabitEthernet1/14
 service-policy input sean2

Output:

4500X-1#show policy-map interface ten1/14
 TenGigabitEthernet1/14

  Service-policy input: sean2

    Class-map: dscp10 (match-all)
      0 packets
      Match:  dscp af11 (10)
      police:
          cir 250000000 bps, bc 7812500 bytes
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop
        conformed 0000 bps, exceed 0000 bps

    Class-map: class-default (match-any)
      0 packets
      Match: any
        0 packets

Example 3: Policing by Source Traffic

The following rule polices all traffic from subnet 3.3.3.0/24 down to 1/10 Gbps (0.1 Gbps), which is 12500 KBps or 100000000 bps:

Cumulus Linux:

-A FORWARD --in-interface swp3 -j POLICE --set-mode KB --set-rate 12500 --set-burst 2000 -s 3.3.3.0/24

Output:

cumulus@leaf1$ sudo cl-acltool -L ip | grep swp3
pkts bytes target prot opt in   out source     destination
0    0     POLICE all  --  swp3 any 3.3.3.0/24 anywhere   POLICE  mode:KB rate:12500 burst:2000

Cisco Systems IOS:

access-list 100 permit ip 3.3.3.0 0.0.0.255 any
!
class-map match-all heller
  match access-group 100
!
policy-map heller
 class heller
    police cir 100000000
!
interface TenGigabitEthernet1/15
 service-policy input heller
!

Output:

4500X-1#show policy-map interface ten1/15
 TenGigabitEthernet1/15

  Service-policy input: heller

    Class-map: heller (match-all)
      0 packets
      Match: access-group 100
      Match: any
      police:
          cir 100000000 bps, bc 3125000 bytes
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop
        conformed 0000 bps, exceed 0000 bps

    Class-map: class-default (match-any)
      0 packets
      Match: any
        0 packets

Using a Unit Converter

Sometimes it's easy to make human errors when doing the math to convert from megabytes to gigabits, or bps to MBps, for example. Using a unit converter is reliable and very easy; just select Digital Storage from the menu, then choose the appropriate units to compare.
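The following helper is an added example, not part of this article or of cl-acltool: it does the bps-to-KBps conversion the three examples above rely on (and that this section warns is easy to get wrong by hand), emits the matching rules-file line, and reads the free ingress ACL entry count from cl-resource-query output. The function names and the sample cl-resource-query line are constructed for illustration; the cir/32 burst figure is taken from the show outputs above.

```shell
#!/bin/sh
# Added helper (not from the article or cl-acltool): Cisco "police cir <bps>"
# value -> Cumulus Linux POLICE rule line, plus an ASIC headroom check.

# The examples above use 125000 KBps = 1 Gbps, i.e. 1 KBps = 8000 bps.
bps_to_kbps() {
    # $1 = CIR in bits per second; prints KBps. Refuses a rate that is not a
    # whole number of KBps so a silent rounding error cannot reach the ASIC.
    if [ $(( $1 % 8000 )) -ne 0 ]; then
        echo "rate $1 bps is not a whole number of KBps" >&2
        return 1
    fi
    echo $(( $1 / 8000 ))
}

# Cisco's default Bc in the show outputs above is cir/32 bytes
# (cir 1000000000 bps -> bc 31250000 bytes); handy when comparing bursts.
cisco_default_bc() {
    echo $(( $1 / 32 ))
}

police_rule() {
    # usage: police_rule <in-interface> <cir_bps> [extra iptables matches...]
    # Prints one line for /etc/cumulus/acl/policy.d/NN.rules using the
    # 2000 KB burst from the article. Extra matches (-m dscp --dscp 10,
    # -s 3.3.3.0/24, ...) are placed before -j, which iptables accepts.
    iface=$1; bps=$2; shift 2
    kb=$(bps_to_kbps "$bps") || return 1
    printf '%s %s %s-j POLICE --set-mode KB --set-rate %s --set-burst 2000\n' \
        "-A FORWARD --in-interface" "$iface" "${*:+$* }" "$kb"
}

# Headroom check: pipe "cl-resource-query" output in and get the number of
# ingress ACL entries still free, so a new rules file is sized before it is
# installed. The sample line below is constructed in the article's format.
free_ingress_entries() {
    awk '/^Ingress ACL entries:/ { gsub(",", "", $4); print $NF - $4 }'
}
SAMPLE_RESOURCE_QUERY='Ingress ACL entries:       73,   5% of maximum value   1280'

# Stand-alone demonstration: the three rules from the article, then headroom.
police_rule swp1 1000000000
police_rule swp2 250000000 -m dscp --dscp 10
police_rule swp3 100000000 -s 3.3.3.0/24
echo "$SAMPLE_RESOURCE_QUERY" | free_ingress_entries
```

On a real switch, replace the constructed sample with `cl-resource-query | free_ingress_entries`.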

For More Information

Please refer to the Netfilter documentation for more information. nixCraft is also a great resource for learning Linux and iptables. In addition to the man pages, Debian also has great documentation.
