Policing

Policing is used to limit the bandwidth of traffic that enters the switch at ingress.

Traffic that exceeds the configured bandwidth is dropped.

A policer is configured by using rate and burst parameters, where rate is the maximum traffic rate in bits per second and burst is the maximum allowed burst in bytes.

Policers are implemented using a tc filter containing a police action.

The tc filter is attached to a clsact qdisc, which must be created first:

# tc qdisc add dev eth0 clsact

See the TC Introduction page for a general introduction to tc commands.

1. Port Policer

A port policer limits the bandwidth of traffic that enters the port at ingress and is implemented by a tc matchall filter.

Set up a port policer with a rate of 100 Megabits per second and a burst of 4096 bytes:

# tc filter add dev eth0 ingress prio 100 handle 200 matchall skip_sw \
  action police rate 100000000 burst 4096

The skip_sw flag signals that hardware offload is required.

Show port policer statistics:

# tc -s filter show dev eth0 ingress
filter protocol all pref 100 matchall chain 0
filter protocol all pref 100 matchall chain 0 handle 0xc8
  skip_sw
  in_hw (rule hit 0)
        action order 1:  police 0x1 rate 100Mbit burst 4075b mtu 2Kb action reclassify overhead 0b
        ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 1004000 bytes 1000 pkt (dropped 893, overlimits 0 requeues 0)
        Sent software 0 bytes 0 pkt
        Sent hardware 1004000 bytes 1000 pkt
        backlog 0b 0p requeues 0
        used_hw_stats immediate

The output shows that 893 of the 1000 packets that hit the filter were dropped by the policer.

Delete the port policer created above:

# tc filter del dev eth0 ingress prio 100 handle 200 matchall

2. ACL Policer

An ACL policer makes it possible to limit the bandwidth of a specific incoming traffic stream.

ACL policers are implemented by a tc flower filter that is hardware offloaded via VCAP IS2.

See the TC and VCAP page for more information about how to configure VCAPs by using tc commands.

Set up an ACL policer with a rate of 100 Megabits per second and a burst of 4096 bytes that polices all traffic with destination IP address 10.10.10.10:

# tc filter add dev eth0 ingress chain 20000 prio 100 handle 200 protocol ip flower skip_sw \
  dst_ip 10.10.10.10 \
  action police rate 100000000 burst 4096 \
  action goto chain 21000

The skip_sw flag signals that hardware offload is required.

Show ACL policer statistics:

# tc -s filter show dev eth0 ingress
filter protocol ip pref 100 flower chain 20000
filter protocol ip pref 100 flower chain 20000 handle 0xc8
  eth_type ipv4
  dst_ip 10.10.10.10
  skip_sw
  in_hw in_hw_count 1
        action order 1:  police 0x1 rate 100Mbit burst 4075b mtu 2Kb action reclassify overhead 0b
        ref 2 bind 1 installed 8 sec used 8 sec
        Action statistics:
        Sent 0 bytes 10000 pkt (dropped 0, overlimits 0 requeues 0)
        Sent software 0 bytes 0 pkt
        Sent hardware 0 bytes 10000 pkt
        backlog 0b 0p requeues 0
        used_hw_stats immediate

        action order 2: gact action goto chain 21000
         random type none pass val 0
         index 2 ref 1 bind 1 installed 8 sec used 8 sec
        Action statistics:
        Sent 0 bytes 10000 pkt (dropped 0, overlimits 0 requeues 0)
        Sent software 0 bytes 0 pkt
        Sent hardware 0 bytes 10000 pkt
        backlog 0b 0p requeues 0
        used_hw_stats immediate

The output shows that the filter was hit by 10000 packets.

ACL policers do not support counting dropped frames, so the dropped counter shown above does not reflect policed traffic.
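As an added example (not part of this page or of the switch driver's tooling), the following Python parser reads the tc -s filter show output shown for the port and ACL policers above, extracts each policer's hardware-offload state and counters, and computes a drop ratio only for the matchall port policer, because the flower ACL policer's dropped counter is not supported. The sample output embedded in the code is constructed from the listings on this page, abridged to the lines the parser needs.

```python
import re

# Constructed sample: abridged 'tc -s filter show dev eth0 ingress' output from this
# page: the matchall port policer, then the flower ACL policer (whose goto-chain
# action reports its own statistics block).
SAMPLE_STATS = """\
filter protocol all pref 100 matchall chain 0 handle 0xc8
  in_hw (rule hit 0)
        action order 1:  police 0x1 rate 100Mbit burst 4075b mtu 2Kb action reclassify overhead 0b
        Sent 1004000 bytes 1000 pkt (dropped 893, overlimits 0 requeues 0)
filter protocol ip pref 100 flower chain 20000 handle 0xc8
  dst_ip 10.10.10.10
  in_hw in_hw_count 1
        action order 1:  police 0x1 rate 100Mbit burst 4075b mtu 2Kb action reclassify overhead 0b
        Sent 0 bytes 10000 pkt (dropped 0, overlimits 0 requeues 0)
        action order 2: gact action goto chain 21000
        Sent 0 bytes 10000 pkt (dropped 0, overlimits 0 requeues 0)
"""

FILTER_RE = re.compile(r"^filter protocol \S+ pref (\d+) (\w+) chain (\d+) handle (0x[0-9a-f]+)")
POLICE_RE = re.compile(r"police \S+ rate (\S+) burst (\S+)")
STATS_RE = re.compile(r"Sent \d+ bytes (\d+) pkt \(dropped (\d+),")

def parse_policers(text):
    """Return one record per filter (with a handle) that carries a police action."""
    records, cur = [], None
    for line in text.splitlines():
        if m := FILTER_RE.match(line):
            cur = {"pref": int(m[1]), "kind": m[2], "chain": int(m[3]), "handle": m[4],
                   "in_hw": False, "rate": None, "burst": None, "pkts": None, "dropped": None}
            records.append(cur)
        elif cur is None:
            continue
        elif line.strip().startswith("in_hw"):  # a 'not_in_hw' line deliberately does not match
            cur["in_hw"] = True
        elif (m := POLICE_RE.search(line)) and cur["rate"] is None:
            cur["rate"], cur["burst"] = m[1], m[2]
        elif (m := STATS_RE.search(line)) and cur["rate"] is not None and cur["pkts"] is None:
            # Only the first statistics block after the police action belongs to it;
            # the gact goto-chain action's block further down is skipped.
            cur["pkts"], cur["dropped"] = int(m[1]), int(m[2])
    return [r for r in records if r["rate"] is not None]

def drop_ratio(rec):
    """Dropped fraction for a port (matchall) policer; None for ACL (flower) policers,
    which do not count dropped frames, so their 'dropped 0' is not evidence of no drops."""
    if rec["kind"] != "matchall" or not rec["pkts"]:
        return None
    return rec["dropped"] / rec["pkts"]
```

Run against live output with parse_policers(subprocess.check_output(["tc", "-s", "filter", "show", "dev", "eth0", "ingress"], text=True)); a record whose in_hw is False means the policer is not enforced in hardware.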

Delete the ACL policer created above:

# tc filter del dev eth0 ingress chain 20000 prio 100 handle 200 protocol ip flower

3. PSFP Policer

A PSFP policer works in much the same way as an ACL policer and is explained in detail on the PSFP page.

4. BUM Policer

A BUM policer limits the bandwidth of known and unknown broadcast, unicast, and multicast traffic. It is configured using tc flower to set up per-port, per-flow rules for rate limiting each type of traffic.

To configure BUM policing, you need to use both the dst_mac and l2_miss keys in tc flower. The dst_mac key matches the destination MAC address, allowing you to target broadcast, unicast, or multicast traffic as needed. The l2_miss key determines whether the rule matches traffic with a known or unknown destination MAC address: set l2_miss to 0 to match known traffic, or to 1 to match unknown traffic.

When using dst_mac in combination with l2_miss, the driver determines the traffic type based on the value of the dst_mac key and sets up the rule to match the appropriate traffic. Specifically:

  • Setting dst_mac ff:ff:ff:ff:ff:ff matches broadcast traffic.

  • Setting dst_mac 01:00:00:00:00:00/01:00:00:00:00:00 matches multicast traffic.

  • Setting dst_mac 00:00:00:00:00:00/00:00:00:00:00:00, or omitting the dst_mac key entirely, matches unicast traffic.

4.1. Examples

4.1.1. Unknown broadcast

Police any unknown broadcast frame with a rate of 500 Mbps and a burst size of 1024 bytes:

# tc filter add dev eth0 ingress chain 1100000 prio 1 handle 1 protocol 0xbeef \
  flower dst_mac ff:ff:ff:ff:ff:ff l2_miss 1 \
  action police rate 500000000 burst 1024 conform-exceed drop \
  action goto chain 1200000

4.1.2. Unknown unicast

Police any unknown unicast frame with a rate of 250 Mbps and a burst size of 2048 bytes:

# tc filter add dev eth0 ingress chain 1100000 prio 1 handle 1 protocol all \
  flower dst_mac 00:00:00:00:00:00/00:00:00:00:00:00 l2_miss 1 \
  action police rate 250000000 burst 2048 conform-exceed drop \
  action goto chain 1200000

4.1.3. Unknown multicast

Police any unknown multicast frame with a rate of 125 Mbps and a burst size of 4096 bytes:

# tc filter add dev eth0 ingress chain 1100000 prio 1 handle 1 protocol 0xbeef \
  flower dst_mac 01:00:00:00:00:00/01:00:00:00:00:00 l2_miss 1 \
  action police rate 125000000 burst 4096 conform-exceed drop \
  action goto chain 1200000

The switch driver installs a per-VLAN broadcast address in the MAC table, which means that broadcast frames can be classified as either known or unknown.

The skip_sw flag, as used in the port and ACL policer examples above, signals that hardware offload is required.

The driver always configures BUM policing when the l2_miss key is specified in a tc flower rule.