Is rate limit working with Cumulus VX?


Hi All, I am testing rate limit on Cumulus VX 3.0 by using ebtables but no luck yet. After applying the rule, I do not see any traffic hit on the rule when I generate traffic to test. Does the rate limit work on Cumulus VX? Thank you!

8 replies

Userlevel 4
Hey Try,

How are you applying the rule? There is no netlink equivalent with iptables commands, so if you are directly using iptables commands the ASIC will not get this in hardware. You would need to use the command cl-acltool. It sounds like from your question you are using Cumulus VX (the VM), so this would not be your problem (but just in case).

If using Cumulus VX, can you just give me the iptables command you are running?

Hi Sean,

I am using cl-acltool, not iptables, on Cumulus VX to test the rate limit. Below is the command:

#more /etc/cumulus/acl/policy.d/test.rules
INGRESS_INTF = br22
INGRESS_CHAIN = FORWARD
[ebtables]
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j police --set-mode KB --set-rate 128 --set-burst 100

#cl-acltool -L eb
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-i br22 -j police --set-mode KB --set-rate 128 --set-burst 100 , pcnt = 0 -- bcnt = 0

Thanks!

Userlevel 4
Just use iptables directly when on Cumulus VX. All cl-acltool is syntax checking. Future versions may fix this. This is expected behavior, but if you use iptables directly it should work as desired.

Let me try iptables instead. But one thing that I noticed: the iptables service is not running on Cumulus. The iptables that you mentioned is relying on cl-acltool. Is that correct?

I have tried with iptables, but it does not seem to work either. There is still no traffic hitting the rule. Am I missing something?

- Configurations:
#more /etc/cumulus/acl/policy.d/test.rules

INGRESS_INTF = br22
INGRESS_CHAIN = FORWARD
[iptables]
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j POLICE --set-mode KB --set-rate 128 --set-burst 100

- Verification:
#cl-acltool -L ip | grep br22
0 0 POLICE all -- br22 any anywhere anywhere POLICE mode:KB rate:128 burst:100


Userlevel 4
What does iptables -L show?

The POLICE target will not work in VX. This target is built out enough to hold the configuration for synchronization to switch hardware, but is not implemented in the software forwarding path.

Ah... that's why no traffic hit the rules. Thanks, Sean and Trapier, for advising.

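A check for the symptom described in this thread, added here as an example and not part of the original posts: it reads rule listings in the two formats quoted above (ebtables with `pcnt`/`bcnt`, and the iptables listing with leading packet and byte columns) and reports police/POLICE rules whose packet counter is zero. The function names and the sample listing are constructed for illustration; the br23 and ACCEPT lines do not come from the thread.

```shell
#!/bin/sh
# zero_hit_police: read rule listings on stdin and print every police/POLICE
# rule whose packet counter is 0. A rule that stays at 0 while matching
# traffic is flowing is installed but not being evaluated.
zero_hit_police() {
    awk '
        # ebtables format: "... -j police ... , pcnt = N -- bcnt = M"
        /-j police/ && /pcnt = / {
            pk = $0
            sub(/.*pcnt = /, "", pk)   # keep text after "pcnt = "
            sub(/[^0-9].*/, "", pk)    # keep only the leading digits
            if (pk + 0 == 0) print "ebtables: " $0
            next
        }
        # iptables format: pkts is column 1, target is column 3
        $3 == "POLICE" && $1 ~ /^[0-9]+[KMG]?$/ {
            if ($1 == "0") print "iptables: " $0
        }
    '
}

# Constructed sample listing (lines 1 and 3 mirror the output in the thread).
sample_listing() {
    cat <<'EOF'
-i br22 -j police --set-mode KB --set-rate 128 --set-burst 100 , pcnt = 0 -- bcnt = 0
-i br23 -j police --set-mode KB --set-rate 128 --set-burst 100 , pcnt = 42 -- bcnt = 5376
0 0 POLICE all -- br22 any anywhere anywhere POLICE mode:KB rate:128 burst:100
17 1428 ACCEPT all -- br22 any anywhere anywhere
EOF
}

sample_listing | zero_hit_police
```

On a live system the same function can be fed from `cl-acltool -L eb` or `cl-acltool -L ip`, the commands used in the posts above.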