Specifications

White Paper
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 55 of 89
8.10 User Based Rate Limiting (UBRL)
When Microflow policing is enabled, interface full flow masks are used. This means that a Microflow policer will apply
to each flow with a unique source/destination IP address, a unique source/destination port number and a unique
interface. To explain this further, let's assume a Microflow policer with a rate of 1 Mbps is applied to a switchport. A
user on this port starts three different applications (for example, web, email and a telnet session) and each of these
applications creates a single flow. The result of the Microflow policer would be that only 3 Mbps of traffic would be
allowed through this port. If the user then started another web window that started four flows, then the total traffic
allowed would be 7 Mbps (i.e. 1 Mbps x 7 flows). With a Microflow policer, it is not the total amount of traffic that is
limited, but rather the amount of traffic that each flow is allowed to use.
User Based Rate Limiting is a form of Microflow Policing. As mentioned above, Microflow policing supports the
policing of individual flows. The switch uses a flow mask to determine what constitutes a flow. There are 4 different
flow masks available in the PFC3, and they are:
Interface Destination: Input interface, Destination IP Address
Interface Source: Input interface, Source IP Address
Interface, Source & Destination: Input interface, Source and Destination IP address
Interface, Full: Input interface, Source and Destination IP address, IP protocol, TCP/UDP source and destination ports if present
When these flow masks are used, it changes the way in which the system views a flow. In our example above, where
a single user initiates a number of applications that create a number of flows, UBRL would now view all those flows as
a single flow. Why is this so? It is because the flow mask in use (Interface Source) is only interested in the
source IP address as the flow identifier. As all of the applications are sourced from the same IP address in our
example, the Microflow policer would view “ALL” traffic from that user as a single flow. This means that in our example of the
1 Mbps Microflow policer being applied to that switchport, the user would be rate limited to 1 Mbps for all traffic originating from that
IP address. More importantly, in the situation where the “Interface Full” flow mask was being used, there would have
been seven flow records created in the Netflow table. With the “source-only” flow mask being used, only a single flow
record now exists in the Netflow table. UBRL thus allows us to scale the Netflow table to support more flow records.
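The effect of the flow mask on both the policed rate and the Netflow table size, as an added example: a small simulation written for this page, not Cisco code and not the PFC3 implementation. It assumes a single-rate token-bucket policer (1 Mbps, one-packet burst), a host that offers 2 Mbps on each of seven TCP flows, and constructed addresses, interface names and port numbers. Under the "interface-full" mask each flow gets its own bucket and its own record, so seven flows pass seven times the rate; under the "interface-source" mask all of a host's flows share one bucket and one record, so the host is capped at the stated rate however many flows it opens.

```python
"""Simulation of Microflow policing under the four PFC3 flow masks.

Added example for this page; not Cisco's implementation. Rates, packet
sizes, addresses and ports are constructed for illustration.
"""

# Each flow mask maps a packet to the key the switch would use for the
# NetFlow record and for the per-flow policer bucket.
FLOW_MASKS = {
    "interface-destination": lambda p: (p["iface"], p["dst"]),
    "interface-source": lambda p: (p["iface"], p["src"]),
    "interface-source-destination": lambda p: (p["iface"], p["src"], p["dst"]),
    "interface-full": lambda p: (p["iface"], p["src"], p["dst"],
                                 p["proto"], p.get("sport"), p.get("dport")),
}


class TokenBucket:
    """Single-rate policer. Integer maths: time in ms, tokens in bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate_bps = rate_bps
        self.burst = burst_bits
        self.tokens = burst_bits
        self.last_ms = 0

    def conform(self, now_ms, size_bits):
        # Refill for the elapsed time (capped at the burst), then try to spend.
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + self.rate_bps * elapsed // 1000)
        self.last_ms = now_ms
        if size_bits <= self.tokens:
            self.tokens -= size_bits
            return True
        return False


def user_flows(src="10.0.1.10", iface="Gi1/1", n_flows=7):
    """One host (constructed address) opening n TCP flows to one web server."""
    return [dict(iface=iface, src=src, dst="192.0.2.80", proto=6,
                 sport=40000 + i, dport=80) for i in range(n_flows)]


def many_users(n_users=50, n_flows=7, iface="Gi1/1"):
    """n hosts on the same port, each with n_flows flows (constructed addresses)."""
    flows = []
    for u in range(n_users):
        flows += user_flows(src=f"10.0.1.{10 + u}", iface=iface, n_flows=n_flows)
    return flows


def simulate(mask_name, flows, rate_bps=1_000_000, burst_bits=2_000,
             pkt_bits=2_000, duration_ms=1_000):
    """Every flow offers one packet per ms (2 Mbps per flow, above the policer).

    Returns (netflow_records, conforming_bps): how many flow records the mask
    produces and how much traffic the policer lets through in total.
    """
    key_of = FLOW_MASKS[mask_name]
    buckets = {}          # one policer bucket per flow record
    passed_bits = 0
    for t in range(duration_ms):
        for pkt in flows:
            key = key_of(pkt)
            bucket = buckets.setdefault(key, TokenBucket(rate_bps, burst_bits))
            if bucket.conform(t, pkt_bits):
                passed_bits += pkt_bits
    return len(buckets), passed_bits * 1000 // duration_ms


if __name__ == "__main__":
    for mask in FLOW_MASKS:
        records, bps = simulate(mask, user_flows())
        print(f"{mask:30s} one host, 7 flows: {records} record(s), {bps / 1e6:.1f} Mbps")
    records, bps = simulate("interface-full", many_users())
    print(f"interface-full   50 hosts x 7 flows: {records} records, {bps / 1e6:.0f} Mbps")
    records, bps = simulate("interface-source", many_users())
    print(f"interface-source 50 hosts x 7 flows: {records} records, {bps / 1e6:.0f} Mbps")
```

The second half of the run shows the Netflow-table point: fifty hosts with seven flows each occupy 350 records under the full mask but only 50 under the source mask, and under the source mask no single host can exceed its policed rate by opening more connections.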
When a UBRL policy is defined, the flow mask that is used with this policy is defined along with the stated rate. The
flexibility UBRL yields is in allowing one policer to be applied for traffic outbound and another for return traffic as
shown in the following example.
First, create the ACLs to permit the traffic sourced from the subnet to any destination address and the return traffic.
Cat6500(config)# access-list 101 permit ip 10.0.1.0 0.0.0.255 any
Cat6500(config)# access-list 102 permit ip any 10.0.1.0 0.0.0.255
Then, add each ACL to a class-map by matching the class-map on the appropriate access-group:
Cat6500(config)# class-map outward_traffic
Cat6500(config-cmap)# match access-group 101
Cat6500(config)# class-map return_traffic
Cat6500(config-cmap)# match access-group 102
Once that’s complete, the policy-map must be created to set the rate limits for the users in the access list, and to
configure what to do with the traffic if the policy is not adhered to:
Cat6500(config)# policy-map UBRL
Cat6500(config-pmap)# class outward_traffic