Port traffic controls

Rate-limiting

Beginning with software release 12.xx, the switches covered by this guide support configuring inbound and outbound rate-limiting for all traffic on a port and specifying bandwidth usage in terms of either percent or kilobits per second (kbps).

You can enable rate limiting for various types of traffic. When a limit is enabled on a port, excess traffic above the configured rate is discarded. The default is no limit.

  • All-traffic rate limiting is primarily used for end-node connections (i.e. at the network edge). It is not recommended for use on links to servers, routers, switches, or the network core. Rate limiting traffic on such links may interfere with important network functions.

  • Broadcast rate limiting is used to protect the network from disruption by excessive broadcast traffic.

  • ICMP rate limiting is primarily used for throttling denial of service attacks.

  • Multicast rate limiting is used to protect the network from disruption by excessive multicast traffic. This is an Interface context command. It can be called directly from the interface context or following the interface <PORT-LIST> command.

  • Queues rate limiting sets an outbound rate limit for each traffic queue on a selected interface.


NOTE: Applying rate-limiting to desirable traffic is not recommended.



CAUTION: Rate-limiting is intended for use on edge ports in a network. It is not recommended for use on links to other switches, routers, or servers within a network, or for use in the network core. Doing so can interfere with applications the network requires to function properly.

ICMP traffic is necessary for network routing functions. For this reason, blocking all ICMP traffic is not recommended.


For more information on all-traffic rate-limiting, see All traffic rate-limiting.

Configuring rate-limiting on all traffic

Syntax

[no] int <PORT-LIST> rate-limit all [ in | out ] [ percent <0-100> | kbps <0-100000000> ]

Configures a traffic rate limit (on non-trunked ports) on the link. The no form of the command disables rate-limiting on the specified ports.

The rate-limit all command controls the rate of traffic sent or received on a port by setting a limit on the bandwidth available. It includes options for:

  • Rate-limiting on either inbound or outbound traffic.

  • Specifying the traffic rate as either a percentage of bandwidth, or in terms of kilobits per second.

(Default: Disabled.)

in or out

Specifies a traffic rate limit on inbound traffic passing through that port, or on outbound traffic.

percent or kbps

Specifies the rate limit as a percentage of total available bandwidth, or in kilobits per second.


NOTE: The granularity of actual limits may vary across different switch models.


Viewing the current rate-limit configuration

The show rate-limit all command displays the per-port rate-limit configuration in the running-config file.

Syntax

show rate-limit all <PORT-LIST>

Without <PORT-LIST>, this command lists the rate-limit configuration for all ports on the switch.

With <PORT-LIST>, this command lists the rate-limit configuration for the specified ports. This command operates the same way in any CLI context.

Example

The following figure shows a rate-limiting configuration for the first six ports in the module in slot "A". In this instance:

  • Ports A1–A4 are configured with an outbound rate limit of 200 Kbps.

  • Port A5 is configured with an inbound rate limit of 20%.

  • Port A6 is not configured for rate-limiting.

Listing the rate-limit configuration

NOTE: To view RADIUS-assigned rate-limit information, use one of the following command options:

show port-access web-based clients <PORT-LIST> detailed

show port-access mac-based clients <PORT-LIST> detailed

show port-access authenticator clients <PORT-LIST> detailed

The show running command displays the currently applied setting for any interfaces in the switch configured for all traffic rate-limiting and ICMP rate-limiting.

The show config command displays this information for the configuration currently stored in the startup-config file. (Note that configuration changes performed with the CLI, but not followed by a write mem command, do not appear in the startup-config file.)

Rate-limit settings listed in the show config output

Configuring ICMP rate-limiting

ICMP rate-limiting provides a method for limiting the amount of bandwidth that may be used for inbound ICMP traffic on a switch port. This feature allows users to restrict ICMP traffic to percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be caused by worms or viruses (reducing their spread and effect). In addition, ICMP rate-limiting preserves inbound port bandwidth for non-ICMP traffic.


CAUTION: This feature should not be used to remove all ICMP traffic from a network. ICMP is necessary for routing, diagnostic, and error responses in an IP network. ICMP rate-limiting is primarily used for throttling worm or virus-like behavior and should normally be configured to allow one to five percent of available inbound bandwidth (at 10 Mbps or 100 Mbps speeds) or 100 to 10,000 kbps (1Gbps or 10 Gbps speeds) to be used for ICMP traffic.


For more information on ICMP rate-limiting operation, see ICMP rate-limiting.

The rate-limit icmp command controls inbound usage of a port by setting a limit on the bandwidth available for inbound ICMP traffic.

Syntax

int <PORT-LIST> rate-limit icmp <ip-type> [ kbps <0-10000000> | percent <0-100> | trap-clear ]

Where <ip-type> is one of the following:

  • ip-all: Set a rate limit for all ICMP traffic.

  • ipv4: Set a rate limit for IPv4 ICMP traffic.

  • ipv6: Set a rate limit for IPv6 ICMP traffic.

and the remaining keyword is one of the following:

  • kbps: Set the rate limit in kilobits per second.

  • percent: Set the rate limit as a percentage of the port link speed.

  • trap-clear: Clear an existing ICMP rate limiting trap condition.

Configures inbound ICMP traffic rate-limiting. You can configure a rate limit from either the global configuration level (as shown above) or from the interface context level. The no form of the command disables ICMP rate-limiting on the specified interfaces.

(Default: Disabled.)

percent 1-100

Values in this range allow ICMP traffic as a percentage of the bandwidth available on the interface.

kbps 0-100000000

Specifies the rate at which to forward traffic in kilobits per second.

0

Causes an interface to drop all incoming ICMP traffic and is not recommended. See the Caution above.

Example

Either of the following commands configures an inbound rate limit of 1% on ports A3 to A5, which are used as network edge ports:

HP Switch(config) # int a3-a5 rate-limit icmp percent 1
HP Switch(eth-A3-A5) # rate-limit icmp percent 1

Viewing the current ICMP rate-limit configuration

The show rate-limit icmp command displays the per-interface ICMP rate-limit configuration in the running-config file.

Syntax

show rate-limit icmp <PORT-LIST>

Without <PORT-LIST>, this command lists the ICMP rate-limit configuration for all ports on the switch.

With <PORT-LIST>, this command lists the rate-limit configuration for the specified interfaces. This command operates the same way in any CLI context.

Example

If you want to view the rate-limiting configuration on the first six ports in the module in slot "B":

Listing the rate-limit configuration

The show running command displays the currently applied setting for any interfaces in the switch configured for all traffic rate-limiting and ICMP rate-limiting.

The show config command displays this information for the configuration currently stored in the startup-config file. Note that configuration changes performed with the CLI, but not followed by a write mem command, do not appear in the startup-config file.

Resetting the ICMP trap function of the port

Trap notification is enabled by default. When a trap notification is sent, it does not repeat unless the ICMP trap function is cleared.

To reset the port ICMP trap function, use the following CLI command:

int <PORT-LIST> rate-limit icmp trap-clear

You can also perform the reset through SNMP from a network management station or through the CLI with the setmib command.

setmib hpIcmpRatelimitPortAlarmflag.internal-port-# -i 1

On a port configured with ICMP rate-limiting, this command resets the ICMP trap function, which allows the switch to generate a new SNMP trap and an Event Log message if ICMP traffic in excess of the configured limit is detected on the port.

Example

An operator noticing an ICMP rate-limiting trap or Event Log message originating with port A1 on a switch could use either of the following commands to reset the port to send a new message if the condition occurs again:

HP Switch(config)# int a1 rate-limit icmp trap-clear

HP Switch# setmib hpicmpratelimitportalarmflag.1 -i 1

Determining the switch port number used in ICMP port reset commands

To enable excess ICMP traffic notification traps and Event Log messages, use the setmib command described on ICMP rate-limiting trap. The port number included in the command corresponds to the internal number the switch maintains for the designated port and not the port's external (slot/number) identity.

To match the port's external slot/number to the internal port number, use the walkmib ifDescr command, as shown in the following figure:

Matching internal port numbers to external slot/port numbers

Configuring an egress/outbound broadcast limit on the switch

Egress broadcast limiting on switches is configured on a per-port basis. You must be at the port context level for this command to work, for example:

HP Switch(config) # int B1
HP Switch(int B1) # broadcast-limit 1

Syntax

broadcast-limit [0-99]

Enables or disables broadcast limiting for outbound broadcasts on a selected port on the switch.

The value selected is the percentage of traffic allowed, for example, broadcast-limit 5 allows 5% of the maximum amount of traffic for that port. A value of zero disables broadcast limiting for that port.


NOTE: You must switch to port context level before issuing the broadcast-limit command.

This feature is not appropriate for networks requiring high levels of IPX or RIP broadcast traffic.


Syntax

show config

Displays the startup-config file. The broadcast limit setting appears here if enabled and saved to the startup-config file.

Syntax

show running-config

Displays the running-config file. The broadcast limit setting appears here if enabled. If the setting is not also saved to the startup-config file, rebooting the switch returns broadcast limit to the setting currently in the startup-config file.

Example

The following command enables broadcast limiting of 1% of the outbound traffic rate on the selected port on the switch:

HP Switch(int B1) # broadcast-limit 1

For a 1-Gbps port, this results in an outbound broadcast traffic rate of 10 Mbps.

Configuring inbound rate-limiting for broadcast and multicast traffic

You can configure rate-limiting (throttling) of inbound broadcast and multicast traffic on the switch, which helps prevent the switch from being disrupted by traffic storms if they occur on the rate-limited port. The rate-limiting is implemented as either a percentage of the total available bandwidth on the port or as kilobits per-second.

The rate-limit command can be executed from the global or interface context, for example:

(HP_Switch_name#) interface 3 rate-limit bcast in percent 10

or

(HP_Switch_name#) interface 3
HP Switch(eth-3#) rate-limit bcast in percent 10

Syntax

rate-limit [ bcast | mcast ] in [ percent <0-100> | kbps <0-100000000> ]
[no] rate-limit [ bcast | mcast ] in

Enables rate-limiting and sets limits for the specified inbound broadcast or multicast traffic. Only the amount of traffic specified by the percent is forwarded.

Default: Disabled

Example

If you want to set a limit of 50% on inbound broadcast traffic for port 3, you can first enter interface context for port 3 and then execute the rate-limit command, as shown in Inbound broadcast rate-limiting of 50% on port 3. Only 50% of the inbound broadcast traffic will be forwarded.

Inbound broadcast rate-limiting of 50% on port 3

If you rate-limit multicast traffic on the same port, the multicast limit is also in effect for that port, as shown in Inbound multicast rate-limiting of 20% on port 3. Only 20% of the multicast traffic will be forwarded.

Inbound multicast rate-limiting of 20% on port 3

To disable rate-limiting for a port enter the no form of the command, as shown in Disabling inbound multicast rate-limiting for port 3.

Disabling inbound multicast rate-limiting for port 3

Operating notes

  • This rate-limiting option does not limit unicast traffic.

  • This option does not include any form of outbound rate-limiting.

Configuring egress per-queue rate-limiting


NOTE: Software release 15.18 supports Egress Per-Queue Rate-Limiting, including configuration on static trunks, on the HP5400R, 3800, and 2920 switches. (Egress Per-Queue Rate-Limiting is not supported on dynamic LACP trunks, distributed trunks, or Mesh ports.)

Egress per-queue rate-limiting is not supported on switches running software release K.15.xx (3500/3500yl, 5400zl, 6200yl, 6600, and 8200zl).


Overview

Egress rate-limiting permits administrators to configure the maximum percentage of traffic allowed to egress an interface for each priority queue.

  • Egress per-queue rate-limiting allows configurations on both physical ports and static trunks.

  • The number of queue percentages will vary based on the number of queues configured on the device (i.e. 2-queues, 4-queues, 8-queues).

  • Configuration is allowed on a static trunk (manual HP trunks and static LACP trunks), but the actual traffic enforcement occurs per-port on the individual ports belonging to the trunk.

Restrictions

  • While limits on all egress traffic (egress rate-limit all) and limits on specific egress queues (egress rate-limit queues) can be configured at the same time on a given port (i.e., can be concurrent features), this may result in lower actual limits than expected. This is particularly true of queue-limits, where a packet may be dropped for the port as a whole even when the queue is below its limit.

  • The egress per-queue rate-limiting is not configurable on dynamic LACP and Distributed trunks.

  • Other rate-limiting features (ingress and egress) are not supported on trunked ports.

Configuration commands

Rate-limit queues out command

The rate-limit queues out command configures the maximum percentage of outbound port traffic that can be transmitted by each queue available on a port or static trunk.

  • To prevent transmission through a specific egress queue on a specific port, use a value of zero (0-percent) for that queue.

  • To prevent any limitation of traffic through a specific egress queue on a specific port, use a value of 100 (100-percent) for that queue.

The rate-limit queues out command is not supported on either distributed trunks or dynamic trunks.

Syntax

[no] int <PORT-LIST|TRK-LIST> rate-limit queues out percent queue1_% queue2_% queue3_% queue4_% queue5_% queue6_% queue7_% queue8_%

Rate-limit queues out percent command

int a2 rate-limit queues out percent 60 50 70 60 40 80 90 30

Show commands

Syntax

show running-config

Displays the running configuration which includes the rate limit queue percentage.

Show running-config output

HP-5406zl(config)# show running-config

Running configuration:
; J8697A Configuration Editor; Created on release #KA.15.18.0001
; Ver #09:14.6b.fb.ff.fd.ff.ff:3f.ef:5f
hostname "HP-Switch"
module 1 type j9986a
module 6 type j9987a
trunk A5-A6 trk1 trunk

ip access-list standard "std"
  10 permit 0.0.0.0 255.255.255.255 log
  exit

interface A2
  rate-limit all out percent 90
  rate-limit queues out percent 60 50 70 60 40 80 90 30
  exit

interface Trk1
  ip access-group "std" in
  rate-limit queues out percent 60 50 70 60 40 80 90 30
  exit

snmp-server community "public" unrestricted
vlan 1
  name "DEFAULT_VLAN"
  untagged A1-A4,A7-A22,F1-F24,Trk1
  ip address dhcp-bootp
  exit

spanning-tree Trk1 priority 4
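As an added audit example (not part of the HP documentation or the switch software), the following Python script parses a constructed running-config modeled on the show running-config output above and flags the settings this page cautions against: an ICMP limit of 0 (drops all inbound ICMP), rate-limit all on a trunk (the command is for non-trunked edge ports), a queue percentage of 0 (blocks that queue), and concurrent all-out and queues-out limits on one port (actual limits may be lower than expected). The sample config and the assumption that trunk interfaces are named TrkN are constructed for the example.

```python
import re

# Constructed sample modeled on the page's show running-config output (not from a real switch)
SAMPLE_CONFIG = """\
interface A2
  rate-limit all out percent 90
  rate-limit queues out percent 60 50 70 60 40 80 90 30
  exit
interface A3
  rate-limit icmp ip-all percent 0
  exit
interface A4
  rate-limit icmp ip-all percent 1
  rate-limit queues out percent 100 100 0 100 100 100 100 100
  exit
interface Trk1
  rate-limit all in percent 50
  exit
"""

def parse_interfaces(config: str):
    """Collect the rate-limit lines inside each 'interface X ... exit' block."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"^interface\s+(\S+)$", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line.startswith("rate-limit "):
            blocks[current].append(line)
    return blocks

def audit(config: str):
    """Return (interface, finding) pairs for settings the documentation warns against."""
    findings = []
    for port, lines in parse_interfaces(config).items():
        has_all_out = any(l.startswith("rate-limit all out") for l in lines)
        is_trunk = port.lower().startswith("trk")  # assumption: trunk interfaces are named TrkN
        for line in lines:
            parts = line.split()
            if parts[1] == "icmp" and parts[-2] in ("percent", "kbps") and parts[-1] == "0":
                findings.append((port, "ICMP limit of 0 drops all inbound ICMP (not recommended)"))
            elif parts[1] == "all" and is_trunk:
                findings.append((port, "rate-limit all is for non-trunked edge ports, not trunks"))
            elif parts[1] == "queues":
                if "0" in parts[4:]:  # queue percentages start at index 4
                    findings.append((port, "a queue set to 0% blocks transmission through that queue"))
                if has_all_out:
                    findings.append((port, "all-out and queues-out limits are concurrent; actual limits may be lower"))
    return findings
```

Run it against a saved copy of show running-config to get the same findings for a live configuration.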

show rate-limit queues

Syntax

show rate-limit queues <PORT-LIST|TRK-LIST>

Using the show rate-limit command with the queues option added in software release 15.18 enables you to specify both individual ports and port trunk names to display the output. If nothing is specified, all physical ports and any static, non-DT trunks are displayed with their current settings previously configured with the rate-limit queues command. The optional PORT-LIST parameter limits the display output to the listed ports (and static, non-DT trunks, if any).

Command output when no port list specified

HP-Switch# show rate-limit queues

Outbound Queue-Based Rate-Limit %

Port   Q1  Q2  Q3  Q4  Q5  Q6  Q7  Q8
------ --- --- --- --- --- --- --- ---
A1     5   10  10  5   10  10  20  20
A2     5   10  10  5   10  10  20  20
A3     5   10  10  5   10  10  20  20
A4     5   10  10  5   10  10  20  20
A7     5   10  10  5   10  10  20  20

A22    5   10  10  5   10  10  20  20
F1     5   10  10  5   10  10  20  20

F24    5   10  10  5   10  10  20  20
Trk1   5   10  10  5   10  10  10  20
Trk6   5   10  10  5   10  10  10  20

Output with trunk queue set to 100 percent

HP-Switch# show rate-limit queues

 Outbound Queue-Based Rate-Limit %

  Port   Q1  Q2     Q3  Q4     Q5  Q6  Q7  Q8
  ------ --- ------ --- ------ --- --- --- ------
  A5     5   10     10  5      10  10  20  20
  A8     5   10     10  5      10  10  20  20
  A18    5   10     10  5      10  10  20  20
  Trk1   5   10     10  5      10  10  20  100

Output when port list specified

HP-Switch# show rate-limit queues A1-A4

Outbound Queue-Based Rate-Limit %

Port   Q1  Q2  Q3  Q4  Q5  Q6  Q7  Q8
------ --- --- --- --- --- --- --- ---
A1     5   10  10  5   10  10  20  20
A2     5   10  10  5   10  10  20  20
A3     5   10  10  5   10  10  20  20
A4     5   10  10  5   10  10  20  20

Output when trunk name specified

HP-Switch# show rate-limit queues Trk6

Outbound Queue-Based Rate-Limit %

Port   Q1  Q2  Q3  Q4  Q5  Q6  Q7  Q8
------ --- --- --- --- --- --- --- ---
Trk6   5   10  10  5   10  10  20  20