Receive ACL Rate Limiting

IP Receive access list (RACL) provides hardware-based filtering capability for Layer 3 IPv4 or IPv6 traffic that is destined to the CPU.

RACL can protect the CPU from overloading due to heavy traffic that was sent to an IP interface on the device. Using the RACL, an ACL is applied at the system level to eliminate the need to add an ACL to each interface on the device. For more information about RACL, see the Extreme SLX-OS Security Configuration Guide.

Using policy maps, you can apply rate liming to an RACL on IPv4 and IPv6 traffic destined to the CPU control plane. Policy maps can support maximum of 1,000 class maps. The rate-limited RACL does not have dedicated TCAM space. Instead, it shares the ACL TCAM space. RACL rate limiting for IPv4 and Ipv6 traffic is supported only in the default TCAM profile, which can support 2,048 entries.

Consider the following when configuring RACL:

• An ACL must be defined before it can be used for RACL rate limiting.
• Only one policy map can be applied on the control plane.
• A rate-limited RACL has a higher precedence than a user ACL configured on an interface.
• RACL rate-limiting rules have lower precedence than RACL rules.
• An IPv4 or IPv6 RACL supports all the matching criteria and actions that are supported by an IPv4 or IPv6 user ACL.
• A deny action in a rule is ignored for RACL rate limiting.
• No default drop entry is programmed for RACL limiting.
• The CPU shaper rate also polices traffic that is destined to the CPU. The default shaper rate is 10 Mbps. You can configure the shaper rate to a maximum of 150 Mbps.

Note

The RACL-RL match fields icmp_type, icmp_code, and ip_ttl are added in SLX 20.2.1. The match fields icmp_code and ip_ttl are valid only when icmp_type match is valid.

The match fields icmp_type, icmp_code, and ip_ttl are supported only on SLX 9150 and SLX 9250.