Configure Layer 2 ACL Rate Limiting

Before you begin

  • For Layer 2 ACL-based rate limiting on VPLS endpoints, ensure that the default TCAM profile is enabled.

    Important

    Important

    Layer 2 ACL-based rate limiting on VPLS endpoints is not supported on SLX 9150.

  • Configure Layer 2 filter parameters to match the outer VLAN, VLAN-tag format, and inner VLAN based on the traffic received on a logical interface for which rate limiting is required. For more information on filtering by the VLAN-tag type, see the Extreme SLX-OS Security Configuration Guide.

  • For Layer 2 ACL-based rate limiting to filter known unicast traffic only, configure a rule for a MAC extended ACL with the known-unicast-only keyword. This configuration is supported only for an ingress ACL on an L2_Ratelimit profile. Note that an implicit deny applies for both unknown and known unicast traffic.

About this task

To display the Layer 2 ACL bindings, use the show access-list mac command.

To display the policy-map bindings and rate-limiting statistics, use the show policy-map interface command.

Procedure

  1. In privileged EXEC mode, access global configuration mode. 
    device# configure terminal
  2. Create the Layer 2 ACL. 
    device(config)# mac access-list extended m1
  3. Add the permit rule for the ACL. 
    device(conf-macl-ext)# permit any any vlan 100
  4. Access global configuration mode. 
    device(conf-macl-ext)# exit
  5. Create the class map and access its configuration mode. 
    device(config)# class-map c1
  6. Add a match statement to the class map. 
    device(config-classmap)# match access-group m1
  7. Access global configuration mode. 
    device(config-classmap)# exit
  8. Create the policy map and access its configuration mode. 
    device(config)# policy-map p1
  9. Add the class map to the policy map and access the policy-class configuration mode. 
    device(config-policymap)# class c1
  10. Configure the class map. 
    device(config-policymap-class)# police cir 400000
    This step configures the committed information rate for the class map.
  11. Access global configuration mode. 
    device(config-policymap-class)# exit
  12. Access the interface configuration mode for the interface where you want to apply the policy map. 
    device(config)# interface ethernet 0/1
  13. Apply the policy map to the interface. 
    device(conf-if-eth-0/1)# service-policy in p1
  14. For egress rate limiting, enable the L2-Egress-RateLimit TCAM profile and then reboot the device. 
    device(config)# hardware
device(config-hardware)# profile tcam layer2-egress-ratelimit
device(config-hardware)# exit
device# copy running-config startup-config
device# reload system

Example

The following example summarizes the commands in this procedure. 

device# configure terminal
device(config)# mac access-list extended m1
device(conf-macl-ext)# permit any any vlan 100
device(conf-macl-ext)# exit
device(config)# class-map c1
device(config-classmap)# match access-group m1
device(config-classmap)# exit
device(config)# policy-map p1
device(config-policymap)# class c1
device(config-policymap-class)# police cir 400000
device(config-policymap-class)# exit
device(config-policymap)# exit
device(config)# interface ethernet 0/1
device(conf-if-eth-0/1)# service-policy in p1
9037573-00 Rev AA