Match Access-Group Class Map Policing
Access groups are used for Layer 2 and Layer 3 ACL-based ingress rate limiting and for denial of service (DoS) mitigation. ACL-based rate limiting is built on the ACL and policer features. It limits the following traffic:
- Layer 3 traffic that matches the permit conditions in an IPv4 access list.
- Layer 2 traffic that matches the permit conditions in a MAC (Layer 2) access list.
Layer 2 ACL-based rate limiting is supported on VPLS endpoints when the TCAM profile is set to Default, and MAC ACLs support VPLS-based filtering. Configure the Layer 2 filter parameters to match the outer VLAN, the VLAN-tag format, and the inner VLAN of the traffic received on the logical interface (LIF) that you want to rate-limit. For more information on filtering by VLAN-tag type, see the Extreme SLX-OS Security Configuration Guide.
Note: Layer 2 ACL-based rate limiting on VPLS endpoints is supported only on devices based on the Extreme 8820, SLX 9740, SLX 9640, and SLX 9540.
Consider the following when you configure match access-group class map policing.
- You can configure:
  - 1,024 policy maps
  - 6,144 ACL Content Addressable Memory (CAM) entries for use with rate limiting
  - 2,048 ACLs with rate limiting for each user
  - The number of Ternary Content Addressable Memory (TCAM) entries available for rate limiting and ingress policers depends on the hardware TCAM profile in use.
- The ACL-based rate limiting feature can serve as a hardware solution to mitigate DoS attacks, including:
  - PING (ICMP) attacks
  - TCP Reset attacks
  - TCP SYN attacks
  - UDP attacks
- Layer 2 MAC and Layer 3 IPv4 ACL-based rate limiting are supported.
- ACL-based rate limiting applies only to ingress traffic; it has no effect on egress traffic.
- There is one policer per ACL, which applies to all the rules in that ACL. Traffic matching any permit rule in the ACL shares that single policer, so to police two kinds of traffic at different rates, place them in separate ACLs bound to separate class maps.
- Control protocols are rate-limited if they match the configured ACL clause. A broad permit clause (for example, one that permits all IP traffic) therefore also polices control-plane traffic arriving on that interface, so keep permit clauses as narrow as the use case allows.
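The following is an added example, not taken from the SLX-OS guide, that puts the points above together as an SLX-OS CLI session: two narrow IPv4 ACLs (ICMP and UDP) each bound to its own class map, a policy map that polices each class at a different rate, and the policy applied in the ingress direction on a physical port. The ACL, class-map, policy-map and interface names, the CIR/CBS values, the CLI prompts, and the `!` annotation lines are assumptions for illustration; only the command keywords (`ip access-list extended`, `class-map`, `match access-group`, `policy-map`, `class`, `police cir`, `service-policy in`) follow the SLX-OS syntax the page describes. The `!` lines are annotations, not commands to type.

```text
device# configure terminal

! Only permit clauses are policed. Keep each clause narrow so that
! control protocols are not swept into the policer by a catch-all permit.
device(config)# ip access-list extended rl-icmp
device(conf-ipacl-ext)# seq 10 permit icmp any any
device(conf-ipacl-ext)# exit

! A second ACL for UDP: each ACL gets exactly one policer, so ICMP and
! UDP cannot be policed at different rates from within a single ACL.
device(config)# ip access-list extended rl-udp
device(conf-ipacl-ext)# seq 10 permit udp any any
device(conf-ipacl-ext)# exit

! One class map per ACL (match access-group binds the ACL to the class).
device(config)# class-map rl-icmp-class
device(config-classmap)# match access-group rl-icmp
device(config-classmap)# exit
device(config)# class-map rl-udp-class
device(config-classmap)# match access-group rl-udp
device(config-classmap)# exit

! Policy map with a separate policer per class.
! CIR (bps) and CBS (bytes) values below are illustrative assumptions.
device(config)# policy-map dos-ingress-rl
device(config-policymap)# class rl-icmp-class
device(config-policymap-class)# police cir 1000000 cbs 100000
device(config-policymap-class)# exit
device(config-policymap)# class rl-udp-class
device(config-policymap-class)# police cir 20000000 cbs 1000000
device(config-policymap-class)# exit
device(config-policymap)# exit

! ACL-based rate limiting is ingress only: apply the policy with "in".
device(config)# interface ethernet 0/1
device(conf-if-eth-0/1)# service-policy in dos-ingress-rl
device(conf-if-eth-0/1)# end
```

A MAC ACL is bound the same way: create it with `mac access-list extended`, reference it from a class map with `match access-group`, and police that class in the policy map. When verifying, confirm that the class counters increment for the intended traffic only; if control-plane traffic (for example, routing protocol packets) shows up under a class, the ACL's permit clause is wider than intended and should be tightened.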