Configure Layer 2 ACL Rate Limiting

  • For Layer 2 ACL-based rate limiting on VPLS endpoints, ensure that the default TCAM profile is enabled.

    Important

    Important

    Layer 2 ACL-based rate limiting on VPLS endpoints is not supported on SLX 9150/Extreme 8520.
  • Configure Layer 2 filter parameters to match the outer VLAN, VLAN-tag format, and inner VLAN based on the traffic received on a logical interface for which rate limiting is required. For more information on filtering by the VLAN-tag type, see the Extreme SLX-OS Security Configuration Guide.

  • For Layer 2 ACL-based rate limiting to filter known unicast traffic only, configure a rule for a MAC extended ACL with the known-unicast-only keyword. This configuration is supported only for an ingress ACL on an L2_Ratelimit profile. Note that an implicit deny applies for both unknown and known unicast traffic.

To display the Layer 2 ACL bindings, use the show access-list mac command.

To display the policy-map bindings and rate-limiting statistics, use the show policy-map interface command.

  1. In privileged EXEC mode, access global configuration mode.
    device# configure terminal
    
  2. Create the Layer 2 ACL.
    device(config)# mac access-list extended m1
    
  3. Add the permit rule for the ACL.
    device(conf-macl-ext)# permit any any vlan 100
    
  4. Access global configuration mode.
    device(conf-macl-ext)# exit
    
  5. Create the class map and access its configuration mode.
    device(config)# class-map c1
    
  6. Add a match statement to the class map.
    device(config-classmap)# match access-group m1
    
  7. Access global configuration mode.
    device(config-classmap)# exit
    
  8. Create the policy map and access its configuration mode.
    device(config)# policy-map p1
    
  9. Add the class map to the policy map and access the policy-class configuration mode.
    device(config-policymap)# class c1
    
  10. Configure the class map.
    device(config-policymap-class)# police cir 400000
    
    This step configures the committed information rate for the class map.
  11. Access global configuration mode.
    device(config-policymap-class)# exit
  12. Access the interface configuration mode for the interface where you want to apply the policy map.
    device(config)# interface ethernet 0/1
    
  13. Apply the policy map to the interface.
    device(conf-if-eth-0/1)# service-policy in p1
    
  14. For egress rate limiting, enable the L2-Egress-RateLimit TCAM profile and then reboot the device.
    device(config)# hardware
    device(config-hardware)# profile tcam layer2-egress-ratelimit
    device(config-hardware)# exit
    device# copy running-config startup-config
    device# reload system

The following example summarizes the commands in this procedure.

device# configure terminal
device(config)# mac access-list extended m1
device(conf-macl-ext)# permit any any vlan 100
device(conf-macl-ext)# exit
device(config)# class-map c1
device(config-classmap)# match access-group m1
device(config-classmap)# exit
device(config)# policy-map p1
device(config-policymap)# class c1
device(config-policymap-class)# police cir 400000
device(config-policymap-class)# exit
device(config-policymap)# exit
device(config)# interface ethernet 0/1
device(conf-if-eth-0/1)# service-policy in p1