From: gladston@br.ibm.com
Date: Wed May 25 2005 - 16:39:45 GMT-3
Thanks Simon,
What makes me not understand it yet is that I would have expected the security
access list to permit the traffic (as it does in fact) and the rate-limit
access-list also to match the traffic (which does not happen).
Cisco says IOS does this:
check input access list
check input rate limits
But it does not say that if traffic is permitted by the access-list it will not
pass through the input rate-limit access-list.
Do you have another opinion?
------------------------------------------------------------------
Gladston
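To make the order of operations being discussed concrete, here is a small simulation (added for this archive page; it is not IOS code and not from anyone in the thread). It models the two documented input stages, security ACL first and rate-limit (CAR) statements second, as a permit/deny filter feeding a chain of token buckets with conform-action transmit/continue and exceed-action drop. The packet burst, the single-entry ACLs and the token-bucket arithmetic (refill at bps/8 bytes per second, no extended burst) are constructed assumptions. In this model a packet permitted by the security ACL still reaches, and is counted by, the rate-limit ACL; only a denied packet never gets there.

```python
"""Model of the documented IOS input order: interface access-group, then
rate-limit statements. Illustrative simulation, not IOS behaviour."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str   # "icmp" or "tcp" (constructed sample values)
    size: int    # bytes
    t: float     # arrival time in seconds


@dataclass
class Acl:
    """Single-entry ACL: permit one protocol ('ip' = any); implicit deny."""
    name: str
    permit_proto: str
    matches: int = 0

    def permits(self, pkt):
        if self.permit_proto in ("ip", pkt.proto):
            self.matches += 1        # the 'show access-list' match counter
            return True
        return False


@dataclass
class RateLimit:
    """One 'rate-limit input access-group N bps burst' statement
    modelled as a token bucket (assumption: no extended burst)."""
    acl: Acl
    bps: int
    burst: int            # normal burst in bytes
    conform_action: str   # "transmit" or "continue"
    tokens: float = 0.0
    last: float = 0.0
    conformed: int = 0
    exceeded: int = 0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def apply(self, pkt):
        """Return the action for a packet that matched this statement's ACL."""
        # Refill the bucket for the time elapsed since the previous packet.
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.bps / 8)
        self.last = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            self.conformed += 1
            return self.conform_action
        self.exceeded += 1
        return "drop"


def process_input(pkts, security_acl, limits):
    """Stage 1: security ACL (None = no access-group applied).
    Stage 2: rate-limit statements in order; 'continue' falls through to
    the next statement, 'transmit' or 'drop' ends the chain."""
    forwarded = 0
    for pkt in pkts:
        if security_acl is not None and not security_acl.permits(pkt):
            continue                 # denied: never reaches the rate-limit stage
        action = "transmit"
        for rl in limits:
            if not rl.acl.permits(pkt):
                continue
            action = rl.apply(pkt)
            if action != "continue":
                break
        if action != "drop":
            forwarded += 1
    return forwarded


def run_scenario(security_permit):
    """security_permit: 'ip' (permit all), 'tcp' (denies ICMP) or None (no ACL).
    Uses ACL 121 (any, continue) and ACL 123 (icmp, transmit) with the
    rates from the thread's config, fed a constructed burst of 10 ICMP packets."""
    acl150 = Acl("150", security_permit) if security_permit else None
    acl121, acl123 = Acl("121", "ip"), Acl("123", "icmp")
    limits = [RateLimit(acl121, 512000, 64000, "continue"),
              RateLimit(acl123, 32000, 4000, "transmit")]
    pkts = [Packet("icmp", 1500, i * 0.01) for i in range(10)]
    fwd = process_input(pkts, acl150, limits)
    return {"forwarded": fwd,
            "acl150": acl150.matches if acl150 else 0,
            "acl121": acl121.matches, "acl123": acl123.matches,
            "car123_conformed": limits[1].conformed,
            "car123_exceeded": limits[1].exceeded}


if __name__ == "__main__":
    for case in ("ip", "tcp", None):
        print(case, run_scenario(case))
```

With `"ip"` (everything permitted) all ten packets hit ACL 121 and ACL 123 and the 4000-byte bucket of statement 123 lets two through and drops eight; with `"tcp"` the ICMP burst is denied at stage 1 and every rate-limit counter stays at zero; with `None` the result equals the `"ip"` case. That is the behaviour the Cisco order-of-operations note implies, which is exactly why the counters in the thread look surprising.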
SIMON HART <simon.hart@btinternet.com>
25/05/2005 13:09
To: Mark Lasarko <mlasarko@co.ba.md.us>, Alaerte Gladston Vidali/Brazil/IBM@IBMBR, ccielab@groupstudy.com
cc:
Subject: Re: Bug with Rate-limit and Access-list
Mark,
You are right, on the input the ACL is matched prior to the rate limit.
The attached URL provides the order of operations:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Simon
Mark Lasarko <mlasarko@co.ba.md.us> wrote:
Greetings Gladston,
I had not seen any replies so I thought maybe I'd arp for it again...
Anyone?
Logic tells me that this is not a bug at all.
I would suspect the ACL is being processed prior to the rate-limit (obviously); I am just not sure where.
To expand on that comment;
I seem to recall NAT happens first, before anything.
Next, we are either policy routed or not.
Then the path continues as offsets, distance, etc... are applied.
Then on to the incoming routing process and other selection criteria.
With all the options available I am just not sure where the rate-limit
happens.
Anyone?
~M
>>> 05/24/05 10:35 AM >>>
If there is an access-list IN on the same interface where there is a
rate-limit, packets matched by the security access-list are not matched
by the rate-limit access-list.
Have you seen that?
interface Ethernet0/0
ip address 142.20.44.4 255.255.255.0
ip access-group 150 in
ip directed-broadcast
ip multicast helper-map broadcast 229.1.1.1 110
max-reserved-bandwidth 90
service-policy output Qos
rate-limit input access-group 121 512000 64000 96000 conform-action continue exceed-action drop
rate-limit input access-group 122 64000 8000 12000 conform-action transmit exceed-action drop
rate-limit input access-group 123 32000 4000 6000 conform-action transmit exceed-action drop
ntp multicast 229.2.2.2
ipv6 address 2001:1:1:4::4/64
ipv6 address FEC0:2E3D:5B7C:4::4/64
ipv6 nd suppress-ra
Rack2R4(config)#int e 0/0
Rack2R4(config-if)#no ip access-group 150 in
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
10 permit icmp any any (20 matches)
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
10 permit icmp any any (25 matches)
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
10 permit icmp any any (29 matches)
Rack2R4(config-if)#do sh int e 0/0 rat
Ethernet0/0
Input
matches: access-group 121
params: 512000 bps, 64000 limit, 96000 extended limit
conformed 103 packets, 114646 bytes; action: continue
exceeded 0 packets, 0 bytes; action: drop
last packet: 257ms ago, current burst: 0 bytes
last cleared 00:47:56 ago, conformed 0 bps, exceeded 0 bps
matches: access-group 122
params: 64000 bps, 8000 limit, 12000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 10281010ms ago, current burst: 0 bytes
last cleared 00:47:14 ago, conformed 0 bps, exceeded 0 bps
matches: access-group 123
params: 32000 bps, 4000 limit, 6000 extended limit
conformed 66 packets, 99924 bytes; action: transmit
exceeded 8 packets, 12112 bytes; action: drop
last packet: 261ms ago, current burst: 3882 bytes
last cleared 00:46:39 ago, conformed 0 bps, exceeded 0 bps
Rack2R4(config-if)# ip access-group 150 in
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
10 permit icmp any any (97 matches)
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
10 permit icmp any any (97 matches)
Rack2R4(config-if)#do sh access-list 150
Extended IP access list 150
10 permit tcp any any established
20 permit tcp any any log-input
30 permit icmp any any echo log-input (1491 matches)
40 permit ip any any (305 matches)
Rack2R4(config-if)#do sh access-list 150
Extended IP access list 150
10 permit tcp any any established
20 permit tcp any any log-input
30 permit icmp any any echo log-input (1499 matches)
40 permit ip any any (305 matches)
Rack2R4(config-if)#do sh access-list 150
Extended IP access list 150
10 permit tcp any any established
20 permit tcp any any log-input
30 permit icmp any any echo log-input (1518 matches)
40 permit ip any any (305 matches)
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:02 GMT-3