Hi Gaurav,
Policers' token buckets are filled with the following formula:
( Current Packet Arrival Time - Previous Packet Arrival Time ) * Police Rate
in bps / 8 (to convert bits to bytes you divide by 8)
If you created a bucket by doing /32, I believe you would create a bucket at
15625 (Tc of 32ms), and say your physical line rate was 1Mbps (1 000 000bps);
then you could send data at a rate of 125 bytes per ms (or 1500 bytes every
12ms).
Token Bucket (Bc) = 15625
09:00:00.000 First Packet Arrival (1500bytes)
Token Bucket (Bc) = 15625 - 1500 = 14125
09:00:00.012 Second Packet Arrival (12ms)
Token Bucket (Bc) = 14125 + 750 - 1500 = 13375
09:00:00.024 Third Packet Arrival (12ms)
Token Bucket (Bc) = 13375 + 750 - 1500 = 12625
After another 192ms your bucket has almost diminished, with only 625 tokens
left, or 625 bytes worth of conforming data left.
The next lot of data will take us to -125 bytes or tokens; therefore the
next packet exceeds and no tokens are taken from the bucket. Instead the
bucket will now look like this:
Token Bucket (Bc) = 625 + 750 = 1375, and the packet is considered exceeding,
and an action is performed based on what's configured.
Another 12ms passes, and another 1500byte packet arrives
Token Bucket (Bc) = 1375 + 750 - 1500 = 625, packet conforms and is passed
Another 12ms passes..
Token Bucket (Bc) = 625 + 750 = 1375, packet exceeds
So as you can see you have that initial burst for 250ms where you can send
data, then on average every second packet is dropped, so you are averaged out
to only 500,000bps..
So what if we apply the same logic to a bucket with 4000 bytes available?
09:00:00.000 First Packet Arrival (1500bytes)
Token Bucket (Bc) = 4000 - 1500 = 2500
09:00:00.012 Second Packet Arrival (12ms)
Token Bucket (Bc) = 2500 + 750 - 1500 = 1750
09:00:00.024 Third Packet Arrival (12ms)
Token Bucket (Bc) = 1750 + 750 - 1500 = 1000
09:00:00.036 Fourth Packet Arrival (12ms)
Token Bucket (Bc) = 1000 + 750 - 1500 = 250
09:00:00.048 Fifth Packet Arrival (12ms)
Token Bucket (Bc) = 250 + 750 - 1500 = -250 (Packet considered exceeding as
there are not enough tokens, no tokens taken from bucket)
Token Bucket (Bc) = 250 + 750 = 1000
09:00:00.060 Sixth Packet Arrival (12ms)
Token Bucket (Bc) = 1000 + 750 - 1500 = 250 (Packet conforms)
09:00:00.072 Seventh Packet Arrival (12ms)
Token Bucket (Bc) = 250 + 750 - 1500 = -250 (Packet considered exceeding as
there are not enough tokens, no tokens taken from bucket)
Token Bucket (Bc) = 250 + 750 = 1000
09:00:00.084 Eighth Packet Arrival (12ms)
Token Bucket (Bc) = 1000 + 750 - 1500 = 250 (Packet conforms)
Okay, that looks like the same end result to me?
What if our line was 100Mbps?
So now we can send data at a rate of 12500 bytes per ms... if our MTU is at
1500 then we'd probably end up seeing around 8 packets per ms!
09:00:00.000.000 First Packet Arrival (1500bytes)
Token Bucket (Bc) = 4000 - 1500 = 2500
09:00:00.000.120 Second Packet Arrival (120microseconds)
Token Bucket (Bc) = 2500 + 7.5 - 1500 = 1007.5
09:00:00.000.240 Third Packet Arrival (120microseconds)
Token Bucket (Bc) = 1007.5 + 7.5 - 1500 = -492.5 (Packet Exceeds No Tokens
Taken)
Token Bucket (Bc) = 1007.5 + 7.5 = 1015
09:00:00.000.360 Fourth Packet Arrival (120microseconds)
Token Bucket (Bc) = 1015 + 7.5 - 1500 = 477.5 (Packet Exceeds No Tokens
Taken)
Token Bucket (Bc) = 1015 + 7.5 = 1022.5
It'd take approximately 8 milliseconds to fill our bucket back up to
1500 bytes, just to be emptied again, taking another 24ms to fill up again..
averaging to around 62,500 bytes per second or 500,000bps :-)
This is how I worked out my math; hopefully it's correct, otherwise I have to
revisit this whole section of study and get it right before I sit my exam
on the 23rd of August, EEK!
*Packet Size / Bucket Fill Rate * Time Between Packets (Microseconds) / 1000
(1000 microseconds = 1 millisecond)*
1500 / 7.5 * 120 / 1000 = 24
*1000 milliseconds / 24 milliseconds = 41.66 x 1500 bytes are considered
conforming*
1000 / 24 = 41.66
*Number of Packets * Size Per Packet = Total Bytes Per Second*
41.66 * 1500 = 62500 bytes per milliseconds
*Bytes Per Second * 8 = bits per second*
62500 * 8 = 500 000 bps
Hope this helps
Garth
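The policer arithmetic Garth walks through above, as an added example that is not part of the original thread: a small Python simulation of a single-rate token bucket using the same refill rule (gap since the previous arrival times the police rate, divided by 8 to get bytes). The cap of the bucket at Bc is standard token-bucket behaviour and an assumption here, as is starting with a full bucket; timestamps are integer microseconds so refills come out exact.

```python
# Added example (not from the thread): simulate the single-rate policer
# arithmetic described above. Tokens are bytes, refilled at the police rate
# (CIR, bits/s) over the gap since the previous packet, capped at Bc.
# The cap at Bc and the full initial bucket are assumptions, not from the thread.
from dataclasses import dataclass, field


@dataclass
class TokenBucketPolicer:
    cir_bps: int                      # police rate in bits per second
    bc_bytes: float                   # bucket depth (normal burst) in bytes
    tokens: float = field(init=False)
    last_arrival_us: int = 0          # microseconds, integer to keep refills exact
    trace: list = field(default_factory=list)

    def __post_init__(self):
        self.tokens = self.bc_bytes   # bucket starts full (assumption)

    def arrive(self, t_us: int, size_bytes: int) -> str:
        # Refill = (now - previous arrival) * rate / 8, converting bits to bytes.
        refill = (t_us - self.last_arrival_us) * self.cir_bps / 8_000_000
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_arrival_us = t_us
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes     # conform: tokens consumed
            verdict = "conform"
        else:
            verdict = "exceed"            # exceed: no tokens taken, action applied
        self.trace.append((t_us, verdict, self.tokens))
        return verdict


def run_stream(cir_bps, bc_bytes, pkt_bytes, interval_us, count):
    """Send `count` packets of pkt_bytes, one every interval_us, starting at t=0.

    Returns the per-packet verdicts, the bucket level after each packet, and
    the rate of conforming traffic in bits/s over the whole run."""
    pol = TokenBucketPolicer(cir_bps, bc_bytes)
    verdicts = [pol.arrive(i * interval_us, pkt_bytes) for i in range(count)]
    levels = [level for _, _, level in pol.trace]
    duration_s = count * interval_us / 1e6
    conforming_bps = verdicts.count("conform") * pkt_bytes * 8 / duration_s
    return verdicts, levels, conforming_bps


if __name__ == "__main__":
    # 500 kbps police rate, Bc = 4000 bytes, 1500-byte packets every 12 ms (1 Mbps line)
    print(run_stream(500_000, 4000, 1500, 12_000, 8))
    # same policer on a 100 Mbps line: a 1500-byte packet every 120 us
    v, lv, bps = run_stream(500_000, 4000, 1500, 120, 2000)
    print(v[:4], lv[:4], bps)
```

Running the 12 ms stream for a few hundred packets shows the long-run conforming rate settling near the 500 kbps police rate regardless of the Bc chosen, which is the point of the two bucket sizes compared above.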
On Thu, Jul 29, 2010 at 1:33 AM, Gaurav Thukral <pearlgaurav_at_gmail.com> wrote:
> Hi Sonu,
>
> Thanks for your reply. Just want to confirm how was this Bc and Be value
> derived if we have CIR = 500000
> As far as I know we use formula :- CIR/32
>
> => Bc = 500000/32 = 16000 (Approx.)
>
> Please suggest if I am assuming something wrong here.
>
> Thanks & Regards,
> Gaurav.
>
> On Wed, Jul 28, 2010 at 7:44 PM, Sonu Khandelwal (sokhande) <
> sokhande_at_cisco.com> wrote:
>
> > Hi,
> > It gets automatically converted to 496000 even if we give 500000 as cir.
> >
> > R2(config)#int gi0/1
> > R2(config-if)#rate-limit input 500000 1500 2000 conform-action transmit
> > exceed-action drop
> >
> > R2#sh run int gi0/1
> > Building configuration...
> >
> > Current configuration : 339 bytes
> > !
> > interface GigabitEthernet0/1
> > rate-limit input 496000 1500 2000 conform-action transmit exceed-action
> > drop
> > End
> >
> > I think this is some kind of limitation with this kind of config, I
> > think we should configure 500000 as cir. BTW in case of policing bc and
> > be are in bytes and not in bits hence assuming 4000 bytes as bc might
> > not make it 500000 (policing rate).
> >
> > Just my 2c.
> >
> > Thanks,
> > Sonu
> >
> >
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Alexei Monastyrnyi
> > Sent: Wednesday, July 28, 2010 6:50 PM
> > To: Gaurav Thukral
> > Cc: Group study
> > Subject: Re: Rate limiting TCP syn attack
> >
> > Gaurav,
> > I would guess their train of thought being average rate + normal burst,
> > 496000 + 4000 is 500000. The fishy part is that average rate is in bits
> > and bursts are in bytes...
> >
> > HTH
> > A.
> >
> > On 7/28/2010 11:10 PM, Gaurav Thukral wrote:
> > > Hi experts
> > >
> > > I came across one following question while practicing for my security
> > > section of CCIE SP :-
> > >
> > > Recently monitoring of your web server on VLAN 5 has shown an inordinate
> > > amount of half open TCP sessions, possibly indicating a DoS attack. In
> > > order to reduce the load on the server while the possibility of attack is
> > > investigated, configure R5 so that TCP requests sent to this server are
> > > limited to a maximum of 500Kbps.
> > >
> > > Following is the solution given for this.
> > >
> > > ANS:
> > >
> > > interface Ethernet0/1
> > > rate-limit output access-group 192 *496000 *4000 4000 conform-action
> > > transmit exceed-action drop
> > > !
> > > access-list 192 permit tcp any 173.1.5.0 0.0.0.255 eq www syn
> > >
> > >
> > > According to me in this case CIR should be 500000 as question says "maximum
> > > of 500" and accordingly Bc and Be should be calculated. Not sure how Bc and
> > > Be value is taken here. Can someone please explain this?
> > >
> > > Thanks & Regards,
> > > Gaurav.
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
>
Received on Thu Jul 29 2010 - 09:27:00 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART