Oh, I must correct one thing with the above..
I noticed I said the Tc is 32ms; well, this is not correct, the Tc is actually
250ms: 500 000 / 8 = 62500 bytes per second, then 15625 / 62500 = 0.250 (Tc of
250ms). The math is as follows:
62500 bytes per second is allowed to be sent, based on our average rate, but
our bucket is 15625. Now 15625 can go into 62500 4 times... since 62500 bytes
can be sent in 1 second, and 1000ms = 1 second, then cut that into four
slices and you have a Tc of 250ms. :-) which all ties in with the first
example...
Amazingly, I worked that all out at 6am this morning Perth time with just
the first formula at the top, which was all I was going to originally post.
This is something that confused me about six months ago and I never worked
it out until you asked the question again.
Thanks for the great question :-D
Garth
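The walkthroughs in this thread (the 15625-byte bucket on a 1 Mbps line, the 4000-byte bucket, and the 100 Mbps case with 120 microsecond gaps) can be replayed mechanically. The following is an added example, not code from the thread or from any vendor: it implements the fill rule Garth quotes, tokens added = (current arrival - previous arrival) * rate in bps / 8, capped at Bc, and a packet conforms only if the bucket holds at least its size, taking no tokens when it exceeds. Packet streams are constructed inline (evenly spaced 1500-byte packets); `replay` and `conforming_bytes` are names chosen here. Exact fractions are used so the 7.5-byte top-ups in the 100 Mbps case do not drift.

```python
from fractions import Fraction


class TokenBucketPolicer:
    """Single-rate, single-bucket policer as described in the thread.

    On each packet arrival the bucket is topped up by
        (arrival_now - arrival_prev) * rate_bps / 8   bytes,
    capped at the bucket depth Bc.  The packet conforms only if the bucket
    then holds at least its size in tokens; an exceeding packet takes no
    tokens.  Fractions keep the arithmetic exact (no float drift).
    """

    def __init__(self, rate_bps, bc_bytes):
        self.rate_bps = rate_bps
        self.bc = Fraction(bc_bytes)
        self.tokens = Fraction(bc_bytes)   # the bucket starts full
        self.last_arrival_us = None        # previous arrival, microseconds

    def arrive(self, t_us, size_bytes):
        """Process one packet; returns ('conform' | 'exceed', tokens_after)."""
        if self.last_arrival_us is not None:
            elapsed_us = t_us - self.last_arrival_us
            # bits = elapsed_s * rate_bps; bytes = bits / 8
            refill = Fraction(elapsed_us * self.rate_bps, 8 * 1_000_000)
            self.tokens = min(self.bc, self.tokens + refill)
        self.last_arrival_us = t_us
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return "conform", self.tokens
        return "exceed", self.tokens


def replay(rate_bps, bc_bytes, gap_us, size_bytes, n_packets):
    """Constructed stream: n_packets of size_bytes, gap_us apart, through a
    fresh policer.  Returns the per-packet (verdict, tokens_after) list."""
    policer = TokenBucketPolicer(rate_bps, bc_bytes)
    return [policer.arrive(k * gap_us, size_bytes) for k in range(n_packets)]


def conforming_bytes(results, size_bytes):
    """Bytes admitted (transmitted) across a replay."""
    return sum(size_bytes for verdict, _ in results if verdict == "conform")


if __name__ == "__main__":
    # Thread scenario: CIR 500 kbps, Bc = 500000/32 = 15625 bytes,
    # 1500-byte packets every 12 ms (what a 1 Mbps line delivers).
    for k, (verdict, tokens) in enumerate(replay(500_000, 15_625, 12_000, 1500, 22)):
        print(f"packet {k + 1:2d} at {k * 12:3d} ms: {verdict:7s} tokens={float(tokens):.1f}")

    # Over ~10 s the initial burst washes out and the admitted rate settles
    # toward the CIR of 62500 bytes/s, whatever the bucket depth.
    ten_s = replay(500_000, 15_625, 12_000, 1500, 834)
    admitted = conforming_bytes(ten_s, 1500)
    print(f"admitted in ~10 s: {admitted} bytes, ~{admitted / 10:.0f} B/s vs 62500 B/s CIR")
```

Running the script reproduces the thread's numbers: the 15625-byte bucket admits 19 back-to-back packets (the burst Garth describes) and then alternates conform/exceed, while the 4000-byte bucket reaches that alternation after four packets; in both cases the long-run admitted rate converges on 62500 bytes per second.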
On Thu, Jul 29, 2010 at 9:27 AM, Garth Bryden <hacked.the.planet.on.28.8k.dialup_at_gmail.com> wrote:
> Hi Gaurav,
>
> Policers token buckets are filled with the following formula-
>
> ( Current Packet Arrival Time - Previous Packet Arrival Time ) * Police
> Rate in bps / 8 (to convert bits to bytes you divide by 8)
>
> If you created a bucket by doing /32 I believe you would create a bucket at
> 15625 (Tc of 32ms) and say your physical line rate was 1Mbps (1 000 000bps)
> then you could send data at a rate of 125bytes per ms or (1500 bytes every
> 12ms)
>
> Token Bucket (Bc) = 15625
>
> 09:00:00.000 First Packet Arrival (1500bytes)
> Token Bucket (Bc) = 15625 - 1500 = 14125
>
> 09:00:00.012 Second Packet Arrival (12ms)
> Token Bucket (Bc) = 14125 + 750 - 1500 = 13375
>
> 09:00:00.024 Third Packet Arrival (12ms)
> Token Bucket (Bc) = 13375 + 750 - 1500 = 12625
>
> After another 192ms your bucket has almost diminished, with only 625 tokens
> left or 625 bytes worth of conforming data left.
>
> The next lot of data will take us to -125 bytes or tokens, therefore the
> next packet exceeds and no tokens are taken from the bucket, instead the
> bucket will now look like this
>
> Token Bucket (Bc) = 625 + 750 = 1375 and the packet is considered
> exceeding, and an action performed based on what's configured
>
> Another 12ms passes, and another 1500byte packet arrives
>
> Token Bucket (Bc) = 1375 + 750 - 1500 = 625, packet conforms and is passed
>
> Another 12ms passes..
>
> Token Bucket (Bc) = 625 + 750 = 1375, packet exceeds
>
>
> So as you can see you have that initial burst for 250ms where you can send
> data, then on average every second packet is dropped so you are averaged out
> to only 500,000bps..
>
> So what if we apply the same logic to a bucket with 4000 bytes available?
>
> 09:00:00.000 First Packet Arrival (1500bytes)
> Token Bucket (Bc) = 4000 - 1500 = 2500
>
> 09:00:00.012 Second Packet Arrival (12ms)
> Token Bucket (Bc) = 2500 + 750 - 1500 = 1750
>
> 09:00:00.024 Third Packet Arrival (12ms)
> Token Bucket (Bc) = 1750 + 750 - 1500 = 1000
>
> 09:00:00.036 Fourth Packet Arrival (12ms)
> Token Bucket (Bc) = 1000 + 750 - 1500 = 250
>
> 09:00:00.048 Fifth Packet Arrival (12ms)
> Token Bucket (Bc) = 250 + 750 - 1500 = -250 (Packet considered exceeding as
> there are not enough tokens, no tokens taken from bucket)
> Token Bucket (Bc) = 250 + 750 = 1000
>
> 09:00:00.060 Sixth Packet Arrival (12ms)
> Token Bucket (Bc) = 1000 + 750 - 1500 = 250 (Packet conforms)
>
> 09:00:00.072 Seventh Packet Arrival (12ms)
> Token Bucket (Bc) = 250 + 750 - 1500 = -250 (Packet considered exceeding as
> there are not enough tokens, no tokens taken from bucket)
> Token Bucket (Bc) = 250 + 750 = 1000
>
> 09:00:00.084 Eighth Packet Arrival (12ms)
> Token Bucket (Bc) = 1000 + 750 - 1500 = 250 (Packet conforms)
>
> Okay, that looks like the same end result to me?
>
> What if our line was 100mbps?
>
> So now we can send data at a rate of 12500 bytes per ms... if our MTU is at
> 1500 then we'd probably end up seeing around 8 packets per ms!
>
> 09:00:00.000.000 First Packet Arrival (1500bytes)
> Token Bucket (Bc) = 4000 - 1500 = 2500
>
> 09:00:00.000.120 Second Packet Arrival (120microseconds)
> Token Bucket (Bc) = 2500 + 7.5 - 1500 = 1007.5
>
> 09:00:00.000.240 Third Packet Arrival (120microseconds)
> Token Bucket (Bc) = 1007.5 + 7.5 - 1500 = -492.5 (Packet Exceeds No Tokens
> Taken)
> Token Bucket (Bc) = 1007.5 + 7.5 = 1015
>
> 09:00:00.000.360 Fourth Packet Arrival (120microseconds)
> Token Bucket (Bc) = 1015 + 7.5 - 1500 = 477.5 (Packet Exceeds No Tokens
> Taken)
> Token Bucket (Bc) = 1015 + 7.5 = 1022.5
>
> It'd take approximately 8 milliseconds to fill our bucket back up to
> 1500 bytes just to be emptied again, taking another 24ms to fill up again..
> averaging to around 62,500 bytes per second or 500,000bps :-)
> This is how I worked out my math, hopefully it's correct, otherwise I have to
> revisit this whole section of study, and get it right before I sit my exam
> on the 23rd of August EEK!
>
> *Packet Size / Bucket Fill Rate * Time Between Packets (Microseconds) /
> 1000 (1000 microseconds = 1millisecond)*
>
> 1500 / 7.5 * 120 / 1000 = 24
>
> *1000 Milliseconds / 24milliseconds = 41.66 x 1500 bytes are considered
> conforming*
>
> 1000 / 24 = 41.66
>
> *Number of Packets * Size Per Packet = Total Bytes Per Second*
>
> 41.66 * 1500 = 62500 bytes per milliseconds
>
> *Bytes Per Second * 8 = bits per second*
> 62500 * 8 = 500 000 bps
>
> Hope this helps
>
> Garth
>
>
> On Thu, Jul 29, 2010 at 1:33 AM, Gaurav Thukral <pearlgaurav_at_gmail.com> wrote:
>
>> Hi Sonu,
>>
>> Thanks for your reply. Just want to confirm how was this Bc and Be value
>> derived if we have CIR = 500000
>> As far as I know we use formula :- CIR/32
>>
>> => Bc = 500000/32 = 16000 (Approx.)
>>
>> Please suggest if I am assuming something wrong here.
>>
>> Thanks & Regards,
>> Gaurav.
>>
>> On Wed, Jul 28, 2010 at 7:44 PM, Sonu Khandelwal (sokhande) <
>> sokhande_at_cisco.com> wrote:
>>
>> > Hi,
>> > It gets automatically converted to 496000 even if we give 500000 as cir.
>> >
>> > R2(config)#int gi0/1
>> > R2(config-if)#rate-limit input 500000 1500 2000 conform-action transmit
>> > exceed-action drop
>> >
>> > R2#sh run int gi0/1
>> > Building configuration...
>> >
>> > Current configuration : 339 bytes
>> > !
>> > interface GigabitEthernet0/1
>> > rate-limit input 496000 1500 2000 conform-action transmit exceed-action drop
>> > End
>> >
>> > I think this is some kind of limitation with this kind of config, I
>> > think we should configure 500000 as cir. BTW in case of policing bc and
>> > be are in bytes and not in bits hence assuming 4000 bytes as bc might
>> > not make it 500000 (policing rate).
>> >
>> > Just my 2c.
>> >
>> > Thanks,
>> > Sonu
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> > Alexei Monastyrnyi
>> > Sent: Wednesday, July 28, 2010 6:50 PM
>> > To: Gaurav Thukral
>> > Cc: Group study
>> > Subject: Re: Rate limiting TCP syn attack
>> >
>> > Guarav,
>> > I would guess their train of thought being average rate + normal burst,
>> > 496000 + 4000 is 500000. The fishy part is that average rate is in bits
>> > and bursts are in bytes...
>> >
>> > HTH
>> > A.
>> >
>> > On 7/28/2010 11:10 PM, Gaurav Thukral wrote:
>> > > Hi experts
>> > >
>> > > I came across one following question while practicing for my security
>> > > section of CCIE SP :-
>> > >
>> > > Recently monitoring of your web server on VLAN 5 has shown an inordinate
>> > > amount of half open TCP sessions, possibly indicating a DoS attack. In
>> > > order to reduce the load on the server while the possibility of attack is
>> > > investigated, configure R5 so that TCP requests sent to this server are
>> > > limited to a maximum of 500Kbps.
>> > >
>> > > Following is the solution given for this.
>> > >
>> > > ANS:
>> > >
>> > > interface Ethernet0/1
>> > > rate-limit output access-group 192 *496000* 4000 4000 conform-action
>> > > transmit exceed-action drop
>> > > !
>> > > access-list 192 permit tcp any 173.1.5.0 0.0.0.255 eq www syn
>> > >
>> > >
>> > > According to me in this case CIR should be 500000 as question says "maximum
>> > > of 500" and accordingly Bc and Be should be calculated. Not sure how Bc and
>> > > Be value is taken here. Can someone please explain this?
>> > >
>> > > Thanks & Regards,
>> > > Gaurav.
>> > >
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > > _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>>
>>
Received on Thu Jul 29 2010 - 21:50:36 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART