The mechanism and implementation of CAR on a Cisco Router

Source: Internet
Author: User

This article describes in detail what CAR is, how to configure it, how to check whether it is working on a given interface, and related points. I believe it will be useful to you.

Many organizations have built internal networks to support their work, and large enterprises and organizations may also have built wide area networks (WANs). Many kinds of applications run on these networks, and traffic control is needed to keep the main applications running well. One option is to buy a traffic-control product such as PacketShaper, but these products are expensive, so users cannot deploy them widely across the network. The second option is to use the CAR traffic-control policy on the Cisco routers that are already widely used in enterprise networks.

I. What is CAR?

CAR is short for Committed Access Rate, that is, a guaranteed access rate.

1. Role of CAR

CAR has two main functions: limiting the inbound or outbound traffic rate of an interface or subinterface to a configured upper bound, and classifying traffic by assigning it different QoS priorities.

2. CAR Applicability

CAR works only on IP packets; it cannot limit non-IP traffic. In addition, CAR can only be used on a router or switch that supports CEF (Cisco Express Forwarding) switching, so only Cisco 2600 series and higher models can use CAR. CAR cannot be used on the following interfaces:

Fast EtherChannel interface

Tunnel Interface

PRI interface

3. CAR Operation Mechanism

CAR can be seen as a combination of packet classification and access rate limiting. Its workflow is as follows:

The first step, traffic matching, identifies the traffic of interest in the data stream. "Interesting" traffic means the type of packets whose rate the user wants to control. Traffic can be identified by the following methods:

(1) All IP traffic, so that a single traffic-control policy applies to all IP traffic.

(2) IP precedence, defined with a rate-limit access list.

(3) QoS group.

(4) MAC address, defined with a rate-limit access list.

(5) IP access list, defined with a standard or extended access list.

After the first step has identified the traffic of interest, the second step measures it (traffic measurement). CAR uses a token bucket mechanism to measure traffic.

The tokens in the figure can be thought of as the interesting traffic identified by traffic matching in the first step. Packets of this traffic enter a bucket whose depth is defined by the user, and they leave the bucket at the desired rate (not the actual rate of this traffic, but the maximum rate allowed for it), after which the next operation (the conform action) is applied. Depending on how the actual traffic rate compares with this desired rate, there are two situations:

(1) The actual traffic rate is less than or equal to the desired rate. The rate at which tokens leave the bucket then equals the rate at which they arrive, the bucket stays essentially empty, and the traffic does not exceed the expected value.

(2) The actual traffic rate exceeds the desired rate. Tokens then enter the bucket faster than they leave it, so after some time the bucket fills and newly arriving tokens overflow (excess). CAR then applies the corresponding action to them (generally discarding them, or changing their IP precedence to alter their priority). This keeps the data rate within the desired value defined by the user.

II. How to configure CAR

Generally, CAR is suited to deployment at the edge of the network; our usual practice is to deploy it on the sub-gateway router. CAR configuration mainly consists of the following parts:

1. Determine the "interesting" traffic type, mainly through one of the following methods:

(1) All IP traffic

(2) IP precedence-based

(3) QoS group-based

(4) MAC address-based

(5) Standard or extended IP access list

The fifth method is the most commonly used. A standard IP access list selects which source IP addresses need rate limiting; an extended IP access list additionally selects which protocol traffic (such as HTTP or FTP) between given source and destination addresses needs rate limiting. For example, to limit the speed at which intranet users browse web pages, the traffic can be defined with the following access list:

access-list 101 permit tcp any eq www any

Note that the entry must be written as any eq www any rather than matching port 80 as the destination (any any eq www). The bulk of the traffic is not the requests users send to the HTTP server (those have a random source port and destination port 80), but the page data the HTTP server returns after receiving a request (source port 80, destination port the requester's port). If you overlook this small detail, the download traffic will not be limited effectively.

2. Configure rate-limit on the corresponding interface:

The general syntax is:

interface X

 rate-limit {input | output} [access-group number] bps burst-normal burst-max conform-action action exceed-action action

The command is interpreted as follows:

interface: the interface whose traffic you want to control. It can be an Ethernet or a serial interface, but the input/output direction below differs by interface type.

input | output: whether to limit the inbound or the outbound traffic. For example, on an Ethernet interface this traffic would be configured as output, while on a serial interface it would be input.

access-group number: the number of the access list with which the user defined the traffic.

bps: the maximum rate you want for this traffic, in bits per second.

burst-normal burst-max: the size of the token bucket, in bytes. These values are generally 8000, 16000, or 32000, depending on the bps value.

conform-action: the action applied to traffic within the rate limit.

exceed-action: the action applied to traffic exceeding the rate limit.

action: the processing policy, one of the following:

transmit: transmit the packet.

drop: discard the packet.

Set precedence and transmit (set-prec-transmit): set the IP precedence, then transmit.

Set QoS group and transmit (set-qos-transmit): assign the packet to a QoS group, then transmit.

continue: take no action and evaluate the next rate-limit command; if there is none, transmit.

Set precedence and continue (set-prec-continue): set the IP precedence, then continue.

Set QoS group and continue (set-qos-continue): assign the packet to a QoS group, then continue.

Note that several rate-limit commands can be configured on one interface. If an action contains continue, the next rate-limit command is evaluated in turn; a packet that is not discarded by any rate-limit command after the continue is transmitted. An interface can have up to 20 rate-limit commands.

For this example, the corresponding configuration is:

interface e0

 rate-limit output access-group 101 128000 16000 16000 conform-action transmit exceed-action drop

Here the download traffic is limited to 128 kbps with a 16000-byte token bucket. If the token bucket is set too small (for example, 4000), the speed seen on the user side will not be smooth.
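The following is an added example, not code from the original article or from Cisco: a small Python model of the token bucket described in section 3 above, run with the parameters of the configuration just shown (128000 bps, 16000-byte bucket) and with the too-small 4000-byte bucket, to make visible why the bucket size affects the smoothness the text mentions. It uses the standard single-rate token-bucket formulation (tokens accrue at the committed rate and each packet spends its bytes), assumes burst-max equals burst-normal, and uses a constructed packet burst as input.

```python
from dataclasses import dataclass, field


@dataclass
class CarPolicer:
    """Single-rate token bucket as CAR applies it to one rate-limit rule.

    Assumes burst-max equals burst-normal (as in '128000 16000 16000' above),
    so CAR's extended-burst behaviour is not modelled.
    """
    bps: int            # committed rate in bits per second (the "bps" argument)
    burst_normal: int   # token bucket depth in bytes (the "burst-normal" argument)
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_normal)  # the bucket starts full

    def packet(self, size_bytes: int, now: float) -> str:
        """Classify one packet arriving at time `now` (seconds) as conform or exceed."""
        # Tokens accrue at the committed rate and are capped at the bucket depth,
        # so an idle period buys at most one bucket-sized burst.
        elapsed = now - self.last_time
        self.last_time = now
        self.tokens = min(self.burst_normal, self.tokens + elapsed * self.bps / 8)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes  # the packet spends its bytes from the bucket
            return "conform"           # conform-action transmit
        return "exceed"                # exceed-action drop (no tokens consumed)


def simulate(bps: int, burst_normal: int, packets):
    """Run a list of (arrival_time_s, size_bytes) through one policer.

    Returns (conformed, exceeded) packet counts, the two counters that
    'show interface rate-limit' reports for a rule.
    """
    policer = CarPolicer(bps, burst_normal)
    verdicts = [policer.packet(size, t) for t, size in packets]
    return verdicts.count("conform"), verdicts.count("exceed")


# Constructed sample: a web server answers with ten 1500-byte segments inside
# 10 ms, a burst far above 128 kbps, followed by silence.
BURST = [(i * 0.001, 1500) for i in range(10)]

if __name__ == "__main__":
    print(simulate(128000, 16000, BURST))  # -> (10, 0): the bucket absorbs the burst
    print(simulate(128000, 4000, BURST))   # -> (2, 8): most of the burst is dropped
```

A steady stream at exactly 128 kbps conforms indefinitely, while a stream at twice that rate conforms only until the bucket drains and then alternates between conform and exceed, which is the long-run rate enforcement the text describes.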

III. How to check whether CAR works on the corresponding interface?

Run the show interface XX rate-limit command to check the actual effect of CAR on interface XX, as in the following example:

Fddi2/1/0
  Input
    Matches: access-group 101
      Params: 80000000 bps, 72000 limit, 72000 extended limit
      Conformed 0 packets, 0 bytes; action: set-prec-transmit 5
      Exceeded 0 packets, 0 bytes; action: set-prec-transmit 0
      Last packet: 4738036 ms ago, current burst: 0 bytes
      Last cleared 01:02:05 ago, conformed 0 bps, exceeded 0 bps
    Matches: all traffic
      Params: 50000000 bps, 64000 limit, 64000 extended limit
      Conformed 0 packets, 0 bytes; action: set-prec-transmit 5
      Exceeded 0 packets, 0 bytes; action: set-prec-transmit 0
      Last packet: 4738036 ms ago, current burst: 0 bytes
      Last cleared 01:00:22 ago, conformed 0 bps, exceeded 0 bps
  Output
    Matches: all traffic
      Params: 80000000 bps, 80000 limit, 80000 extended limit
      Conformed 0 packets, 0 bytes; action: transmit
      Exceeded 0 packets, 0 bytes; action: drop
      Last packet: 4809528 ms ago, current burst: 0 bytes
      Last cleared 00:59:42 ago, conformed 0 bps, exceeded 0 bps

The output of show interface rate-limit is interpreted as follows.

Matches shows the traffic matching rule configured on the interface; several Matches entries mean the interface has several rate-limit commands and therefore several matching rules. The Params line that follows gives the parameters of the rule: xxx bps is the configured rate, and limit and extended limit are the token bucket capacities. Conformed x packets, y bytes gives the number of packets and bytes within the rate limit, and action the processing applied to conforming packets; the Exceeded x packets line likewise gives the packets and bytes that exceeded the rate limit and the action applied to them. Last packet shows how long ago the most recent packet arrived, current burst shows the amount of data currently in the token bucket, Last cleared shows the time since the counters were last cleared, conformed x bps is the actual rate of packets within the limit, and exceeded y bps is the rate of the excess packets.

This command lets us check the actual effect of the CAR configuration. If no conformed traffic appears, the cause is generally an incorrect traffic matching rule or the wrong input/output direction on the interface.
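As an added example (not part of the original article), the following Python parser reads the output of show interface rate-limit in the layout shown above and reports the rules whose conformed counter is still zero, which is exactly the symptom the preceding paragraph says points to a wrong match rule or wrong direction. The sample output it parses is constructed for the example, not captured from a real device.

```python
import re

# Constructed sample in the shape of the output shown above: the input rule
# has seen no traffic at all, while the output rule is conforming and
# occasionally exceeding.
SAMPLE = """\
Fddi2/1/0
  Input
    matches: access-group 101
      params:  80000000 bps, 72000 limit, 72000 extended limit
      conformed 0 packets, 0 bytes; action: set-prec-transmit 5
      exceeded 0 packets, 0 bytes; action: set-prec-transmit 0
      last packet: 4738036ms ago, current burst: 0 bytes
      last cleared 01:02:05 ago, conformed 0 bps, exceeded 0 bps
  Output
    matches: all traffic
      params:  80000000 bps, 80000 limit, 80000 extended limit
      conformed 1200 packets, 1440000 bytes; action: transmit
      exceeded 30 packets, 45000 bytes; action: drop
      last packet: 12ms ago, current burst: 0 bytes
      last cleared 00:59:42 ago, conformed 120000 bps, exceeded 3000 bps
"""

PARAMS = re.compile(r"params:\s+(\d+) bps, (\d+) limit, (\d+) extended limit", re.I)
COUNTER = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes; action: (.+)", re.I)


def parse_rate_limit(text):
    """Return one dict per rate-limit rule, in display order."""
    rules, direction, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low in ("input", "output"):           # direction header for the rules below
            direction = low
        elif low.startswith("matches:"):         # each 'matches:' line starts a new rule
            cur = {"direction": direction, "matches": line.split(":", 1)[1].strip()}
            rules.append(cur)
        elif cur is not None:
            m = PARAMS.match(line)
            if m:
                cur["bps"], cur["limit"], cur["extended_limit"] = map(int, m.groups())
            m = COUNTER.match(line)              # anchored, so 'last cleared ... conformed' is skipped
            if m:
                cur[m.group(1).lower()] = {"packets": int(m.group(2)),
                                           "bytes": int(m.group(3)), "action": m.group(4)}
    return rules


def rules_without_conformed_traffic(rules):
    """Rules whose conformed counter is zero: the symptom discussed above."""
    return [(r["direction"], r["matches"]) for r in rules if r["conformed"]["packets"] == 0]
```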

IV. Other functions of CAR

Besides limiting the rate of a given type of traffic, CAR can also be used to defend against certain kinds of network attacks.

One characteristic of DoS attacks is that the network is flooded with large numbers of ICMP packets carrying forged source addresses. By configuring CAR on the router to rate-limit ICMP packets, we can protect the network.
