Configuring Rate Limits

This chapter describes how to configure rate limits for supervisor-bound traffic on Cisco NX-OS devices.

This chapter includes the following sections:

About Rate Limits

Rate limits can prevent redirected packets for exceptions from overwhelming the supervisor module on a Cisco NX-OS device. You can configure rate limits in packets per second for the following types of redirected packets:

  • Access-list log packets

  • Bidirectional forwarding detection (BFD) packets

  • Catch-all exception traffic

  • Fabric Extender (FEX) traffic

  • Layer 3 glean packets

  • Layer 3 multicast data packets

  • SPAN egress traffic—For this option only, you can configure rate limits in kilobits per second.

Licensing Requirements for Rate Limits

The following table shows the licensing requirements for this feature:

Product

License Requirement

Cisco NX-OS

No license is required for rate limits. Any feature not included in a license package is bundled with the nx-os image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Guidelines and Limitations for Rate Limits

Rate limits has the following configuration guidelines and limitations:

  • You can set rate limits for supervisor-bound exception and redirected traffic. Use control plane policing (CoPP) for other types of supervisor-bound traffic.


    Note

    Hardware rate-limiters protect the supervisor CPU from excessive inbound traffic. The traffic rate allowed by the hardware rate-limiters is configured globally and applied to each individual I/O module. The resulting allowed rate depends on the number of I/O modules in the system. CoPP provides more granular supervisor CPU protection by utilizing the modular quality-of-service CLI (MQC).


Note

If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Default Settings for Rate Limits

This table lists the default settings for rate limits parameters.

Table 1. Default Rate Limits Parameters Settings

Parameters

Default

Access-list log packets rate limit

100 packets per second

BFD packets rate limit

10000 packets per second

Exception packets rate limit

50 packets per second

FEX packets rate limit

1000 packets per second

Layer 3 glean packets rate limit

100 packets per second

Layer 3 multicast data packets rate limit

3000 packets per second

SPAN egress rate limit

No limit

Configuring Rate Limits

You can set rate limits on supervisor-bound traffic.

SUMMARY STEPS

  1. configure terminal
  2. hardware rate-limiter access-list-log {packets | disable} [module module [port start end]]
  3. hardware rate-limiter bfd packets [module module [port start end]]
  4. hardware rate-limiter exception packets [module module [port start end]]
  5. hardware rate-limiter fex packets [module module [port start end]]
  6. hardware rate-limiter layer-3 glean packets [module module [port start end]]
  7. hardware rate-limiter layer-3 multicast local-groups packets [module module [port start end]]
  8. (Optional) show hardware rate-limiter [ access-list-log | bfd |exception | fex | layer-3 glean | layer-3 multicast local-groups | |module module]
  9. (Optional) copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

hardware rate-limiter access-list-log {packets | disable} [module module [port start end]]

Example:

switch(config)# hardware rate-limiter access-list-log 200

Configures rate limits in packets per second for packets copied to the supervisor module for access list logging. The range is from 0 to 10000.

Step 3

hardware rate-limiter bfd packets [module module [port start end]]

Example:

switch(config)# hardware rate-limiter bfd 500

Configures rate limits in packets per second for bidirectional forwarding detection (BFD) packets. The range is from 0 to 10000.

Step 4

hardware rate-limiter exception packets [module module [port start end]]

Example:

switch(config)# hardware rate-limiter exception 500

Configures rate limits in packets per second for any exception traffic in the system that is not classified by the Control Plane Policing (CoPP) policy. The range is from 0 to 10000.

Step 5

hardware rate-limiter fex packets [module module [port start end]]

Example:

switch(config)# hardware rate-limiter fex 500

Configures rate limits in packets per second for supervisor-bound FEX trafffic. The range is from 0 to 10000.

Step 6

hardware rate-limiter layer-3 glean packets [module module [port start end]]

Example:

switch(config)# hardware rate-limiter layer-3 glean 500

Configures rate limits in packets per second for Layer 3 glean packets. The range is from 0 to 10000.

A node receiving traffic for a particular destination might be unable to forward traffic because it is unaware of the rewrite information or the physical layer interface behind which the destination resides. During this time, it is possible to install a glean entry in the data path for that destination. Because this might not be a pointer to the global punt adjacency, a reserved module or port value is used to punt such packets to the supervisor. This glean rate can be controlled using the given rate limiter.

Note

 

The CoPP policy controls the rate of glean packets that are forwarded due to global punt adjacency, and this rate limiter controls the destination-specific glean packets.

Step 7

hardware rate-limiter layer-3 multicast local-groups packets [module module [port start end]]

Example:

switch(config)# hardware rate-limiter layer-3 multicast local-groups 300

Configures rate limits in packets per second for Layer 3 multicast data packets that are punted for initiating a shortest-path tree (SPT) join. The range is from 0 to 10000.

Step 8

(Optional) show hardware rate-limiter [ access-list-log | bfd |exception | fex | layer-3 glean | layer-3 multicast local-groups | |module module]

Example:

switch# show hardware rate-limiter
 (Optional)

Displays the rate limit configuration. The module range is from 1 to 30.

Step 9

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
 (Optional)

Copies the running configuration to the startup configuration.

Monitoring Rate Limits

You can monitor rate limits.

SUMMARY STEPS

  1. show hardware rate-limiter [access-list-log | bfd | exception | fex | layer-3 glean | layer-3 multicast local-groups | span-egress | module module]

DETAILED STEPS

Command or Action Purpose

show hardware rate-limiter [access-list-log | bfd | exception | fex | layer-3 glean | layer-3 multicast local-groups | span-egress | module module]

Example:

switch# show hardware rate-limiter access-list-log

Displays the rate limit statistics.

Clearing the Rate Limit Statistics

You can clear the rate limit statistics.

SUMMARY STEPS

  1. clear hardware rate-limiter {all | access-list-log | bfd | exception | fex | layer-3 glean | layer-3 multicast local-groups [module module] }

DETAILED STEPS

Command or Action Purpose

clear hardware rate-limiter {all | access-list-log | bfd | exception | fex | layer-3 glean | layer-3 multicast local-groups [module module] }

Example:

switch# clear hardware rate-limiter access-list-log

Clears the rate limit statistics.

Verifying the Rate Limit Configuration

To display the rate limit configuration information, perform the following tasks:

Command

Purpose

show hardware rate-limiter [access-list-log | bfd | exception | fex | layer-3 glean | layer-3 multicast local-groups | module module]

Displays the rate limit configuration.

Configuration Examples for Rate Limits

The following example shows how to configure rate limits for packets copied to the supervisor module for access list logging: 

switch(config)#	hardware rate-limiter access-list-log 
switch(config)# show hardware rate-limiter access-list-log
Units for Config: packets per second
Allowed, Dropped & Total: aggregated since last clear counters


Module: 4
  R-L Class           Config           Allowed         Dropped            Total
 +------------------+--------+---------------+---------------+-----------------
+
  access-list-log         100               0               0                 0

  Port group with configuration same as default configuration
      Eth4/1-36

Module: 22
  R-L Class           Config           Allowed         Dropped            Total
 +------------------+--------+---------------+---------------+-----------------
+
  access-list-log         100               0               0                 0

  Port group with configuration same as default configuration
      Eth22/1-0

Additional References for Rate Limits

This section includes additional information related to implementing rate limits.

Related Documents

Related Topic

Document Title

Cisco NX-OS licensing

Cisco NX-OS Licensing Guide