Application-based Rate-Limiting with Thunder CFW

siddharthaasiddharthaa Member, Moderator mod
edited September 2021 in Tips

In this article, we will see how you can use the Thunder CFW to rate-limit traffic on a per-application (or application category) basis.


Objective

Here, we want to rate-limit application traffic for each subscriber as follows:

  • Social network traffic: upload speed = 1 Mbps, downlink speed = 2 Mbps
  • FTP or TFTP traffic: upload speed = 2 Mbps, downlink speed = 4 Mbps
  • Web traffic: upload speed = 3 Mbps, downlink speed = 10 Mbps
  • All other traffic: upload speed = 4 Mbps, downlink speed = 20 Mbps


Requirement

  • Thunder CFW running ACOS 5.2.1 or higher. Here we are running ACOS 5.2.1-P2.


Steps

Confirm you have the required software feature license:

vThunder#sh license-info
------------------------------------------------------------------------------------
Enabled Licenses     Expiry Date (UTC)        Notes
------------------------------------------------------------------------------------
QOSMOS          22-September-2022


Configure the Thunder device to periodically update the application protocol signatures:

automatic-update use-mgmt-port
!
automatic-update app-fw schedule daily 08:00


Verify the current download status of application protocol signatures:

vThunder#sh automatic-update
Feature name Version   Schedule Time  Last Updated Next Check
-------------------------------------------------------------------
app-fw    1.560.0-26 Daily   08:00 2021-09-02  2021-09-08


Configure the inside interface using the ip client command and the outside interface using the ip server command:

interface ethernet 1
 enable
 ip address 100.64.13.1 255.255.255.0
 ip client
!
interface ethernet 2
 enable
 ip address 100.64.14.1 255.255.255.0
 ip server


Configure the rate-limit policies for the different types of applications traffic:

template limit-policy 1
 limit-throughput uplink 1
 limit-throughput downlink 2
!
template limit-policy 2
 limit-throughput uplink 2
 limit-throughput downlink 4
!
template limit-policy 3
 limit-throughput uplink 3
 limit-throughput downlink 10
!
template limit-policy 4
 limit-throughput uplink 4
 limit-throughput downlink 20


Note: The scope of the rate-limiting policy can be:

vThunder(config-limit-policy)#limit-scope ?
 aggregate     Rule Level
 subscriber-ip   Subscriber IP Level
 subscriber-prefix Subscriber Prefix Level


Here we are using the scope of subscriber-ip, which is the default scope.


Now, configure a firewall rule-set matching the various applications (or application category), and under each rule, specify the corresponding rate-limit policy to be applied:

rule-set APPPOLICY
 rule rule1
  source ipv4-address any
  source zone Private
  dest ipv4-address any
  dest zone Public
  service any
  application category social-networks
  action-group
   permit limit-policy 1
 rule rule2
  source ipv4-address any
  source zone Private
  dest ipv4-address any
  dest zone Public
  service any
  application protocol ftp
  application protocol tftp
  action-group
   permit limit-policy 2
 rule rule3
  source ipv4-address any
  source zone any
  dest ipv4-address any
  dest zone Public
  service any
  application category web
  action-group
   permit limit-policy 3
 rule rule4
  source ipv4-address any
  source zone Private
  dest ipv4-address any
  dest zone Public
  service any
  application any
  action-group
   permit limit-policy 4


Apply the firewall rule-set as follows:

fw active-rule-set APPPOLICY


Verification

Start web traffic from two clients 100.64.13.11 and 100.64.13.12.


On the Thunder device you can verify the application traffic is being rate-limited (in bytes per second) as follows:

vThunder#sh fw rate-limit
IP Address  Prefix Rule  Type CPS Uplink-Rate Downlink-Rate Total-Rate Drop Count
100.64.13.11 32   rule4 BPS  0  0      0       0      0
100.64.13.11 32   rule3 BPS  0  38400    1597019    0      2901
100.64.13.12 32   rule3 BPS  0  38400    1556141    0      1598
Total Rate Limit Entries Shown:3


Sign In or Register to comment.