[T&C] Firewall with Application-based Rate-Limiting using Thunder CFW
In this article, we will see how you can use the Thunder CFW to rate-limit traffic on a per-application (or application category) basis.
Objective
Here, we want to rate-limit application traffic for each subscriber as follows:
- Social network traffic: uplink = 1 Mbps, downlink = 2 Mbps
- FTP or TFTP traffic: uplink = 2 Mbps, downlink = 4 Mbps
- Web traffic: uplink = 3 Mbps, downlink = 10 Mbps
- All other traffic: uplink = 4 Mbps, downlink = 20 Mbps
Requirement
- Thunder CFW running ACOS 5.2.1 or higher. Here we are running ACOS 5.2.1-P2.
Steps
Confirm you have the required software feature license:
vThunder#sh license-info
------------------------------------------------------------------------------------
Enabled Licenses            Expiry Date (UTC)           Notes
------------------------------------------------------------------------------------
QOSMOS                      22-September-2022
Configure the Thunder device to periodically update the application protocol signatures:
automatic-update use-mgmt-port
!
automatic-update app-fw schedule daily 08:00
Verify the current download status of application protocol signatures:
vThunder#sh automatic-update
Feature name    Version       Schedule    Time     Last Updated    Next Check
-------------------------------------------------------------------
app-fw          1.560.0-26    Daily       08:00    2021-09-02      2021-09-08
Configure the inside interface using the ip client command and the outside interface using the ip server command:
interface ethernet 1
  enable
  ip address 100.64.13.1 255.255.255.0
  ip client
!
interface ethernet 2
  enable
  ip address 100.64.14.1 255.255.255.0
  ip server
Configure one rate-limit policy for each class of application traffic (values are in Mbps):
template limit-policy 1
  limit-throughput uplink 1
  limit-throughput downlink 2
!
template limit-policy 2
  limit-throughput uplink 2
  limit-throughput downlink 4
!
template limit-policy 3
  limit-throughput uplink 3
  limit-throughput downlink 10
!
template limit-policy 4
  limit-throughput uplink 4
  limit-throughput downlink 20
Note: The scope at which a limit-policy is enforced can be one of the following:
vThunder(config-limit-policy)#limit-scope ?
  aggregate            Rule Level
  subscriber-ip        Subscriber IP Level
  subscriber-prefix    Subscriber Prefix Level
Here we use the subscriber-ip scope, which is the default, so each subscriber IP address gets its own limit.
Now configure a firewall rule-set that matches the various applications (or application categories) and, under each rule, reference the corresponding rate-limit policy:
rule-set APPPOLICY
  rule rule1
    source ipv4-address any
    source zone Private
    dest ipv4-address any
    dest zone Public
    service any
    application category social-networks
    action-group
      permit
      limit-policy 1
  rule rule2
    source ipv4-address any
    source zone Private
    dest ipv4-address any
    dest zone Public
    service any
    application protocol ftp
    application protocol tftp
    action-group
      permit
      limit-policy 2
  rule rule3
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone Public
    service any
    application category web
    action-group
      permit
      limit-policy 3
  rule rule4
    source ipv4-address any
    source zone Private
    dest ipv4-address any
    dest zone Public
    service any
    application any
    action-group
      permit
      limit-policy 4
Apply the firewall rule-set as follows:
fw active-rule-set APPPOLICY
Verification
Start web traffic from two clients 100.64.13.11 and 100.64.13.12.
On the Thunder device you can verify that the application traffic is being rate-limited (the rate columns are in bytes per second) as follows:
vThunder#sh fw rate-limit
IP Address      Prefix  Rule   Type  CPS  Uplink-Rate  Downlink-Rate  Total-Rate  Drop Count
100.64.13.11    32      rule4  BPS   0    0            0              0           0
100.64.13.11    32      rule3  BPS   0    38400        1597019        0           2901
100.64.13.12    32      rule3  BPS   0    38400        1556141        0           1598
Total Rate Limit Entries Shown:3
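To check the figures from sh fw rate-limit against the policies configured above, here is an added Python example (written for this article, not part of it and not ACOS code): it parses the show output, maps each rule to its limit-policy from rule-set APPPOLICY, converts the Mbps ceilings to bytes per second and reports utilisation, drop counts and rows above their ceiling. It assumes 1 Mbps = 10^6 bit/s and that the rate columns report offered traffic in bytes per second, as the article states; the sample table is retyped from the article.

```python
import re

# Limit policies from the configuration above: (uplink Mbps, downlink Mbps) by policy number.
LIMIT_POLICY = {1: (1, 2), 2: (2, 4), 3: (3, 10), 4: (4, 20)}
# Rule -> limit-policy mapping taken from rule-set APPPOLICY.
RULE_POLICY = {"rule1": 1, "rule2": 2, "rule3": 3, "rule4": 4}

# Constructed sample: the article's `sh fw rate-limit` table, retyped as input.
SAMPLE = """\
IP Address      Prefix  Rule   Type  CPS  Uplink-Rate  Downlink-Rate  Total-Rate  Drop Count
100.64.13.11    32      rule4  BPS   0    0            0              0           0
100.64.13.11    32      rule3  BPS   0    38400        1597019        0           2901
100.64.13.12    32      rule3  BPS   0    38400        1556141        0           1598
Total Rate Limit Entries Shown:3
"""

# One data row: ip, prefix, rule, type, cps, uplink, downlink, total, drops.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def mbps_to_bps(mbps):
    """Convert a limit-throughput value (Mbps, 10^6 bit/s assumed) to bytes per second."""
    return mbps * 1_000_000 // 8

def parse_rate_limit(text):
    """Parse `sh fw rate-limit` output into dicts; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, prefix, rule, typ, cps, up, down, total, drops = m.groups()
        rows.append({"ip": ip, "prefix": int(prefix), "rule": rule, "type": typ,
                     "cps": int(cps), "uplink": int(up), "downlink": int(down),
                     "total": int(total), "drops": int(drops)})
    return rows

def check_rates(rows):
    """Compare each BPS row with its rule's policy ceiling and flag rows above it."""
    report = []
    for r in rows:
        pol = RULE_POLICY.get(r["rule"])
        if pol is None or r["type"] != "BPS":
            continue  # unknown rule or a packet-rate entry: nothing to compare against
        up_cap, down_cap = (mbps_to_bps(v) for v in LIMIT_POLICY[pol])
        report.append({"ip": r["ip"], "rule": r["rule"], "policy": pol,
                       "uplink_util": round(r["uplink"] / up_cap, 3),
                       "downlink_util": round(r["downlink"] / down_cap, 3),
                       "drops": r["drops"],
                       "above_ceiling": r["uplink"] > up_cap or r["downlink"] > down_cap})
    return report
```

Run check_rates(parse_rate_limit(SAMPLE)): on the article's figures both rule3 rows sit above the 10 Mbps downlink ceiling (1,250,000 bytes/s) and carry non-zero drop counts, which is the limiter at work; a row above its ceiling with a drop count stuck at zero is the one worth investigating.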