In this article, we will see how you can use the Thunder CFW to rate-limit traffic on a per-application (or application category) basis.
Objective
Here, we want to rate-limit application traffic for each subscriber as follows:
- Social network traffic: uplink = 1 Mbps, downlink = 2 Mbps
- FTP or TFTP traffic: uplink = 2 Mbps, downlink = 4 Mbps
- Web traffic: uplink = 3 Mbps, downlink = 10 Mbps
- All other traffic: uplink = 4 Mbps, downlink = 20 Mbps
Requirement
- Thunder CFW running ACOS 5.2.1 or higher. Here we are running ACOS 5.2.1-P2.
Steps
Confirm you have the required software feature license:
vThunder#sh license-info
------------------------------------------------------------------------------------
Enabled Licenses Expiry Date (UTC) Notes
------------------------------------------------------------------------------------
QOSMOS 22-September-2022
Configure the Thunder device to periodically update the application protocol signatures:
automatic-update use-mgmt-port
!
automatic-update app-fw schedule daily 08:00
Verify the current download status of application protocol signatures:
vThunder#sh automatic-update
Feature name Version Schedule Time Last Updated Next Check
-------------------------------------------------------------------
app-fw 1.560.0-26 Daily 08:00 2021-09-02 2021-09-08
Configure the inside interface using the ip client command and the outside interface using the ip server command:
interface ethernet 1
enable
ip address 100.64.13.1 255.255.255.0
ip client
!
interface ethernet 2
enable
ip address 100.64.14.1 255.255.255.0
ip server
Configure one rate-limit policy per type of application traffic (the limit-throughput values are in Mbps, matching the objective above):
template limit-policy 1
limit-throughput uplink 1
limit-throughput downlink 2
!
template limit-policy 2
limit-throughput uplink 2
limit-throughput downlink 4
!
template limit-policy 3
limit-throughput uplink 3
limit-throughput downlink 10
!
template limit-policy 4
limit-throughput uplink 4
limit-throughput downlink 20
Note: The scope of the rate-limiting policy can be:
vThunder(config-limit-policy)#limit-scope ?
aggregate Rule Level
subscriber-ip Subscriber IP Level
subscriber-prefix Subscriber Prefix Level
Here we use the default scope, subscriber-ip, so each subscriber IP address gets its own rate-limit entry.
Now, configure a firewall rule-set with one rule per application (or application category), and under each rule's action-group specify the rate-limit policy to apply. The catch-all rule (application any) comes last:
rule-set APPPOLICY
rule rule1
source ipv4-address any
source zone Private
dest ipv4-address any
dest zone Public
service any
application category social-networks
action-group
permit limit-policy 1
rule rule2
source ipv4-address any
source zone Private
dest ipv4-address any
dest zone Public
service any
application protocol ftp
application protocol tftp
action-group
permit limit-policy 2
rule rule3
source ipv4-address any
source zone any
dest ipv4-address any
dest zone Public
service any
application category web
action-group
permit limit-policy 3
rule rule4
source ipv4-address any
source zone Private
dest ipv4-address any
dest zone Public
service any
application any
action-group
permit limit-policy 4
Apply the firewall rule-set as follows:
fw active-rule-set APPPOLICY
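The limit-policy and rule-set configuration above follows a fixed pattern, so it can be generated from a small table of applications and caps. The script below is an added example, not A10 tooling; it emits text in the command syntax shown in this article and assumes, as general firewall behaviour, that rules in a rule-set are matched top-down, so it refuses a plan whose catch-all rule is not last (which would shadow every rule beneath it). Unlike the article's rule3, it uses the same source zone for every rule.

```python
"""Generate ACOS limit-policy templates and a firewall rule-set from a
per-application rate plan. Added example (not A10's code); the plan below
is constructed to match the article's objective."""

from dataclasses import dataclass, field


@dataclass
class AppPolicy:
    """One row of the rate plan: rule name, Mbps caps, and what it matches."""
    name: str
    uplink_mbps: int
    downlink_mbps: int
    categories: list = field(default_factory=list)  # "application category X"
    protocols: list = field(default_factory=list)   # "application protocol X"
    catch_all: bool = False                          # "application any"


# Constructed plan: the four classes of traffic from the article's objective.
PLAN = [
    AppPolicy("rule1", 1, 2, categories=["social-networks"]),
    AppPolicy("rule2", 2, 4, protocols=["ftp", "tftp"]),
    AppPolicy("rule3", 3, 10, categories=["web"]),
    AppPolicy("rule4", 4, 20, catch_all=True),
]


def validate(plan):
    """Reject plans that would not behave as intended on a first-match
    rule-set (assumption: rules are evaluated top-down)."""
    catch_alls = [i for i, p in enumerate(plan) if p.catch_all]
    if len(catch_alls) != 1:
        raise ValueError("plan needs exactly one catch-all rule")
    if catch_alls[0] != len(plan) - 1:
        raise ValueError(f"catch-all {plan[catch_alls[0]].name} must be the last rule")
    names = [p.name for p in plan]
    if len(set(names)) != len(names):
        raise ValueError("duplicate rule names")
    for p in plan:
        if not p.catch_all and not (p.categories or p.protocols):
            raise ValueError(f"{p.name} matches no application")
        if p.uplink_mbps <= 0 or p.downlink_mbps <= 0:
            raise ValueError(f"{p.name} has a non-positive limit")


def render(plan, rule_set="APPPOLICY", src_zone="Private", dst_zone="Public"):
    """Return the configuration text; limit-policy id = rule position (1-based)."""
    validate(plan)
    lines = []
    for idx, p in enumerate(plan, start=1):
        lines += [f"template limit-policy {idx}",
                  f"limit-throughput uplink {p.uplink_mbps}",
                  f"limit-throughput downlink {p.downlink_mbps}",
                  "!"]
    lines.append(f"rule-set {rule_set}")
    for idx, p in enumerate(plan, start=1):
        lines += [f"rule {p.name}",
                  "source ipv4-address any",
                  f"source zone {src_zone}",
                  "dest ipv4-address any",
                  f"dest zone {dst_zone}",
                  "service any"]
        lines += [f"application category {c}" for c in p.categories]
        lines += [f"application protocol {proto}" for proto in p.protocols]
        if p.catch_all:
            lines.append("application any")
        lines += ["action-group", f"permit limit-policy {idx}"]
    lines.append(f"fw active-rule-set {rule_set}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PLAN))
```

Running the script prints a configuration equivalent to the one above; swapping rule4 to the top of PLAN makes render() raise instead of producing a rule-set in which rule4 would match everything first.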
Verification
Start web traffic from two clients, 100.64.13.11 and 100.64.13.12.
On the Thunder device, verify that the application traffic is being rate-limited per subscriber (rates are shown in bytes per second) as follows:
vThunder#sh fw rate-limit
IP Address Prefix Rule Type CPS Uplink-Rate Downlink-Rate Total-Rate Drop Count
100.64.13.11 32 rule4 BPS 0 0 0 0 0
100.64.13.11 32 rule3 BPS 0 38400 1597019 0 2901
100.64.13.12 32 rule3 BPS 0 38400 1556141 0 1598
Total Rate Limit Entries Shown:3
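Reading the rate-limit table by eye is error-prone because the caps are configured in Mbps while the table reports bytes per second. The parser below is an added example, not A10 tooling: it consumes the show fw rate-limit output above (copied from this article as constructed sample input), converts the rates to Mbps, places each entry next to its configured cap, and treats a non-zero Drop Count as the sign that the limiter is engaged for that subscriber and rule. It also checks that the number of parsed rows matches the "Total Rate Limit Entries Shown" trailer.

```python
"""Parse `show fw rate-limit` output and report per-subscriber rates in
Mbps against the configured caps. Added example, not A10's code."""

import re
from dataclasses import dataclass

# Constructed: (uplink, downlink) caps in Mbps per rule, from the article's limit-policies.
CAPS_MBPS = {"rule1": (1, 2), "rule2": (2, 4), "rule3": (3, 10), "rule4": (4, 20)}

# Constructed sample: the verification output shown in the article.
SAMPLE = """\
IP Address Prefix Rule Type CPS Uplink-Rate Downlink-Rate Total-Rate Drop Count
100.64.13.11 32 rule4 BPS 0 0 0 0 0
100.64.13.11 32 rule3 BPS 0 38400 1597019 0 2901
100.64.13.12 32 rule3 BPS 0 38400 1556141 0 1598
Total Rate Limit Entries Shown:3
"""

ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
TRAILER = re.compile(r"^Total Rate Limit Entries Shown:\s*(\d+)$")


@dataclass
class RateEntry:
    ip: str
    prefix: int
    rule: str
    unit: str      # "BPS" in the article's output: bytes per second
    cps: int
    uplink: int    # bytes per second
    downlink: int  # bytes per second
    total: int
    drops: int


def bps_to_mbps(byte_rate):
    """Bytes per second -> megabits per second (decimal mega, as in 'Mbps')."""
    return byte_rate * 8 / 1_000_000


def parse(text):
    """Return (entries, declared_total). Raises if the row count disagrees
    with the trailer, which would indicate truncated or garbled output."""
    entries, declared = [], None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, prefix, rule, unit, cps, up, down, total, drops = m.groups()
            entries.append(RateEntry(ip, int(prefix), rule, unit, int(cps),
                                     int(up), int(down), int(total), int(drops)))
            continue
        t = TRAILER.match(line.strip())
        if t:
            declared = int(t.group(1))
    if declared is not None and declared != len(entries):
        raise ValueError(f"trailer says {declared} entries, parsed {len(entries)}")
    return entries, declared


def summarize(entries, caps):
    """One dict per entry: measured Mbps, configured caps, and whether the
    limiter is engaged (non-zero Drop Count)."""
    rows = []
    for e in entries:
        up_cap, down_cap = caps.get(e.rule, (None, None))
        rows.append({
            "ip": e.ip, "rule": e.rule,
            "uplink_mbps": bps_to_mbps(e.uplink),
            "downlink_mbps": bps_to_mbps(e.downlink),
            "uplink_cap_mbps": up_cap, "downlink_cap_mbps": down_cap,
            "drops": e.drops,
            "limiting": e.drops > 0,
        })
    return rows


if __name__ == "__main__":
    ents, _ = parse(SAMPLE)
    for r in summarize(ents, CAPS_MBPS):
        state = "limiting" if r["limiting"] else "idle"
        print(f"{r['ip']:<14} {r['rule']:<6} up {r['uplink_mbps']:.3f}/{r['uplink_cap_mbps']} Mbps "
              f"down {r['downlink_mbps']:.3f}/{r['downlink_cap_mbps']} Mbps drops={r['drops']} {state}")
```

For the sample above, both rule3 entries report drops and a downlink figure above the 10 Mbps cap, while the rule4 entry for 100.64.13.11 is idle; the article does not say whether the displayed rate is the offered or the forwarded rate, so the script reports the number as-is and relies on Drop Count to decide whether the limiter is active.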