This article describes how to rate-limit SD-WAN traffic on Versa FlexVNF.
Use Case
In some scenarios, a customer wants to rate-limit the SD-WAN traffic.
For example, in a hub-and-spoke topology the customer might want to rate-limit SD-WAN traffic at the spoke site to avoid congestion at the hub site.
Solution
We need to apply a policer to limit the traffic. On Versa FlexVNF, a policer works in the inbound direction. The policer action is configured on a QoS profile (Step 1); we then need to associate this profile with a particular traffic flow using a QoS policy rule (Step 3).
In this example we have a 1 Gbps WAN link and want to allow a maximum of 10 Mbps of Internet traffic. We therefore configure a 10 Mbps policer on the “SD-WAN-traffic-profile”, which is mapped to the customer traffic flow coming in from the LAN1 interface and going out on the vni-0/0 interface (ptvi zone).
Topology
Configuration
- Configure the QoS profile by logging into Versa Director
Go to Appliance > Configuration > Class of Service > QoS Profiles and then click + to create a new profile.
Define the peak rate of Internet traffic to be allowed (i.e. 10 Mbps) and the burst size, which is specified in bytes (default: 5000 bytes).
Please note: the burst size needs to be chosen carefully because it affects the policer rate. A burst size that is too large may cause the policer to allow more traffic than the specified rate. A burst size that is too small may cause drops before the specified rate is reached.
- Configure the QoS policy
Navigate to Appliance > Configuration > Class of Service > QoS Policies and then click the + button.
There can be only one QoS policy. By default, a ‘Default-policy’ is configured, so we can delete the default one and create a new policy with a different name.
- Configure QoS policy rules
Now navigate to Appliance > Configuration > Class of Service > QoS Policies > Rules and then click + to create a new rule.
Match the source and destination zones. Here the source zone is “Intf-LAN1-Zone”, where the SD-WAN traffic comes in.
Because the SD-WAN traffic leaves through the tunnel interface, we need to select “ptvi” as the destination zone.
We can match other parameters as well, based on requirements.
- Finally, in the Enforce tab, associate the rule with the QoS profile created in step 1 above, then click OK to complete the configuration.
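The burst-size note in step 1 can be made concrete with a small simulation. This is an added example, not Versa code: it assumes a generic single-rate token-bucket policer (Versa's actual algorithm may differ), 1500-byte packets, and constructed traffic that arrives in back-to-back trains at the 1 Gbps line rate.

```python
# Added illustration: a generic single-rate token-bucket policer. This is an
# assumed textbook model, not Versa's implementation; all traffic is constructed.

RATE_BPS = 10_000_000        # 10 Mbps peak rate from the article
LINE_BPS = 1_000_000_000     # 1 Gbps WAN link from the article
PKT = 1500                   # assumed packet size in bytes

def police(packets, rate_bps, burst_bytes):
    """packets: time-sorted (arrival_s, size_bytes). Returns (fwd, dropped) bytes."""
    tokens, last, fwd, dropped = float(burst_bytes), 0.0, 0, 0
    for t, size in packets:
        # Refill at rate_bps/8 bytes per second, capped at the burst size.
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            fwd += size
        else:
            dropped += size      # out-of-profile packet is dropped, not queued
    return fwd, dropped

def trains(duration_s, avg_bps, train=8):
    """Constructed source: `train` back-to-back packets at line rate, repeated
    so that the long-term average offered load is avg_bps."""
    gap = train * PKT * 8 / avg_bps      # seconds between train starts
    wire = PKT * 8 / LINE_BPS            # serialization time of one packet
    out, t = [], 0.0
    while t < duration_s:
        out.extend((t + i * wire, PKT) for i in range(train))
        t += gap
    return out

def forwarded_mbps(avg_bps, burst_bytes, duration_s=1.0):
    """Throughput that survives the policer, in Mbps, over duration_s."""
    fwd, _ = police(trains(duration_s, avg_bps), RATE_BPS, burst_bytes)
    return fwd * 8 / duration_s / 1e6

if __name__ == "__main__":
    # Offered load equals the policer rate, but arrives in line-rate trains.
    print("10 Mbps offered, burst 5000 B  :", forwarded_mbps(10e6, 5000))
    print("10 Mbps offered, burst 12000 B :", forwarded_mbps(10e6, 12000))
    # Offered load is 10x the policer rate, measured over the first second.
    print("100 Mbps offered, burst 5000 B :", forwarded_mbps(100e6, 5000))
    print("100 Mbps offered, burst 1 MB   :", forwarded_mbps(100e6, 1_000_000))
```

Under these assumptions the 5000-byte burst forwards only about 3.8 Mbps of a bursty 10 Mbps load, while a 1 MB burst lets roughly 18 Mbps through during the first second of a 100 Mbps load.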
Verification
Initiate traffic and check whether the configured QoS policy rule is getting hits. If the rule is not getting hits, cross-check the source/destination match parameters.
admin@CPE1-cli> show orgs org-services AGR class-of-service qos-policies AGR-QoS-Policy rules qos-policy-stats SD_WAN-limit
                     QOS               QOS      QOS       QOS      PPS      PPS      KBPS     KBPS
              QOS    DROP    QOS DROP  FORWARD  FORWARD   SESSION  POLICER  POLICER  POLICER  POLICER
              HIT    PACKET  BYTE      PACKET   BYTE      DENY     PKTS     BYTES    PKTS     BYTES
RULE NAME     COUNT  COUNT   COUNT     COUNT    COUNT     COUNT    DROPPED  DROPPED  DROPPED  DROPPED
--------------------------------------------------------------------------------------------------------
SD_WAN-limit  7      49505   41683210  12911    10854954  0        0        0        49505    41683210  <<< Drops due to policer
vsm-vcsn0> show vsm statistics dropped
DPDK ERROR STATISTICS
~~~~~~~~~~~~~~~~~~~~~
DATAPATH ERROR STATISTICS
~~~~~~~~~~~~~~~~~~~~~~~~~
# Packets Dropped - Filter Lookup Module Action Denied : 10
THRM ERROR STATISTICS
~~~~~~~~~~~~~~~~~~~~~~
NFP ERROR STATISTICS
~~~~~~~~~~~~~~~~~~~~
# Dropped Anchor rate limiting : 102 <<< Drops due to policer
VSF ERROR STATISTICS
~~~~~~~~~~~~~~~~~~~~
VUNET ERROR STATISTICS
~~~~~~~~~~~~~~~~~~~~~~
COS DROPS
~~~~~~~~~~~~~
# Shaper drops : 0