Recently, I've been working on applications based on VPP's flow-per-packet plugin, which lets us send per-packet IPFIX records from VPP. The first thought that came to my mind was that we could analyse traffic peaks to find the 'top-talker' flows in VPP. After that, we could use VPP's policer API to limit the bandwidth of these flows to control congestion or stop DDoS attacks. The process looks like this (for example):
1. We have found that source IP 192.168.1.2 is sending too much traffic via interface 0 on VPP.
2. First we configure a simple 1r2c policer in VPP:
'configure policer name policy1 type 1r2c cir 450 cb 50000 rate kbps closest conform-action transmit exceed-action drop'
3. After that, we configure a classifier table and session with 'policer-hit-next':
'classify table mask l3 ip4 src'
'classify session policer-hit-next policy1 exceed-color table-index 0 match l3 ip4 src 192.168.1.2'
4. Finally, apply the classifier table to the interface:
'set policer classify interface 0 ip4-table 0'
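To make the policing decision in the steps above concrete, here is an added Python model of the 1r2c policer (cir 450 kbps, cb 50000 bytes) fed by a classifier session that matches on IPv4 source 192.168.1.2; this is illustrative code, not VPP's or hc2vpp's implementation, and the packet trace is constructed.

```python
"""Added model of the VPP 1r2c policer + src-IP classifier flow above.
Not VPP or hc2vpp code; the packet trace below is constructed."""
from dataclasses import dataclass, field
from collections import Counter


@dataclass
class Policer1r2c:
    """Single-rate, two-colour policer: one bucket of cb bytes refilled at cir."""
    cir_kbps: int          # committed information rate ('rate kbps' in the CLI)
    cb_bytes: int          # committed burst: bucket depth in bytes
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.cb_bytes)      # bucket starts full

    def police(self, ts: float, length: int) -> str:
        # Refill in proportion to elapsed time, never above the burst size.
        refill = (ts - self.last_ts) * self.cir_kbps * 1000 / 8
        self.tokens = min(float(self.cb_bytes), self.tokens + refill)
        self.last_ts = ts
        if length <= self.tokens:               # conform-action transmit
            self.tokens -= length
            return "transmit"
        return "drop"                           # exceed-action drop


def simulate(packets, policer, policed_src):
    """Apply a 'classify session ... match l3 ip4 src <policed_src>' that
    steers hits to the policer; non-matching packets are forwarded untouched."""
    verdicts = Counter()
    for ts, src, length in packets:
        if src == policed_src:
            verdicts[policer.police(ts, length)] += 1
        else:
            verdicts["unclassified"] += 1
    return verdicts


def demo():
    # Constructed trace: a 100 x 1500-byte burst from the top talker at t=0,
    # one packet from another host, then one more packet a second later.
    trace = [(0.0, "192.168.1.2", 1500)] * 100
    trace += [(0.0, "10.0.0.5", 1500), (1.0, "192.168.1.2", 1500)]
    policer = Policer1r2c(cir_kbps=450, cb_bytes=50000)   # values from the CLI above
    return simulate(trace, policer, "192.168.1.2")


if __name__ == "__main__":
    print(dict(demo()))   # {'transmit': 34, 'drop': 67, 'unclassified': 1}
```

Only the first 33 packets of the burst fit in the 50000-byte bucket; the rest are dropped until the bucket refills, while the packet from the other host never reaches the policer.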
However, I've noticed that HC currently only supports the classifier, so the above steps have to be done via ssh commands, which is not ideal, especially if you are doing all other configuration via HC. I believe policer support will enhance the classifier functionality currently supported in HC, which can be of use in a lot of other scenarios as well. Proposed changes:
1. YANG model for policer configuration. API reference: vnet/policer/policer.h
2. Add 'policer-hit-next' case to current classify YANG model. API reference: vnet/classify/vnet_classify.h
3. Add 'set policer classify' case to current classify YANG model. API reference:
4. Implementation to support the above YANG models in v3po2vpp.
5553,9 | HC2VPP-39: yang model for policer configuration in VPP | master | hc2vpp | Status: MERGED | +2 | +1
5809,1 | HC2VPP-39: policer postman collection | master | hc2vpp | Status: MERGED | +2 | +1