2.2 Traffic Control - Rate limiting

Information

Configuring rate-limiting on Aruba CX switches allows administrators to control the maximum amount of traffic (bandwidth) that can pass through specific interfaces or for specific traffic types. This ensures that no single device or application can consume excessive network resources.

The traffic type specifies the type of ingress traffic to which the rate limit applies: broadcast, multicast, unknown-unicast, or ICMP. The multicast rate limit affects multicast and broadcast traffic. The broadcast rate limit only affects broadcast traffic. When both types are applied to the same interface, broadcast packets are limited to the lower of the two rate values. Layer 2 BPDU packets, like spanning tree, are also included in the multicast rate limit.

The ICMP rate limit can be configured to apply to IPv4, IPv6, or all IP traffic. Only one ICMP rate-limit can be configured at a time. Applying a new ICMP rate-limit replaces any previous ICMP rate-limit.

Specifies the rate limit in kilobits per second, packets per second, or as a percentage of link bandwidth. Range: 64 to 100000000 kbps (in steps of 64 kbps), 64 to 209090910 pps (in steps of 64 pps), or 1-100 percent. The actual rate limit will be approximately equivalent to the minimum of the two step values that are closest to the configured rate (or for percent mode, the kbps-converted rate).

Rate-limiting is implemented to prevent network congestion, mitigate the impact of potential denial-of-service (DoS) attacks, and ensure fair bandwidth allocation among users and applications. It helps maintain optimal network performance and stability.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To configure a rate-limit on an interface -

switch(config)# interface <ID>
switch(config-if)# rate-limit {broadcast|multicast|unknown-unicast|icmp {ip-all|ip|ipv6}} <RATE> {kbps|percent|pps}

Sample configurations -

Limiting broadcast traffic to 2000 pps on interface 1/1/3:

switch(config)# interface 1/1/3
switch(config-if)# rate-limit broadcast 2000 pps

Limiting all ICMP IPv4 traffic to 10000 kbps on interface 1/1/3:

switch(config)# interface 1/1/3
switch(config-if)# rate-limit icmp ip 10000 kbps
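As an added example that is not part of the benchmark or of any Aruba tooling, the script below audits a running-config excerpt against the rate-limit syntax and value ranges described above: it parses `rate-limit` lines per interface, reports interfaces that lack a required traffic type, flags values outside the documented ranges, and notes values that are not on a 64-unit step boundary (the effective rate is rounded to a step value). The config text, the required types and the function names are constructed for this example.

```python
import re

# Constructed AOS-CX running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
interface 1/1/1
    no shutdown
    rate-limit broadcast 512 kbps
    rate-limit icmp ip 9984 kbps
interface 1/1/2
    no shutdown
interface 1/1/3
    rate-limit broadcast 2000 pps
    rate-limit multicast 150 percent
"""

# Allowed ranges and step sizes from the benchmark text, keyed by unit:
# (minimum, maximum, step).
RANGES = {"kbps": (64, 100_000_000, 64), "pps": (64, 209_090_910, 64), "percent": (1, 100, 1)}

RATE_RE = re.compile(
    r"^\s*rate-limit\s+(broadcast|multicast|unknown-unicast|icmp(?:\s+(?:ip-all|ip|ipv6))?)"
    r"\s+(\d+)\s+(kbps|pps|percent)\s*$"
)

def parse_rate_limits(config):
    """Return {interface: [(traffic_type, rate, unit), ...]} from running-config text."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(.+?)\s*$", line)
        if m:  # start of a new interface block
            current = m.group(1)
            result[current] = []
            continue
        m = RATE_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), int(m.group(2)), m.group(3)))
    return result

def audit(config, required=("broadcast", "icmp")):
    """List interfaces missing a required rate-limit type or using out-of-range values."""
    findings = []
    for intf, limits in parse_rate_limits(config).items():
        present = {t.split()[0] for t, _, _ in limits}  # "icmp ip" counts as icmp
        findings += [f"{intf}: no {t} rate-limit configured" for t in required if t not in present]
        for t, rate, unit in limits:
            lo, hi, step = RANGES[unit]
            if not lo <= rate <= hi:
                findings.append(f"{intf}: {t} rate {rate} {unit} outside {lo}-{hi}")
            elif rate % step:
                findings.append(f"{intf}: {t} rate {rate} {unit} is not a multiple of {step}; effective rate is rounded")
    return findings
```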

Impact:

By configuring rate-limiting, organizations can improve network efficiency, protect critical services from being overwhelmed by excessive traffic, and ensure a consistent user experience. This proactive measure enhances both security and operational reliability.

See Also

https://workbench.cisecurity.org/benchmarks/24202

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: ArubaOS

Control ID: 98a5af0c60643e73b8287763b229a61548b067e0f2b79e3ca156944fa16dc1e1