Академический Документы
Профессиональный Документы
Культура Документы
Contents
11
13
16
18
20
Rate Limiting
The rate limiting feature enables you to define the maximum load for a given network
entity or virtual entity on the Citrix NetScaler appliance. The feature enables you to
configure the appliance to monitor the rate of traffic associated with the entity and take
preventive action, in real time, based on the traffic rate. This feature is particularly useful
when the network is under attack from a hostile client that is sending the appliance a flood
of requests. You can mitigate the risks that affect the availability of resources to clients,
and you can improve the reliability of the network and the resources that the appliance
manages.
You can monitor and control the rate of traffic that is associated with virtual and
user-defined entities, including virtual servers, URLs, domains, and combinations of URLs
and domains. You can throttle the rate of traffic if it is too high, base information caching
on the traffic rate, and redirect traffic to a given load balancing virtual server if the traffic
rate exceeds a predefined limit. You can apply rate-based monitoring to HTTP, TCP, and
DNS requests.
To monitor the rate of traffic for a given scenario, you configure a rate limit identifier. A
rate limit identifier specifies numeric thresholds such as the maximum number of requests
or connections (of a particular type) that are permitted in a specified time period called a
time slice.
Optionally, you can configure filters, known as stream selectors, and associate them with
rate limit identifiers when you configure the identifiers. After you configure the optional
stream selector and the limit identifier, you must invoke the limit identifier from a default
syntax policy. You can invoke identifiers from any feature in which the identifier may be
useful, including rewrite, responder, DNS, and integrated caching.
You can globally enable and disable SNMP traps for rate limit identifiers. Each trap contains
cumulative data for the rate limit identifier's configured data collection interval (time
slice), unless you specified multiple traps to be generated per time slice. For more
information about configuring SNMP traps and managers, see "SNMP."
http.req.url
http.res.body(1000>after_str(\"car_model\").before_str(\"made_in\")"
"client.ip.src.subnet(24)"
The order in which you specify parameters is significant. For example, if you configure an IP
address and a domain (in that order) in one selector, and then specify the domain and the
IP address (in the reverse order) in another selector, the NetScaler considers these values
to be unique. This can lead to the same transaction being counted twice. Also, if multiple
policies invoke the same selector, the NetScaler, again, can count the same transaction
more than once.
Note: If you modify an expression in a stream selector, you may get an error if any policy
that invokes it is bound to a new policy label or bind point. For example, suppose that
you create a stream selector named myStreamSelector1, invoke it from myLimitID1, and
invoke the identifier from a DNS policy named dnsRateLimit1. If you change the
expression in myStreamSelector1, you might receive an error when binding dnsRateLimit1
to a new bind point. The workaround is to modify these expressions before creating the
policies that invoke them.
> add ns limitIdentifier 100_request_limit -threshold 100 -timeSlice 1000 -mode REQUEST_RATE -limitType BU
Configuring traffic rate limit identifier in SMOOTH mode:
> add ns limitidentifier limit_req -mode request_rate -limitType smooth -timeslice 1000 -Threshold 2000 -tra
An expression that identifies traffic to which the rate limit identifier is applied. For
example:
http.req.url.contains("my_aspx.aspx").
10
sh limitsession myLimitSession
11
12
13
http://<IP of a vserver>/testsite/test.txt
6. At the NetScaler command prompt, type:
show ns limitSessions <limitIdentifier>
Example
14
Action Taken: 0
15
Example
16
17
The first scenario describes the use of a rate-based policy that sends traffic to a new
data center if the rate of DNS requests exceed 1000 per second.
In the second scenario, if more than five DNS requests arrive for a local DNS (LDNS)
client within a particular period, the additional requests are dropped.
18
19
client.traffic_domain.id
You can configure rate limiting for traffic associated with a particular traffic domain, a set
of traffic domains, or all traffic domains.
For configuring rate limiting for traffic domains, you perform the following steps on a
NetScaler appliance by using the configuration utility or the NetScaler command line:
1. Configure a stream selector that uses the client.traffic_domain.id expression for
identifying the traffic, associated with traffic domains, to be rate limited.
2. Configure a rate limit identifier that specifies parameters such as maximum threshold
for traffic to be rate limited. You also associate a stream selector to the rate limiter in
this step.
3. Configure an action that you want to associate with the policy that uses the rate limit
identifier.
4. Configure a policy that uses the sys.check_limit expression prefix to call the rate limit
identifier, and associate the action with this policy.
5. Bind the policy globally.
Consider an example in which two traffic domains, with IDs 10 and 20, are configured on
NetScaler ADC NS1. On traffic domain 10, LB1-TD-1 is configured to load balance servers S1
and S2; LB2-TD1 is configured to load balance servers S3 and S4.
On traffic domain 20, LB1-TD-2 is configured to load balance servers S5 and S6; LB2-TD2 is
configured to load balance servers S7 and S8.
The following table lists some examples of rate limiting policies for traffic domains in the
example setup.
20
Purpose
CLI commands
21