Traffic limiting policy is not working due to the wrong direction in USG5500

Publication Date:  2014-11-27
Issue Description
A customer reported that they were trying to configure traffic limiting policies with a "PER-IP CAR Policy", but the policies did not work.
This is the topology:

After finishing the configuration, the customer found that some traffic hit the traffic-policy, but the download speed was not limited to 1 Mbps: it was 8.42 MB/s even though the traffic policy was being hit.

The following is the related configuration:
#
ip address-set extplxv00013 type object
address 0 10.191.22.20 mask 32
#
#
car-class traffic_class_a type per-ip
connection-number 100
car max 1024 guaranteed 512  // the max speed is limited to 1024 kbps = 1 Mbps
#
traffic-policy interzone dmz_external untrust outbound per-ip
policy 0
  action car
  policy source address-set extplxv00013
  policy car-type source-ip
  policy car-class traffic_class_a
#

Alarm Information
None
Handling Process
(1) The traffic policy is based on the direction of the traffic, regardless of which server originated the connection. In this case we asked the customer several times about the traffic direction, and the customer replied that the inner server extplxv00013 was the originating server; we could not get a clear answer from the customer.
(2) We analyzed the test method that the customer used:
user01.test@EXTPLXV00013:/tmp$ wget http://releases.xxx.com/14.10/14.10-desktop-test.iso
……
Saving to: ‘14.10-desktop-test.iso’
     6% [======>] 79.637.792  8,42M/s


The wget command above shows that the customer was downloading this ISO from a server on the Internet and saving it on the local server EXTPLXV00013, which is the opposite of what the customer had said. After confirming with the customer again, we got the correct topology and requirement as follows:


That was why the previous traffic limiting policy did not work: the customer misunderstood the usage of traffic-policy. He thought that because the inner server EXTPLXV00013 originated the download, the traffic policy should be applied in the outbound direction. The bulk of the download traffic, however, flows from untrust into dmz_external, which is the inbound direction of this interzone.
(3) After we got the clear topology, we changed the configuration as below. The traffic limiting policy then worked, and the download speed was limited to 1 Mbps.
traffic-policy interzone dmz_external untrust inbound per-ip  // the direction is inbound
policy 0
  action car
  policy destination address-set extplxv00013  // only one destination IP
  policy car-type destination-ip               // car-type is destination ip
  policy car-class traffic_class_a
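To make the direction point concrete, here is an added model written for this article (not Huawei code and not taken from the USG5500): it judges a packet's direction by zone, checks the configured address-set against the source or destination address, and picks the IP the per-IP CAR counts under. The zone names, address set and both policies are the ones from this case; the Internet host address 203.0.113.10, the packet sizes and the way direction is evaluated per packet are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of an interzone per-IP traffic-policy. Assumption: direction is
# judged per packet by zone; "outbound" = first-named zone -> second, "inbound" = reverse.
@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    size: int  # bytes

@dataclass(frozen=True)
class PerIpPolicy:
    zone_a: str         # first zone in "traffic-policy interzone", e.g. dmz_external
    zone_b: str         # second zone, e.g. untrust
    direction: str      # "outbound" (zone_a -> zone_b) or "inbound" (zone_b -> zone_a)
    match_field: str    # address the address-set is checked against: "source"/"destination"
    address_set: tuple  # CIDR strings, e.g. ("10.191.22.20/32",)
    car_type: str       # IP the CAR counts under: "source-ip" or "destination-ip"

    def car_key(self, pkt: Packet):
        """Per-IP CAR key this packet is counted under, or None if the policy is not hit."""
        wanted = (self.zone_a, self.zone_b) if self.direction == "outbound" else (self.zone_b, self.zone_a)
        if (pkt.src_zone, pkt.dst_zone) != wanted:
            return None  # packet travels in the other direction: policy never sees it
        checked = pkt.src_ip if self.match_field == "source" else pkt.dst_ip
        if not any(ip_address(checked) in ip_network(net) for net in self.address_set):
            return None
        return pkt.src_ip if self.car_type == "source-ip" else pkt.dst_ip

def limited_bytes(policy: PerIpPolicy, packets) -> dict:
    """Total bytes per CAR key that the policy would actually pass through the CAR."""
    totals: dict = {}
    for pkt in packets:
        key = policy.car_key(pkt)
        if key is not None:
            totals[key] = totals.get(key, 0) + pkt.size
    return totals

# Constructed wget session: one small HTTP request leaves the DMZ server, then the
# ISO streams back from the Internet host (203.0.113.10 is a placeholder address).
SERVER, INTERNET = "10.191.22.20", "203.0.113.10"
DOWNLOAD = [Packet("dmz_external", "untrust", SERVER, INTERNET, 600)] + \
           [Packet("untrust", "dmz_external", INTERNET, SERVER, 1500)] * 1000

# The customer's original policy and the corrected one from this case.
WRONG = PerIpPolicy("dmz_external", "untrust", "outbound", "source", (SERVER + "/32",), "source-ip")
RIGHT = PerIpPolicy("dmz_external", "untrust", "inbound", "destination", (SERVER + "/32",), "destination-ip")
```

Run against the constructed session, the original outbound policy only counts the small request packets (600 bytes), which matches the symptom of the policy being hit without the download being limited, while the inbound policy counts the 1.5 MB of download data under the server's address.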


Root Cause
(1) The traffic policy was applied in the wrong direction.
Solution
After the configuration was changed as below, the traffic limiting policy worked and the download speed was limited to 1 Mbps.
traffic-policy interzone dmz_external untrust inbound per-ip  // the direction is inbound
policy 0
  action car
  policy destination address-set extplxv00013  // only one destination IP
  policy car-type destination-ip               // car-type is destination ip
  policy car-class traffic_class_a

Suggestions
A given traffic limiting policy only takes effect in one direction. When you configure per-IP traffic limiting, use the traffic direction to control and manage the traffic. That is, the direction in which the traffic you want to limit actually flows determines the direction in which you apply the traffic limiting policy, regardless of which side initiated the session.
