Rate Limiting for Traffic Domains
You can configure rate limiting for traffic domains. The following expression in the Citrix ADC expressions language identifies traffic associated with traffic domains.
- client.traffic_domain.id
You can configure rate limiting for traffic associated with a particular traffic domain, a set of traffic domains, or all traffic domains.
To configure rate limiting for traffic domains, perform the following steps on a Citrix ADC appliance by using the configuration utility or the Citrix ADC command line:
- Configure a stream selector that uses the client.traffic_domain.id expression to identify the traffic, associated with traffic domains, that is to be rate limited.
- Configure a rate limit identifier that specifies parameters such as the maximum threshold for the traffic to be rate limited. You also associate a stream selector with the rate limit identifier in this step.
- Configure an action that you want to associate with the policy that uses the rate limit identifier.
- Configure a policy that uses the sys.check_limit expression prefix to call the rate limit identifier, and associate the action with this policy.
- Bind the policy globally.
Consider an example in which two traffic domains, with IDs 10 and 20, are configured on Citrix ADC NS1. On traffic domain 10, LB1-TD-1 is configured to load balance servers S1 and S2; LB2-TD1 is configured to load balance servers S3 and S4.
On traffic domain 20, LB1-TD-2 is configured to load balance servers S5 and S6; LB2-TD2 is configured to load balance servers S7 and S8.
The following table lists some examples of rate limiting policies for traffic domains in the example setup.
Purpose | CLI commands |
---|---|
Limit the number of requests to 10 per second for each of the traffic domains. | `add stream selector tdratelimit-1 CLIENT.TRAFFIC_DOMAIN.ID`<br>`add ns limitIdentifier limitidf-1 -threshold 10 -selectorName tdratelimit-1 -trapsInTimeSlice 0`<br>`add responder policy ratelimit-pol "sys.check_limit(\"limitidf-1\")" DROP`<br>`bind responder global ratelimit-pol 1` |
Limit the number of requests to 5 per client per second for each of the traffic domains. | `add stream selector tdandclientip CLIENT.IP.SRC,CLIENT.TRAFFIC_DOMAIN.ID`<br>`add ns limitIdentifier td_limitidf -threshold 5 -selectorName tdandclientip -trapsInTimeSlice 5`<br>`add responder policy tdratelimit-pol "sys.check_limit(\"td_limitidf\")" DROP`<br>`bind responder global tdratelimit-pol 2` |
Limit the number of requests sent for a particular traffic domain (for example traffic domain 10) to 30 requests every 3 seconds. | `add stream selector tdratelimit CLIENT.TRAFFIC_DOMAIN.ID`<br>`add ns limitIdentifier td10_limitidf -threshold 30 -timeSlice 3000 -selectorName tdratelimit -trapsInTimeSlice 5`<br>`add responder policy td10ratelimit "client.traffic_domain.id==10 && sys.check_limit(\"td10_limitidf\")" DROP`<br>`bind responder global td10ratelimit 3` |
Limit the number of connections to 5 per client per second for a particular traffic domain (for example traffic domain 20). | `add stream selector tdandclientip CLIENT.IP.SRC CLIENT.TRAFFIC_DOMAIN.ID`<br>`add ns limitIdentifier td20_limitidf -threshold 5 -mode CONNECTION -selectorName tdandclientip -trapsInTimeSlice 5`<br>`add responder policy td20_ratelimit "client.traffic_domain.id==20 && sys.check_limit(\"td20_limitidf\")" DROP`<br>`bind responder global td20_ratelimit 4` |
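
The practical difference between the first two rows of the table, as an added example that is not Citrix code: a simplified fixed-window model in Python in which the selector fields form the counter key. The class, the field names (`td`, `ip`, `t_ms`) and the traffic are constructed for illustration, and the windowing is an assumption, not the appliance's actual algorithm.

```python
from collections import defaultdict


class LimitIdentifier:
    """Simplified fixed-window model of a rate limit identifier (an assumption,
    not Citrix ADC's implementation): one counter per distinct selector value."""

    def __init__(self, selector, threshold, time_slice_ms=1000):
        self.selector = selector          # request fields that form the counter key
        self.threshold = threshold        # requests allowed per key per time slice
        self.time_slice_ms = time_slice_ms
        self.counters = defaultdict(int)  # (key, window index) -> requests seen

    def check_limit(self, request):
        """Return True when this request exceeds the threshold for its key."""
        key = tuple(request[field] for field in self.selector)
        window = request["t_ms"] // self.time_slice_ms
        self.counters[(key, window)] += 1
        return self.counters[(key, window)] > self.threshold


def dropped(limit, requests):
    """Requests that a policy of the form check_limit(...) -> DROP would drop."""
    return [r for r in requests if limit.check_limit(r)]


def sample_traffic():
    """Constructed traffic inside one second: a noisy and a quiet client in
    traffic domain 10, plus the same (overlapping) IP in traffic domain 20."""
    reqs = [{"t_ms": i * 50, "td": 10, "ip": "192.0.2.10"} for i in range(12)]
    reqs += [{"t_ms": 700 + i * 50, "td": 10, "ip": "192.0.2.99"} for i in range(3)]
    reqs += [{"t_ms": i * 100, "td": 20, "ip": "192.0.2.10"} for i in range(4)]
    return sorted(reqs, key=lambda r: r["t_ms"])


if __name__ == "__main__":
    # Row 1: selector CLIENT.TRAFFIC_DOMAIN.ID, threshold 10.
    per_td = dropped(LimitIdentifier(("td",), 10), sample_traffic())
    # Row 2: selector CLIENT.IP.SRC + CLIENT.TRAFFIC_DOMAIN.ID, threshold 5.
    per_client = dropped(LimitIdentifier(("ip", "td"), 5), sample_traffic())
    for name, drops in (("per domain", per_td), ("per client and domain", per_client)):
        print(name, [(r["td"], r["ip"], r["t_ms"]) for r in drops])
```

In this model the per-domain limit drops all three requests from the quiet client because the noisy client has already used the shared budget for traffic domain 10, while the per-client limit drops only the noisy client's excess and counts the same IP address in traffic domain 20 separately.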