From: Allan Wells (wellse@bigpond.net.au)
Date: Fri Apr 09 2004 - 10:43:32 GMT-3
Hello all,
I'm working on some policing/marking exercises in the lab and want to validate
what the optimum method is for marking and policing traffic. I have tried two
methods, described below, and perhaps there are better ways. For me they both
work and appear to achieve the same result, except that with rate-limit on the
interface the packet size for ping was 3800 bytes, whereas with policy-map only 959-byte
packets were successful. Why is this? The policies were the same for policing.
Both use bits for CIR and bytes for burst when configuring.
But basically my question "?" is: which method should I use if asked to
perform such a task in the lab? Are both methods OK, or is there some
limitation someone sees that I don't?
###################--Test 1: rate-limit and mark certain traffic--##########################
-----------------------------------The Topology-----------------------------------
|PC_HOST|----------EthSegment---------R1------------frpvc-----------------R3
1.1.1.10/24                 .1/24   10.1.1.1/30                  .2/30
############################################################################################
Router 1
The first pings below are from host 1.1.1.10 to R3/s1 10.1.1.2, with
access-group 1 used in the rate-limit statement (see below) on R1.
The access-list is set for "permit ip host 1.1.1.9", so the source host I'm using,
1.1.1.10, isn't being used/affected by the rate-limit access-group blah blah,
so traffic isn't subject to any policy and just goes about its business
normally : )
Router 1 Ethernet 0
interface Ethernet0
 ip address 1.1.1.1 255.255.255.0
 rate-limit input access-group 1 8000 1500 2000 conform-action set-prec-transmit 5 exceed-action drop
 bridge-group 1
Pinging 10.1.1.2 with 14000 bytes of data:
Reply from 10.1.1.2: bytes=14000 time=133ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=129ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=129ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
######### An access-list entry on R3 serial shows the access-list being matched for ip.
######### Nothing shows for this ENTRY ---> permit ip host 1.1.1.10 any precedence critical log
######### BECAUSE THE ACCESS-LIST ON R1 DOESN'T SPECIFY 1.1.1.10 AT THIS STAGE
$$ I wasn't positive if any other traffic would pass through unaffected; that's why
I did this. $$
Extended IP access list 199
permit ip host 1.1.1.10 any precedence critical log
permit ip any any (970 matches)
******************************************************
Now I add an access-list 1 entry on R1 & continue the ping ---> now policing
and marking kicks in.
-------------BEFORE---------------- access-list 1 permit 1.1.1.9
-----------> ADD this entry ------> access-list 1 permit 1.1.1.10 "MY-PC"
Reply from 10.1.1.2: bytes=14000 time=131ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=129ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=132ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254
Reply from 10.1.1.2: bytes=14000 time=129ms TTL=254
Request timed out.
Request timed out.
I COULD PING WITH PKT SIZE UP TO 3800 BYTES WITH SUCCESS
Request timed out.
Request timed out.
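The question the post raises is how the rate-limit parameters (8000 bit/s CIR, 1500-byte normal burst) bound the size of a ping that gets through. The following is an added example, not code from the post or from Cisco: a constructed single-rate token-bucket policer that meters IP-fragmented echo requests and applies the post's conform action (precedence 5, the "critical" value the ACL on R3 logs). It assumes an Ethernet MTU of 1500 (so large pings are fragmented before the policer sees them), fragments sent back to back at 10 Mb/s, and one echo per second; it models only the normal burst, so CAR's extended burst (the 2000 in the rate-limit line) and the borrowing it permits are deliberately left out.

```python
"""Constructed single-rate token-bucket policer model (added example, not Cisco code).

Assumptions (not from the original post): ICMP echo over Ethernet with a 1500-byte
MTU, so large pings are IP-fragmented before they reach the policer; fragments of one
echo are sent back to back (~1.2 ms apart at 10 Mb/s); echoes are sent once per second.
Only the normal burst (Bc) is modelled; CAR's extended burst (the 2000 in the post)
and its debt-based borrowing are deliberately left out.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ETH_MTU = 1500       # bytes, assumed Ethernet MTU
IP_HDR = 20          # bytes, IPv4 header without options
ICMP_HDR = 8         # bytes, ICMP echo header
SERIAL_GAP = 0.0012  # seconds between back-to-back 1500-byte frames at 10 Mb/s (assumed)


def fragment_sizes(icmp_payload: int, mtu: int = ETH_MTU) -> List[int]:
    """On-wire IP packet sizes for an ICMP echo carrying `icmp_payload` data bytes.

    Each non-final fragment carries the largest multiple of 8 bytes that fits in the
    MTU after the IP header (1480 for a 1500-byte MTU); the last one carries the rest.
    """
    remaining = ICMP_HDR + icmp_payload
    per_fragment = (mtu - IP_HDR) // 8 * 8
    sizes = []
    while remaining > 0:
        chunk = min(per_fragment, remaining)
        sizes.append(IP_HDR + chunk)
        remaining -= chunk
    return sizes


@dataclass
class TokenBucketPolicer:
    """Single-rate policer: bucket of bc_bytes, refilled at cir_bps, no extended burst.

    conform_prec is the IP precedence written by the conform action (5 = critical,
    the value the post's rate-limit sets and the ACL on R3 logs).
    """
    cir_bps: int
    bc_bytes: int
    conform_prec: int = 5
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)  # bucket starts full

    def police(self, size: int, t: float) -> Tuple[str, int]:
        """Meter one packet of `size` bytes arriving at time `t` (seconds).

        Returns ('transmit', precedence) for a conforming packet and ('drop', -1)
        for an exceeding one. Only conforming packets consume tokens.
        """
        refill = (t - self.last_t) * self.cir_bps / 8  # bits/s -> bytes
        self.tokens = min(float(self.bc_bytes), self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return ("transmit", self.conform_prec)
        return ("drop", -1)


def simulate_ping(payload: int, policer: TokenBucketPolicer,
                  count: int = 5, interval: float = 1.0) -> List[bool]:
    """Send `count` echoes of `payload` bytes, one every `interval` seconds.

    An echo succeeds only if every one of its fragments conforms, because the
    receiver cannot reassemble a datagram with a fragment missing. Every fragment
    is still offered to the policer after one is dropped, as on a real link.
    """
    results = []
    for i in range(count):
        t = i * interval
        delivered = True
        for size in fragment_sizes(payload):
            action, _ = policer.police(size, t)
            delivered = delivered and action == "transmit"
            t += SERIAL_GAP
        results.append(delivered)
    return results


if __name__ == "__main__":
    # The post's rate-limit: 8000 bit/s CIR (1000 bytes/s) and 1500-byte normal burst.
    for payload in (959, 1400, 3800, 14000):
        outcome = simulate_ping(payload, TokenBucketPolicer(cir_bps=8000, bc_bytes=1500))
        print(f"{payload:6d}-byte ping -> {len(fragment_sizes(payload))} fragment(s), "
              f"delivered: {outcome}")
```

In this model a 959-byte ping is a single 987-byte packet that always fits the 1500-byte bucket, a 1400-byte ping alternates between conform and drop because the 1000 bytes/s refill cannot restore a 1428-byte drain within one second, and a 14000-byte ping (ten fragments) can never be delivered because only the first fragment finds tokens. The 3800-byte ping the lab passed also fails here; the borrowing that the extended burst permits is exactly the part of CAR the model leaves out, so that lab result lies outside what it reproduces.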
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:44 GMT-3