From: Allan Wells (wellse@bigpond.net.au)
Date: Fri Apr 09 2004 - 10:54:22 GMT-3
For the policy map: class-map match-all a actually matched an access-list, and I had precedence being set. It was getting late and I cut and pasted the wrong info, but the result is accurate.
----- Original Message -----
From: "Allan Wells" <wellse@bigpond.net.au>
To: <ccielab@groupstudy.com>
Sent: Friday, April 09, 2004 11:43 PM
Subject: rate-limiting and mark traffic question
> Hello all,
> I'm working on some policing/marking exercises in the lab and want to
> validate what the optimum method is for marking and policing traffic. I have
> tried two methods, described below, and perhaps there are better ways. For
> me they both work and appear to achieve the same result, except that with
> rate-limit on the interface the pkt size for ping was 3800 bytes, while with
> the policy-map only 959-byte pkts were successful. Why is this? The policies
> were the same for policing. Both use bits for cir and bytes for burst when
> configuring.
>
> 1. But basically my question "?" is which method should I use if asked to
> perform such a task in the lab. Are both methods ok, or is there some
> limitation someone sees that I don't?
>
> ###################--Test 1 rate-limit and mark certain-traffic--##########################
>
> -----------------------------------THE-Topolgy----------------------------
--- > ------------ > > |PC_HOST|----------EThSegment---------R1------------frpvc-----------------R3 > 1.1.1.10/24 .1/24 10.1.1.1/30 > .2/30 > > ############################################################################ # > ############### > > Router 1 > > > This first ping/s below is from host 1.1.1.10 to R3/s1 10.1.1.2 with the > access-group 1 used with rate-limit statement(see-below) on R1. > > The access-ist is set for permitip host 1.1.1.9 so this source host i'm using > 1.1.1.10 isnt being used/effeceted by the rate-limit access-grooup blah blah > so traffic isnt subject to any policy and justs goes about its business > normally : ) > > Router1 ethernet 0 > > interface Ethernet0 > ip address 1.1.1.1 255.255.255.0 > rate-limit input access-group 1 8000 1500 2000 conform-action > set-prec-transmit 5 exceed-action drop > bridge-group 1 > > > > Pinging 10.1.1.2 with 14000 bytes of data: > > Reply from 10.1.1.2: bytes=14000 time=133ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=129ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=129ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > > #########An access-list entry on R3 serial shows the access-list being matched > for ip > #########Nothing shows for this ENTRY--->permit ip host 1.1.1.10 any > precedence critical log > #########BECAUSE THE ACCESS-LIST ON R1 DOESNT SPECIFY 1.1.1.10 AT THis STAGE > > $$I wasnt positive if any other traffic would pass through unafected thats why > i did this.$$ > > Extended IP access list 199 > permit ip host 1.1.1.10 any precedence 
critical log > permit ip any any (970 matches) > > ****************************************************** > NOw I Add an access-list 1 entry ON R1 & CONTINUE THE PING---> now policing > and marking kicks in. > -------------BEFORE----------------access-list 1 permit 1.1.1.9 > -----------> ADD this entry ------>access-list 1 permit 1.1.1.10 "MY-PC" > > Reply from 10.1.1.2: bytes=14000 time=131ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=129ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=132ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=129ms TTL=254 > Request timed out. > Request timed out.I COULD PING WITH PKT SiZE UP TO 3800BYTES WITH SUCCESS > Request timed out. > Request timed out. > ____________________________________________________________________ > > I REDUCE the ping pkt size to 1400bytes from 14000 then go to r3 and sh > accesslist 199 > THERE are matches against precedence entry on the access-list applied to R3 > serial interface for me this "validates" the prec is being set by r1 for host > 1.1.1.10 ping packets I already know the rate-limit is working as above. > > > ####Extended IP access list 199 > ####permit ip host 1.1.1.10 any precedence critical log (13 matches) > ####permit ip any any (1 match) > > #################cmd window on host 1.1.1.10 ################ > > Reply from 10.1.1.2: bytes=1400 time=21ms TTL=254 > Reply from 10.1.1.2: bytes=1400 time=21ms TTL=254 > Reply from 10.1.1.2: bytes=1400 time=21ms TTL=254 > Reply from 10.1.1.2: bytes=1400 time=21ms TTL=254 > Reply from 10.1.1.2: bytes=1400 time=21ms TTL=254 > Request timed out. 
> Reply from 10.1.1.2: bytes=1400 time=22ms TTL=254 > Reply from 10.1.1.2: bytes=1400 time=21ms TTL=254 > Reply from 10.1.1.2: bytes=1400 time=21ms TTL=254 > > Ok so that work fine and I can use multiple rate-limit statments with > different access-groups if i wanted to match other criteria > > ############################################################################ # > ############### > -------------The next test is using policy-maps to do the same > task---------------- > ############################################################################ # > ############### > > -----------------------------R1 ethernet apply policy-map > ab------------------------------ > > class-map match-all a > match ip precedence 5 > class-map match-all b > match any > > policy-map ab > class a > police 8000 1500 1500 conform-action drop exceed-action drop > class b > > Before apply policy ping test to R3 > Pinging 10.1.1.2 with 14000 bytes of data: > > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > Reply from 10.1.1.2: bytes=14000 time=130ms TTL=254 > > after policy applied to eth0 > > ##################interface Ethernet0 > #################ip address 1.1.1.1 255.255.255.0 > #################service-policy input ab > #################bridge-group 1 > > the largest pkt allowed was 958bytes!! with rate-limit on iterface eth0 in 1st > example above it was 3800 ! before it would fail. WHY IS THIS ? 
> > Pinging 10.1.1.2 with 958 bytes of data: > > Reply from 10.1.1.2: bytes=958 time=16ms TTL=254 > Reply from 10.1.1.2: bytes=958 time=15ms TTL=254 > > SHOW POLICY-MAP INT ETH0 > ###############THE EXCEEDED BELOW PKTS WERE ALL PINGS OVER 958BYTES ######### > > Service-policy input: ab > > Class-map: a (match-all) > 151 packets, 154988 bytes > 5 minute offered rate 7000 bps, drop rate 1000 bps > Match: access-group 1 > police: > cir 8000 bps, bc 1000 bytes > conformed 116 packets, 106793 bytes; actions: > set-prec-transmit 5 > -------> exceeded 35 packets, 48195 bytes; actions: > drop > conformed 4000 bps, exceed 1000 bps > > Class-map: b (match-all) > 0 packets, 0 bytes > 5 minute offered rate 0 bps > Match: any > > Class-map: class-default (match-any) > 0 packets, 0 bytes > 5 minute offered rate 0 bps, drop rate 0 bps > Match: any > > on R3 validate precedence with access-list matches > > r3#clea access-l coun 199 > Extended IP access list 199 > permit ip host 1.1.1.10 any precedence critical log (90 > matches)<-------matching!! > permit ip any any (9 matches) > > Conclusion achieved the same thing though viewed different behaviour with the > ping pkt sizes > > _______________________________________________________________________ > Please help support GroupStudy by purchasing your study materials from: > http://shop.groupstudy.com > > Subscription information may be found at: > http://www.groupstudy.com/list/CCIELab.html
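The question the post raises (why the MQC policer stops at a 958-byte ping while CAR on the same interface passes much larger fragmented pings) comes down to token-bucket arithmetic, and a small model makes it concrete. The Python below is an added example, not code from the post, from GroupStudy or from Cisco. It fragments an ICMP echo the way an Ethernet host would, feeds the fragment train through a single-rate two-colour policer (the `police <cir> <bc>` case) and a CAR-style policer that approximates the compounded-debt extended-burst rule Cisco documents for `rate-limit`, and searches for the largest ping whose every fragment conforms. The 14-byte Ethernet header counted by the MQC policer, the 10 Mb/s host segment and the back-to-back fragment timing are assumptions made for the illustration. With bc = 1000 bytes, the value in the `show policy-map interface` output, and the L2 header counted, the two-colour model's largest passing ping is exactly 958 data bytes (958 + 8 ICMP + 20 IP + 14 Ethernet = 1000), and no fragment larger than bc can ever conform at any offered rate, because a two-colour policer has nothing to borrow from. The extended-burst model lets the second full-size fragment borrow tokens and passes pings up to 2952 data bytes with `8000 1500 2000`; the post reports 3800, so treat that half as an illustration of the borrowing mechanism rather than a reproduction of the platform's exact accounting. The practical check either way: a policer whose bc is below the largest frame you expect drops every full-size packet in the matched class, whatever rate it is offered, so compare bc with the MTU (plus any L2 overhead the platform counts) before relying on it as a flood control.

```python
"""Token-bucket policer model: an added example, not code from the post or Cisco.

Fragments an ICMP echo the way an Ethernet host would, then feeds the fragment
train through two policer models and reports whether every fragment conforms.
The 14-byte Ethernet header, the 10 Mb/s line rate and back-to-back fragment
arrival are assumptions made for this illustration.
"""

IP_HDR = 20                  # IPv4 header, no options
ICMP_HDR = 8                 # ICMP echo header
ETH_HDR = 14                 # assumed L2 overhead counted by the MQC policer
MTU = 1500                   # Ethernet IP MTU
LINE_RATE_BPS = 10_000_000   # assumed 10 Mb/s host segment


def fragment_sizes(ping_data_bytes, mtu=MTU):
    """IP total lengths of the fragments one echo request splits into.
    Every fragment payload except the last is a multiple of 8 bytes."""
    remaining = ICMP_HDR + ping_data_bytes
    max_payload = (mtu - IP_HDR) // 8 * 8        # 1480 bytes for a 1500 MTU
    sizes = []
    while remaining > 0:
        chunk = min(max_payload, remaining)
        sizes.append(IP_HDR + chunk)
        remaining -= chunk
    return sizes


class _Bucket:
    """Shared token-bucket bookkeeping: bucket starts full, refills at cir."""

    def __init__(self, cir_bps, bc_bytes, count_l2=True):
        self.cir_bps = cir_bps
        self.bc_bytes = bc_bytes
        self.count_l2 = count_l2
        self.tokens = float(bc_bytes)
        self.last_t = 0.0

    def _arrive(self, ip_len, t):
        """Refill for the elapsed time and return the size the policer charges."""
        self.tokens = min(self.bc_bytes, self.tokens + (t - self.last_t) * self.cir_bps / 8)
        self.last_t = t
        return ip_len + (ETH_HDR if self.count_l2 else 0)


class TwoColorPolicer(_Bucket):
    """Single-rate two-colour policer, like MQC `police <cir> <bc>` with
    conform-action transmit / exceed-action drop: a packet conforms only if
    the bucket holds at least its size in tokens, so nothing larger than bc
    can ever conform."""

    def offer(self, ip_len, t):
        size = self._arrive(ip_len, t)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                                  # exceeded: dropped


class ExtendedBurstPolicer(_Bucket):
    """CAR-style `rate-limit <bps> <normal> <extended>` approximated with the
    compounded-debt rule Cisco documents for CAR: a packet may borrow tokens
    (driving the bucket negative) while the sum of actual debts since the
    last drop stays within the extended burst; a drop resets that sum."""

    def __init__(self, cir_bps, bc_bytes, be_bytes, count_l2=False):
        super().__init__(cir_bps, bc_bytes, count_l2)
        self.be_bytes = be_bytes
        self.compounded_debt = 0.0

    def offer(self, ip_len, t):
        size = self._arrive(ip_len, t)
        if size <= self.tokens:
            self.tokens -= size
            return True
        actual_debt = size - self.tokens              # tokens owed once sent
        if self.compounded_debt + actual_debt > self.be_bytes:
            self.compounded_debt = 0.0
            return False
        self.compounded_debt += actual_debt
        self.tokens -= size                           # bucket goes negative
        return True


def ping_passes(policer, ping_data_bytes):
    """True if every fragment of one echo request conforms. Fragments leave the
    host back to back at line rate, so the bucket barely refills between them;
    one lost fragment means the reply never comes back."""
    t = 0.0
    for ip_len in fragment_sizes(ping_data_bytes):
        if not policer.offer(ip_len, t):
            return False
        t += (ip_len + ETH_HDR) * 8 / LINE_RATE_BPS
    return True


def largest_passing_ping(make_policer, upper=16000):
    """Largest ping data size whose whole echo passes a fresh policer
    (full bucket, no debt), searched over 0..upper."""
    return max((n for n in range(upper + 1) if ping_passes(make_policer(), n)), default=-1)


if __name__ == "__main__":
    cases = {
        "police 8000 bc 1000, L2 counted": lambda: TwoColorPolicer(8000, 1000),
        "police 8000 bc 1000, IP only":    lambda: TwoColorPolicer(8000, 1000, count_l2=False),
        "police 8000 bc 1500, L2 counted": lambda: TwoColorPolicer(8000, 1500),
        "rate-limit 8000 1500 2000":       lambda: ExtendedBurstPolicer(8000, 1500, 2000),
    }
    for name, make in cases.items():
        print(f"{name:34s} largest passing ping = {largest_passing_ping(make)} data bytes")
```

Running it prints the largest passing ping for each configuration; the `count_l2` flag is there so the same model can be rerun without L2 accounting (972 bytes for bc 1000), which is the quickest way to see whether a platform charges framing bytes against the bucket.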
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:44 GMT-3