From: gladston@br.ibm.com
Date: Tue May 24 2005 - 11:35:36 GMT-3
If there is an access-list IN on the same interface where there is a rate-limit, packets matched by the security access-list are not matched by the rate-limit access-list.
Have you seen that?

interface Ethernet0/0
 ip address 142.20.44.4 255.255.255.0
 ip access-group 150 in
 ip directed-broadcast
 ip multicast helper-map broadcast 229.1.1.1 110
 max-reserved-bandwidth 90
 service-policy output Qos
 rate-limit input access-group 121 512000 64000 96000 conform-action continue exceed-action drop
 rate-limit input access-group 122 64000 8000 12000 conform-action transmit exceed-action drop
 rate-limit input access-group 123 32000 4000 6000 conform-action transmit exceed-action drop
 ntp multicast 229.2.2.2
 ipv6 address 2001:1:1:4::4/64
 ipv6 address FEC0:2E3D:5B7C:4::4/64
 ipv6 nd suppress-ra

Rack2R4(config)#int e 0/0
Rack2R4(config-if)#no ip access-group 150 in
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (20 matches)
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (25 matches)
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (29 matches)
Rack2R4(config-if)#do sh int e 0/0 rat
Ethernet0/0
  Input
    matches: access-group 121
      params: 512000 bps, 64000 limit, 96000 extended limit
      conformed 103 packets, 114646 bytes; action: continue
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 257ms ago, current burst: 0 bytes
      last cleared 00:47:56 ago, conformed 0 bps, exceeded 0 bps
    matches: access-group 122
      params: 64000 bps, 8000 limit, 12000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 10281010ms ago, current burst: 0 bytes
      last cleared 00:47:14 ago, conformed 0 bps, exceeded 0 bps
    matches: access-group 123
      params: 32000 bps, 4000 limit, 6000 extended limit
      conformed 66 packets, 99924 bytes; action: transmit
      exceeded 8 packets, 12112 bytes; action: drop
      last packet: 261ms ago, current burst: 3882 bytes
      last cleared 00:46:39 ago, conformed 0 bps, exceeded 0 bps
Rack2R4(config-if)# ip access-group 150 in
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (97 matches)
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (97 matches)
Rack2R4(config-if)#do sh access-list 150
Extended IP access list 150
    10 permit tcp any any established
    20 permit tcp any any log-input
    30 permit icmp any any echo log-input (1491 matches)
    40 permit ip any any (305 matches)
Rack2R4(config-if)#do sh access-list 150
Extended IP access list 150
    10 permit tcp any any established
    20 permit tcp any any log-input
    30 permit icmp any any echo log-input (1499 matches)
    40 permit ip any any (305 matches)
Rack2R4(config-if)#do sh access-list 150
Extended IP access list 150
    10 permit tcp any any established
    20 permit tcp any any log-input
    30 permit icmp any any echo log-input (1518 matches)
    40 permit ip any any (305 matches)
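
Added example, not part of the original message: a small parser that reads repeated `show access-list` output and reports which entries are still counting, so the comparison made above can be repeated on any capture. The sample text is constructed from the counters in the message (prompts dropped, ACL 150 reduced to its first and last reading), and the function names are hypothetical.

```python
import re

# Constructed samples built from the counters in the message (prompts dropped).
WITHOUT_150 = """\
Extended IP access list 123
    10 permit icmp any any (20 matches)
Extended IP access list 123
    10 permit icmp any any (25 matches)
Extended IP access list 123
    10 permit icmp any any (29 matches)
"""
WITH_150 = """\
Extended IP access list 123
    10 permit icmp any any (97 matches)
Extended IP access list 123
    10 permit icmp any any (97 matches)
Extended IP access list 150
    10 permit tcp any any established
    20 permit tcp any any log-input
    30 permit icmp any any echo log-input (1491 matches)
    40 permit ip any any (305 matches)
Extended IP access list 150
    10 permit tcp any any established
    20 permit tcp any any log-input
    30 permit icmp any any echo log-input (1518 matches)
    40 permit ip any any (305 matches)
"""
HDR = re.compile(r"^Extended IP access list (\S+)")
ACE = re.compile(r"^\s*(\d+)\s+.*?(?:\((\d+) match(?:es)?\))?\s*$")

def counters(text):
    """Map (acl, sequence) -> hit counts in sample order; no counter means 0."""
    series, acl = {}, None
    for line in text.splitlines():
        if m := HDR.match(line):
            acl = m.group(1)
        elif (m := ACE.match(line)) and acl:
            series.setdefault((acl, int(m.group(1))), []).append(int(m.group(2) or 0))
        else:
            acl = None  # a prompt or other output ends the ACL block
    return series

def deltas(text):
    """Change in each entry's counter between its first and last sample."""
    return {k: v[-1] - v[0] for k, v in counters(text).items() if len(v) > 1}

def stalled(text):
    """Entries that had hits before sampling began but gained none during it."""
    return sorted(k for k, v in counters(text).items() if len(v) > 1 and 0 < v[0] == v[-1])
```

On the second sample, a zero delta for ACL 123 entry 10 next to a rising counter on ACL 150 entry 30 is the pattern the message reports.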