Re: Bug with Rate-limit and Access-list

From: Mark Lasarko (mlasarko@co.ba.md.us)
Date: Wed May 25 2005 - 12:59:32 GMT-3


Greetings Gladston,

I had not seen any replies, so I thought maybe I'd arp for it again...
Anyone?

Logic tells me that this is not a bug at all.
I would suspect the ACL is being processed prior to the rate-limit
(obviously); I am just not sure where.

To expand on that comment:
I seem to recall NAT happens first, before anything.

Next, we are either policy routed or not.

Then the path continues as offsets, distance, etc... are applied.

Then on to the incoming routing process and other selection criteria.

With all the options available, I am just not sure where the rate-limit
happens.
Anyone?
~M

>>> <gladston@br.ibm.com> 05/24/05 10:35 AM >>>

If there is an access-list IN on the same interface where there is a
rate-limit, packets matched by the security access-list are not matched by the
rate-limit access-list.

Have you seen that?

interface Ethernet0/0
ip address 142.20.44.4 255.255.255.0
ip access-group 150 in
ip directed-broadcast
ip multicast helper-map broadcast 229.1.1.1 110
max-reserved-bandwidth 90
service-policy output Qos
rate-limit input access-group 121 512000 64000 96000 conform-action continue exceed-action drop
rate-limit input access-group 122 64000 8000 12000 conform-action transmit exceed-action drop
rate-limit input access-group 123 32000 4000 6000 conform-action transmit exceed-action drop
ntp multicast 229.2.2.2
ipv6 address 2001:1:1:4::4/64
ipv6 address FEC0:2E3D:5B7C:4::4/64
ipv6 nd suppress-ra

Rack2R4(config)#int e 0/0
Rack2R4(config-if)#no ip access-group 150 in
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (20 matches)
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (25 matches)
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (29 matches)

Rack2R4(config-if)#do sh int e 0/0 rat

Ethernet0/0
  Input
    matches: access-group 121
      params: 512000 bps, 64000 limit, 96000 extended limit
      conformed 103 packets, 114646 bytes; action: continue
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 257ms ago, current burst: 0 bytes
      last cleared 00:47:56 ago, conformed 0 bps, exceeded 0 bps
    matches: access-group 122
      params: 64000 bps, 8000 limit, 12000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 10281010ms ago, current burst: 0 bytes
      last cleared 00:47:14 ago, conformed 0 bps, exceeded 0 bps
    matches: access-group 123
      params: 32000 bps, 4000 limit, 6000 extended limit
      conformed 66 packets, 99924 bytes; action: transmit
      exceeded 8 packets, 12112 bytes; action: drop
      last packet: 261ms ago, current burst: 3882 bytes
      last cleared 00:46:39 ago, conformed 0 bps, exceeded 0 bps

Rack2R4(config-if)# ip access-group 150 in
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (97 matches)
Rack2R4(config-if)#do sh access-list 123
Extended IP access list 123
    10 permit icmp any any (97 matches)
Rack2R4(config-if)#do sh access-list 150
Extended IP access list 150
    10 permit tcp any any established
    20 permit tcp any any log-input
    30 permit icmp any any echo log-input (1491 matches)
    40 permit ip any any (305 matches)
Rack2R4(config-if)#do sh access-list 150
Extended IP access list 150
    10 permit tcp any any established
    20 permit tcp any any log-input
    30 permit icmp any any echo log-input (1499 matches)
    40 permit ip any any (305 matches)
Rack2R4(config-if)#do sh access-list 150
Extended IP access list 150
    10 permit tcp any any established
    20 permit tcp any any log-input
    30 permit icmp any any echo log-input (1518 matches)
    40 permit ip any any (305 matches)

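As an added check (example code written for this archive page, not from either poster or from Cisco), the comparison done by eye above can be automated: parse two "show access-list" snapshots taken with the security ACL applied and flag any rate-limit classification ACL whose match count stays flat while the inbound security ACL keeps counting. The snapshot text is constructed from the counters quoted in the post; ACL 123 is the rate-limit classifier and ACL 150 the security ACL.

```python
import re

# Two "show access-list" snapshots, constructed from the counters quoted in
# the post (ACL 123 = rate-limit classifier, ACL 150 = inbound security ACL).
SNAPSHOT_BEFORE = """\
Extended IP access list 123
    10 permit icmp any any (97 matches)
Extended IP access list 150
    10 permit tcp any any established
    30 permit icmp any any echo log-input (1491 matches)
    40 permit ip any any (305 matches)
"""
SNAPSHOT_AFTER = """\
Extended IP access list 123
    10 permit icmp any any (97 matches)
Extended IP access list 150
    10 permit tcp any any established
    30 permit icmp any any echo log-input (1518 matches)
    40 permit ip any any (305 matches)
"""

def parse_acl_counters(text):
    """Sum the '(N matches)' counters per ACL; ACEs without a counter count as 0."""
    counters, acl = {}, None
    for line in text.splitlines():
        head = re.match(r"Extended IP access list (\d+)", line)
        if head:
            acl = head.group(1)
            counters.setdefault(acl, 0)
            continue
        hit = re.search(r"\((\d+) matches\)", line)
        if hit and acl is not None:
            counters[acl] += int(hit.group(1))
    return counters

def acl_deltas(before, after):
    """Per-ACL counter growth between two snapshots (ACL missing on one side = 0)."""
    b, a = parse_acl_counters(before), parse_acl_counters(after)
    return {acl: a.get(acl, 0) - b.get(acl, 0) for acl in set(a) | set(b)}

def stalled_classifiers(before, after, rate_limit_acls, security_acl):
    """Rate-limit ACLs present in the snapshots that stopped counting while the
    security ACL kept matching: the symptom reported in the post. Returns []
    when the security ACL itself did not move, since nothing can be concluded."""
    delta = acl_deltas(before, after)
    if delta.get(security_acl, 0) <= 0:
        return []
    return sorted(acl for acl in rate_limit_acls if acl in delta and delta[acl] == 0)

if __name__ == "__main__":
    print(acl_deltas(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print(stalled_classifiers(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, ["121", "122", "123"], "150"))
```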


This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:02 GMT-3