From: Ed Lui (edwlui@gmail.com)
Date: Tue Jul 12 2005 - 11:58:29 GMT-3
J,
For method 2, I don't think it is a good idea to nest a policy into
another. In other words, something like below should work
Method 2)
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any

class-map match-all ftp
match protocol FTP

class-map match-all tcp
match access-group 101

policy-map ftp_tcp
class ftp
police cir 2000000
class tcp
police cir 5000000

interface f0/0
service-policy input ftp_tcp

HTH,
Ed Lui
On 7/11/05, k c <jwongccie@yahoo.com.hk> wrote:
>
> Hi Group,
>
> I need to permit tcp traffic from vlan10 (10.1.1.0) at
> 5Mbps and ftp traffic at 2Mbps. Are the following two methods correct? For
> method 2, will ftp packets match both policies tcp and ftp?
>
> Method 1)
> rate-limit input access-group 101 5000000 10000 20000 conform-action continue exceed-action drop
> rate-limit input access-group 102 2000000 10000 20000 conform-action transmit exceed-action drop
> access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
> access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
> access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
>
> Method 2)
> access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
>
> class-map match-all ftp
> match protocol FTP
>
> class-map match-all tcp
> match access-group 101
>
> policy-map ftp
> class ftp
> police cir 2000000
>
> policy-map tcp
> class tcp
> police cir 5000000
> service-policy ftp
>
> interface f0/0
> service-policy input tcp
>
> Thanks.
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3
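
The flat policy-map ftp_tcp from the reply above, modelled in Python as an added example (not part of the original thread): a packet is tested against the classes in the order they are listed and is policed only by the first class it matches. Assumptions: the burst sizes are made-up values because the post sets none, and "match protocol FTP" is simplified to TCP destination port 21.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policer:
    """Single-rate token bucket: conforming packets pass, exceeding ones drop."""
    cir_bps: int
    burst_bytes: int      # assumed value, the post does not configure a burst
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def conforms(self, now, size):
        refill = (now - self.last) * self.cir_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

VLAN10 = ipaddress.ip_network("10.1.1.0/24")    # source range of access-list 101

def is_ftp(pkt):      # simplification of "match protocol FTP": control port only
    return pkt["proto"] == "tcp" and pkt["dport"] == 21

def is_acl101(pkt):   # access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
    return pkt["proto"] == "tcp" and ipaddress.ip_address(pkt["src"]) in VLAN10

def build_policy():
    # Order matters: class ftp is listed before class tcp, as in ftp_tcp.
    return [("ftp", is_ftp, Policer(2_000_000, 62_500)),
            ("tcp", is_acl101, Policer(5_000_000, 156_250))]

def police(policy, pkt, now):
    """Return (class name, transmitted?) using the first matching class."""
    for name, match, policer in policy:
        if match(pkt):
            return name, policer.conforms(now, pkt["size"])
    return "class-default", True                # no policer configured there

def offered_load(policy, pkt, pps, seconds):
    """Offer pps packets per second for `seconds`; return transmitted bits/s."""
    sent = 0
    for i in range(pps * seconds):
        _, ok = police(policy, pkt, i / pps)
        sent += pkt["size"] * 8 if ok else 0
    return sent / seconds
```

Swapping the two entries in build_policy() makes every FTP packet from vlan10 match class tcp first, so the 2 Mbps policer is never reached.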