Re: Ratelimit vs MQC

From: Ed Lui (edwlui@gmail.com)
Date: Tue Jul 12 2005 - 13:33:58 GMT-3


Chris,
 I can tell nested policy is the key benefit of MQC, as the name says:
Modular. Plus, starting with PIX 7.0, modular configuration will eventually
replace the fixup command. I was just thinking, don't make things more
complicated than they should be. Since FTP also belongs to TCP, should FTP
traffic be considered within the 5M? Hm.
 Ed

 On 7/12/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
>
> Ed,
>
> Nested policies are a key benefit of the MQC system. Whether you do or
> do not nest policies depends upon the requirements of the question. In
> the original example, all TCP traffic is limited to 5M, and within that
> 5M, FTP is limited to 2M. With your example, if something matches the
> FTP policy-map, it will be counted against that and not the tcp class, so
> it is possible to get 5M of TCP traffic AND 2 Meg of FTP traffic allowed
> by the configuration you show.
>
> That is fine, it just depends upon the question requirements.
>
> Chris
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ed Lui
> Sent: Tuesday, July 12, 2005 9:58 AM
> To: k c
> Cc: ccielab@groupstudy.com
> Subject: Re: Ratelimit vs MQC
>
> J,
> For method 2, I don't think it is a good idea to nest a policy into
> another. In other words, something like the below should work:
>
> Method 2)
> access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
>
> class-map match-all ftp
> match protocol FTP
>
> class-map match-all tcp
> match access-group 101
>
> policy-map ftp_tcp
> class ftp
> police cir 2000000
> class tcp
> police cir 5000000
>
> interface f0/0
> service-policy input ftp_tcp
>
> HTH,
> Ed Lui
> On 7/11/05, k c <jwongccie@yahoo.com.hk> wrote:
> >
> > Hi Group,
> >
> > I need to permit tcp traffic from vlan10 (10.1.1.0)
> > at 5Mbps and ftp traffic at 2Mbps. Are the following two methods
> > correct? For method 2, will ftp packets match both policies tcp and
> > ftp?
> >
> > Method 1)
> > rate-limit input access-group 101 5000000 10000 20000 conform-action continue exceed-action drop
> > rate-limit input access-group 102 2000000 10000 20000 conform-action transmit exceed-action drop
> > access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
> > access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
> > access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
> >
> > Method 2)
> > access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
> >
> > class-map match-all ftp
> > match protocol FTP
> >
> > class-map match-all tcp
> > match access-group 101
> >
> > policy-map ftp
> > class ftp
> > police cir 2000000
> >
> > policy-map tcp
> > class tcp
> > police cir 5000000
> > service-policy ftp
> >
> > interface f0/0
> > service-policy input tcp
> >
> > Thanks.
> >
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
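The accounting difference Chris describes (FTP charged only against its own class in the flat policy-map, versus FTP charged against both the ftp child and the 5M tcp parent in the nested layout) can be checked with a small simulation. The following is an added example written for this archive page, not code from the thread or from Cisco; it models each `police cir` as a single-rate token bucket and makes assumptions the thread does not state: 1 ms ticks, 125-byte packets, a burst size (Bc) of one tick of CIR, and, for the nested case, the child policer being checked before the parent. The offered load is constructed: 8 Mbps of FTP plus 8 Mbps of other TCP, deliberately above both limits.

```python
"""Added example: simulate how packets are counted against classes in the
flat and nested policy-map layouts from the thread. Assumptions not in the
thread: 1 ms ticks, 125-byte packets, Bc equal to one tick of CIR, and in
the nested layout the child (ftp) policer is checked before the parent (tcp)."""
from dataclasses import dataclass

TICKS_PER_SECOND = 1000   # one simulation tick = 1 ms
PKT_BYTES = 125           # constructed packet size (125 B = 1000 bits)


@dataclass
class Policer:
    """Single-rate policer: a bucket of bc_bytes refilled at cir_bps."""
    cir_bps: int
    bc_bytes: int
    tokens: int = 0

    def refill(self) -> None:
        # Add one tick's worth of CIR, capped at the burst size.
        self.tokens = min(self.bc_bytes,
                          self.tokens + self.cir_bps // 8 // TICKS_PER_SECOND)

    def conform(self, size: int) -> bool:
        # conform-action transmit spends tokens; exceed-action drop otherwise.
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def make_policer(cir_bps: int) -> Policer:
    # Bc = one tick of CIR, so the per-second result is exactly CIR (simplification).
    return Policer(cir_bps, cir_bps // 8 // TICKS_PER_SECOND)


def offered_load(ticks: int, ftp_per_tick: int, other_per_tick: int):
    """Constructed input: FTP and non-FTP TCP packets interleaved each tick."""
    for _ in range(ticks):
        tick = []
        for i in range(max(ftp_per_tick, other_per_tick)):
            if i < ftp_per_tick:
                tick.append("ftp")
            if i < other_per_tick:
                tick.append("other")
        yield tick


def flat_policy(ticks: int = 1000, ftp_per_tick: int = 8, other_per_tick: int = 8) -> dict:
    """Ed's layout: one policy-map with class ftp (police 2M) listed before
    class tcp (police 5M). First-match classification sends FTP packets to
    class ftp only, so FTP bytes are never charged against the 5M policer."""
    ftp_pol, tcp_pol = make_policer(2_000_000), make_policer(5_000_000)
    accepted = {"ftp": 0, "other": 0}
    for tick in offered_load(ticks, ftp_per_tick, other_per_tick):
        ftp_pol.refill()
        tcp_pol.refill()
        for proto in tick:
            pol = ftp_pol if proto == "ftp" else tcp_pol
            if pol.conform(PKT_BYTES):
                accepted[proto] += PKT_BYTES
    return accepted


def nested_policy(ticks: int = 1000, ftp_per_tick: int = 8, other_per_tick: int = 8) -> dict:
    """k c's layout: parent class tcp (police 5M) carrying child policy-map
    ftp (police 2M). FTP must conform to the child and then to the parent,
    so FTP bytes are counted within the 5M."""
    parent, child = make_policer(5_000_000), make_policer(2_000_000)
    accepted = {"ftp": 0, "other": 0}
    for tick in offered_load(ticks, ftp_per_tick, other_per_tick):
        parent.refill()
        child.refill()
        for proto in tick:
            if proto == "ftp" and not child.conform(PKT_BYTES):
                continue  # dropped by the child policer, parent tokens untouched
            if parent.conform(PKT_BYTES):
                accepted[proto] += PKT_BYTES
    return accepted


def to_mbps(nbytes: int, ticks: int) -> float:
    """Convert accepted bytes over `ticks` ticks to an average rate in Mbps."""
    return nbytes * 8 * TICKS_PER_SECOND / ticks / 1_000_000


if __name__ == "__main__":
    for name, fn in (("flat", flat_policy), ("nested", nested_policy)):
        acc = fn()
        print(f"{name:7s} ftp={to_mbps(acc['ftp'], 1000):.1f} Mbps "
              f"other={to_mbps(acc['other'], 1000):.1f} Mbps "
              f"total={to_mbps(sum(acc.values()), 1000):.1f} Mbps")
```

Run as written, the flat layout admits 2 Mbps of FTP plus 5 Mbps of other TCP, 7 Mbps in total, while the nested layout admits 2 Mbps of FTP and 3 Mbps of other TCP, holding the aggregate at 5 Mbps. Which layout is correct depends on whether the requirement is "5M of TCP including FTP" or "5M of non-FTP TCP and 2M of FTP", which is exactly the distinction Chris makes; under the nested model the aggregate stays bounded by the parent rate whether the child or the parent is evaluated first.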



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3