RE: Ratelimit vs MQC

From: Chris Lewis (chrlewis) (chrlewis@cisco.com)
Date: Tue Jul 12 2005 - 14:42:39 GMT-3


In the following config:

policy-map ftp_tcp
class ftp
police cir 2000000
class tcp
police cir 5000000

An FTP packet coming along will match the first entry and count against
the 2M for class ftp and basically the packet is done with the
policy-map entries. A telnet packet will not match class ftp, but will
match class tcp, so counts against the 5M. So with the above config you
can get a total of 7 M of TCP traffic if 2 M of it is FTP.

With the following config:

> policy-map ftp
> class ftp
> police cir 2000000
>
> policy-map tcp
> class tcp
> police cir 5000000
> service-policy ftp

Look at it being executed from the "inside out": if an FTP packet comes
along, it will count against the 2 M for that class and also be counted
against the overall 5M for TCP.

Chris

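To make the difference between the two policy-maps concrete, here is an added simulation that is not from this thread or from Cisco. It models each `police cir` as a budget of CIR bits per one-second window (an assumption: a token bucket refilled once per second with a depth of one second of CIR, rather than the Bc/Be buckets IOS really uses), assumes the nested policy-map is evaluated child first then parent, and drives both arrangements with a constructed load of 4 Mbps FTP plus 6 Mbps other TCP from the same /24. The class names `ftp`/`tcp` and the CIRs are the ones from the thread; everything else (`Policer`, `Packet`, `run_flat`, `run_nested`) is invented for the example.

```python
"""Flat vs. nested MQC policing, as a toy simulation.

Added example, not code from this thread or from Cisco. The policer is a
deliberate simplification (assumption): each 'police cir' is a budget of CIR
bits per one-second window, i.e. a token bucket refilled once per second whose
depth is one second of CIR. Real IOS policers use Bc/Be token buckets refilled
on packet arrival, so real admitted rates differ slightly, but the structural
difference between the two policy-maps comes out the same.
"""

from dataclasses import dataclass, field


@dataclass
class Policer:
    """One 'police cir <bps>' statement with conform transmit / exceed drop."""
    cir_bps: int
    remaining: int = field(init=False)

    def __post_init__(self) -> None:
        self.remaining = self.cir_bps  # budget for the one-second window

    def conform(self, bits: int) -> bool:
        if bits <= self.remaining:
            self.remaining -= bits
            return True
        return False


@dataclass
class Packet:
    time: float  # arrival time within the window, in seconds
    proto: str   # 'ftp' or 'telnet'; both are TCP from 10.1.1.0/24
    bits: int


def offered_traffic(ftp_bps: int, telnet_bps: int, pkt_bits: int = 8000) -> list:
    """Constructed load: one second of evenly spaced packets per flow."""
    n_ftp, n_telnet = ftp_bps // pkt_bits, telnet_bps // pkt_bits
    pkts = [Packet(i / n_ftp, "ftp", pkt_bits) for i in range(n_ftp)]
    pkts += [Packet(j / n_telnet, "telnet", pkt_bits) for j in range(n_telnet)]
    pkts.sort(key=lambda p: p.time)  # stable sort: FTP first on exact ties
    return pkts


def run_flat(pkts, ftp_cir: int = 2_000_000, tcp_cir: int = 5_000_000) -> dict:
    """policy-map ftp_tcp: 'class ftp / police' then 'class tcp / police'.

    A packet is handled by the first class it matches and is then done with
    the policy-map, so FTP never touches the tcp policer.
    """
    ftp, tcp = Policer(ftp_cir), Policer(tcp_cir)
    admitted = {"ftp": 0, "telnet": 0}
    for p in pkts:
        policer = ftp if p.proto == "ftp" else tcp
        if policer.conform(p.bits):
            admitted[p.proto] += p.bits
    return admitted


def run_nested(pkts, ftp_cir: int = 2_000_000, tcp_cir: int = 5_000_000) -> dict:
    """policy-map tcp: 'class tcp / police / service-policy ftp'.

    Evaluated inside out (assumed order): an FTP packet must first conform to
    the child ftp policer, and what survives is then counted against the
    parent tcp policer together with all other TCP.
    """
    child, parent = Policer(ftp_cir), Policer(tcp_cir)
    admitted = {"ftp": 0, "telnet": 0}
    for p in pkts:
        if p.proto == "ftp" and not child.conform(p.bits):
            continue  # exceeded the 2M child CIR: dropped, never reaches parent
        if parent.conform(p.bits):
            admitted[p.proto] += p.bits
    return admitted


if __name__ == "__main__":
    # 4 Mbps of FTP plus 6 Mbps of other TCP offered, both above their CIRs.
    for name, run in (("flat", run_flat), ("nested", run_nested)):
        result = run(offered_traffic(4_000_000, 6_000_000))
        print(f"{name:7s} ftp={result['ftp']:>9,d}  other tcp={result['telnet']:>9,d}"
              f"  total={sum(result.values()):>9,d} bits/s")
```

With that load the flat policy-map admits 2M of FTP plus 5M of other TCP (7M in total), while the nested one admits 2M of FTP and only 3M of other TCP, because the parent 5M budget is shared and the FTP that survived the child policer consumed part of it.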
________________________________

From: Ed Lui [mailto:edwlui@gmail.com]
Sent: Tuesday, July 12, 2005 11:34 AM
To: Chris Lewis (chrlewis)
Cc: k c; ccielab@groupstudy.com
Subject: Re: Ratelimit vs MQC

Chris,

I can tell nested policy is the key benefit of MQC, as the name says,
Modular. Plus, starting with PIX 7.0, modular configuration will eventually
replace the fixup command. I was just thinking, don't make things more
complicated than they should be. Since ftp also belongs to tcp, should ftp
traffic be considered within the 5M? Hm?

Ed

On 7/12/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:

        Ed,

        Nested policies are a key benefit of the MQC system. Whether you do or
        do not nest policies depends upon the requirements of the question. In
        the original example, all TCP traffic is limited to 5M, and within that
        5M, FTP is limited to 2 M. With your example, if something matches the
        FTP policy-map, it will be counted against that and not the tcp class, so
        it is possible to get 5M of TCP traffic AND 2 Meg of FTP traffic allowed
        by the configuration you show.

        That is fine, it just depends upon the question requirements.

        Chris

        -----Original Message-----
        From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
        Ed Lui
        Sent: Tuesday, July 12, 2005 9:58 AM
        To: k c
        Cc: ccielab@groupstudy.com
        Subject: Re: Ratelimit vs MQC

        J,
        For method 2, I don't think it is a good idea to nest a policy into
        another. In other words, something like below should work:

        Method 2)
        access-list 101 permit tcp 10.1.1.0 0.0.0.255 any

        class-map match-all ftp
        match protocol FTP

        class-map match-all tcp
        match access-group 101

        policy-map ftp_tcp
        class ftp
        police cir 2000000
        class tcp
        police cir 5000000

        interface f0/0
        service-policy input ftp_tcp

        HTH,
        Ed Lui
        On 7/11/05, k c <jwongccie@yahoo.com.hk> wrote:
>
> Hi Group,
>
> I need to permit tcp traffic from vlan10 (10.1.1.0) at 5Mbps and ftp
> traffic at 2Mbps. Are the following two methods correct? For method 2,
> will ftp packets match both policies tcp and ftp?
>
> Method 1)
> rate-limit input access-group 101 5000000 10000 20000 conform-action continue exceed-action drop
> rate-limit input access-group 102 2000000 10000 20000 conform-action transmit exceed-action drop
> access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
> access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
> access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
>
> Method 2)
> access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
>
> class-map match-all ftp
> match protocol FTP
>
> class-map match-all tcp
> match access-group 101
>
> policy-map ftp
> class ftp
> police cir 2000000
>
> policy-map tcp
> class tcp
> police cir 5000000
> service-policy ftp
>
> interface f0/0
> service-policy input tcp
>
> Thanks.
>



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3