From: ChicagoCCIE (chicagoccie@yahoo.com)
Date: Wed Apr 26 2006 - 13:05:04 GMT-3
The conform action of the TCP should be set to continue, not to transmit.
ccie_for_sure@comcast.net wrote: I have a question on nested policy. Example rate-limit FTP to 128K and TCP to 512K.
Since they are both TCP traffic I used a nested policy, but I only see TCP being hit
and FTP child is ignored.
Anyone have an idea on this?
IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.2(13)T1
Extended IP access list FTP
permit tcp any any eq ftp
permit tcp any any eq ftp-data
Extended IP access list TCP
permit tcp any 5.5.9.0 0.0.0.255 eq www (224 matches)
sho policy-map
Policy Map FTP
Class FTP
police cir 128000 bc 4000
conform-action transmit
exceed-action drop
Policy Map TCP
Class TCP
police cir 512000 bc 16000
conform-action transmit
exceed-action drop
service-policy FTP
Mar 4 00:53:15.661: SAA(3) Scheduler: Starting an operation
Mar 4 00:53:15.661: SAA(3) CtrlMsg: Sending msg, ver=1, id=105, len=52, cmd=3,
ip=5.5.3.3, port=21, duration=5000ms<----------------------------------------------ftp-data
Mar 4 00:53:15.685: SAA(3) CtrlMsg: Receive status = 0
Mar 4 00:53:15.685: SAA(3) tcpConnect operation: Sending tcp packet
Mar 4 00:53:15.697: SAA(3) tcpConnect operation: Timeout
Mar 4 00:53:15.697: SAA(3) Scheduler: Updating result
Mar 4 00:53:32.001: SAA(1) Scheduler: Starting an operation
Mar 4 00:53:32.001: SAA(1) CtrlMsg: Sending msg, ver=1, id=106, len=52, cmd=3,
ip=5.5.4.4, port=80, duration=5000ms <----------------------------------------------www
Mar 4 00:53:32.025: SAA(1) CtrlMsg: Receive status = 0
Mar 4 00:53:32.025: SAA(1) tcpConnect operation: Sending tcp packet
Mar 4 00:53:32.041: SAA(1) tcpConnect operation: Timeout
Mar 4 00:53:32.041: SAA(1) Scheduler: Updating result
Mar 4 00:53:40.313: SAA(2) Scheduler: Starting an operation
Mar 4 00:53:40.313: SAA(2) CtrlMsg: Sending msg, ver=1, id=107, len=52, cmd=3,
ip=5.5.3.3, port=20, duration=5000ms <----------------------------------------------ftp
Mar 4 00:53:40.337: SAA(2) CtrlMsg: Receive status = 0
Mar 4 00:53:40.337: SAA(2) tcpConnect operation: Sending tcp packet
Mar 4 00:53:40.349: SAA(2) tcpConnect operation: Timeout
Mar 4 00:53:40.349: SAA(2) Scheduler: Updating result
RACK5R1#u all
All possible debugging has been turned off
RACK5R1#sho policy-map interface s0/0
Serial0/0
Service-policy output: TCP
Class-map: TCP (match-all)
14 packets, 640 bytes <---------------------------------------Match
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name TCP
police:
cir 512000 bps, bc 16000 bytes
conformed 14 packets, 640 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Service-policy : FTP
Class-map: FTP (match-all)
0 packets, 0 bytes <--------------------------------------No Match
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name FTP
police:
cir 128000 bps, bc 4000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
14 packets, 640 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Class-map: class-default (match-any)
580 packets, 32850 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:59 GMT-3