From: Scott Morris (swm@emanon.com)
Date: Wed Apr 26 2006 - 13:06:39 GMT-3
Your "TCP" ACL only matches web traffic! You can't be both web traffic AND
FTP traffic at the same time. :)
If you want to work this way, change your TCP ACL to simply be "permit tcp
any any" and then see your effect.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie_for_sure@comcast.net
Sent: Wednesday, April 26, 2006 10:49 AM
To: ccielab@groupstudy.com
Subject: Nested Policy
I have a question on nested policy. Example rate-limit FTP to 128K and TCP
to 512K.
Since they are both TCP traffic I used a nested policy, but I only see TCP
being hit and FTP child is ignored.
Anyone have an idea on this?
IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.2(13)T1
Extended IP access list FTP
    permit tcp any any eq ftp
    permit tcp any any eq ftp-data
Extended IP access list TCP
    permit tcp any 5.5.9.0 0.0.0.255 eq www (224 matches)

sho policy-map
  Policy Map FTP
    Class FTP
      police cir 128000 bc 4000
        conform-action transmit
        exceed-action drop
  Policy Map TCP
    Class TCP
      police cir 512000 bc 16000
        conform-action transmit
        exceed-action drop
      service-policy FTP
Mar 4 00:53:15.661: SAA(3) Scheduler: Starting an operation
Mar 4 00:53:15.661: SAA(3) CtrlMsg: Sending msg, ver=1, id=105, len=52, cmd=3, ip=5.5.3.3, port=21, duration=5000ms <----------ftp-data
Mar 4 00:53:15.685: SAA(3) CtrlMsg: Receive status = 0
Mar 4 00:53:15.685: SAA(3) tcpConnect operation: Sending tcp packet
Mar 4 00:53:15.697: SAA(3) tcpConnect operation: Timeout
Mar 4 00:53:15.697: SAA(3) Scheduler: Updating result
Mar 4 00:53:32.001: SAA(1) Scheduler: Starting an operation
Mar 4 00:53:32.001: SAA(1) CtrlMsg: Sending msg, ver=1, id=106, len=52, cmd=3, ip=5.5.4.4, port=80, duration=5000ms <----------www
Mar 4 00:53:32.025: SAA(1) CtrlMsg: Receive status = 0
Mar 4 00:53:32.025: SAA(1) tcpConnect operation: Sending tcp packet
Mar 4 00:53:32.041: SAA(1) tcpConnect operation: Timeout
Mar 4 00:53:32.041: SAA(1) Scheduler: Updating result
Mar 4 00:53:40.313: SAA(2) Scheduler: Starting an operation
Mar 4 00:53:40.313: SAA(2) CtrlMsg: Sending msg, ver=1, id=107, len=52, cmd=3, ip=5.5.3.3, port=20, duration=5000ms <----------ftp
Mar 4 00:53:40.337: SAA(2) CtrlMsg: Receive status = 0
Mar 4 00:53:40.337: SAA(2) tcpConnect operation: Sending tcp packet
Mar 4 00:53:40.349: SAA(2) tcpConnect operation: Timeout
Mar 4 00:53:40.349: SAA(2) Scheduler: Updating result
RACK5R1#u all
All possible debugging has been turned off
RACK5R1#sho policy-map interface s0/0
 Serial0/0

  Service-policy output: TCP

    Class-map: TCP (match-all)
      14 packets, 640 bytes <---------------------------------------Match
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name TCP
      police:
          cir 512000 bps, bc 16000 bytes
        conformed 14 packets, 640 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

      Service-policy : FTP

        Class-map: FTP (match-all)
          0 packets, 0 bytes <--------------------------------------No Match
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name FTP
          police:
              cir 128000 bps, bc 4000 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps

        Class-map: class-default (match-any)
          14 packets, 640 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      580 packets, 32850 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
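Added illustration of the point Scott makes above (not code from the thread or from IOS): a toy model of how a nested MQC service-policy classifies a packet. A child policy is only consulted for packets that already matched the parent class, so with the parent ACL limited to `eq www`, FTP packets drop into the parent's class-default and the FTP child never sees them. Packet fields, the ACL tuple layout and the sample packets are constructed for this example; the original and the fixed parent ACL reflect the ACLs posted and the "permit tcp any any" change suggested.

```python
from ipaddress import ip_address, ip_network

def acl_permits(acl, pkt):
    """First-match extended ACL with the implicit deny at the end.
    Entry layout (constructed): (protocol, destination prefix, dest port or None)."""
    for proto, dst_prefix, dport in acl:
        if pkt["proto"] != proto:
            continue
        if ip_address(pkt["dst"]) not in ip_network(dst_prefix):
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        return True
    return False  # no entry matched: implicit deny

def classify(policy, pkt, prefix=""):
    """Walk a policy-map top down; the first class whose ACL permits the packet
    wins. If that class carries a child service-policy, classify again inside it.
    Returns the list of classes hit, child classes prefixed with the parent name."""
    for name, acl, child in policy:
        if acl_permits(acl, pkt):
            hits = [prefix + name]
            if child is not None:
                hits += classify(child, pkt, prefix + name + ">")
            return hits
    return [prefix + "class-default"]  # MQC always has an implicit class-default

# ACLs as posted: 'any' is 0.0.0.0/0, wildcard 0.0.0.255 is a /24, www is 80.
ACL_FTP = [("tcp", "0.0.0.0/0", 21), ("tcp", "0.0.0.0/0", 20)]
ACL_TCP_WWW = [("tcp", "5.5.9.0/24", 80)]    # original TCP ACL: web traffic only
ACL_TCP_ANY = [("tcp", "0.0.0.0/0", None)]   # suggested fix: permit tcp any any

# policy-map structure: (class name, match ACL, child policy or None)
CHILD_FTP = [("FTP", ACL_FTP, None)]
PARENT_ORIGINAL = [("TCP", ACL_TCP_WWW, CHILD_FTP)]
PARENT_FIXED = [("TCP", ACL_TCP_ANY, CHILD_FTP)]

# constructed sample packets: one web hit, one FTP control connection
WEB_PKT = {"proto": "tcp", "dst": "5.5.9.10", "dport": 80}
FTP_PKT = {"proto": "tcp", "dst": "5.5.3.3", "dport": 21}

if __name__ == "__main__":
    for label, policy in (("original", PARENT_ORIGINAL), ("fixed", PARENT_FIXED)):
        for pkt in (WEB_PKT, FTP_PKT):
            print(label, pkt["dport"], "->", classify(policy, pkt))
```

With the original parent ACL the web packet lands in TCP then the child's class-default, and the FTP packet never enters TCP at all, matching the 14/0/580 counters in the posted output; with "permit tcp any any" the FTP packet reaches the FTP child class.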
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:59 GMT-3