RE: Nested Policy

From: Eric.Stuhl@ferguson.com
Date: Wed Apr 26 2006 - 13:26:09 GMT-3


Here you're definitely just matching www traffic in the first class,
which will never call your ftp traffic.

I don't see why you'd need a nested policy.

Why not just use:

ip access-list extended FTP
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
ip access-list extended WWW
 permit tcp any 5.5.9.0 0.0.0.255 eq www
!
class-map match-all FTP
 match access-group name FTP
class-map match-all WWW
 match access-group name WWW
!
policy-map Rate-Limit
 class FTP
  police cir 128000 bc 4000
   conform-action transmit
   exceed-action drop
 class WWW
  police cir 512000 bc 16000
   conform-action transmit
   exceed-action drop

If you need to do it for TCP/FTP, it would look more like this (ignoring
certain cases of ftp):

ip access-list extended TCP_Traffic
 permit tcp any any
ip access-list extended FTP_Traffic
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
class-map match-all TCP_Traffic
 match access-group name TCP_Traffic
class-map match-all FTP_Traffic
 match access-group name FTP_Traffic
!
policy-map Limit_FTP
 class FTP_Traffic
  police cir 128000 bc 4000
   conform-action transmit
   exceed-action drop
policy-map Limit_TCP
 class TCP_Traffic
  police cir 512000 bc 16000
   conform-action transmit
   exceed-action drop
  service-policy Limit_FTP

N.B. I've never done nested police statements, so I'm not sure how the
traffic will flow. I've just corrected your logical errors.

Eric Stuhl
CCNP, CCDP, CCSE-NG
Ferguson Enterprises
eric.stuhl@ferguson.com
(757)-969-4146
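Added example (my own, not part of this thread and not Cisco IOS code): a small Python model of how a nested policy classifies and polices, run over constructed traffic. It assumes match-all class-maps backed by extended ACLs, one single-bucket policer per class (cir in bit/s, bc in bytes, bucket full at time zero), that only traffic the parent class transmits is handed to the child service-policy, and a made-up web host 5.5.9.10 inside 5.5.9.0/24. Feeding the same packets to a parent class that matches only www (the original ACL named TCP) and to one that matches all TCP (TCP_Traffic above) shows why the FTP child counters stay at zero in the first case; the policer part shows the difference between a burst that exhausts bc and the same bytes spread out under cir.

```python
# Added example (not from the thread, not Cisco code): toy model of IOS
# hierarchical policing; every assumption is noted in the comments below.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    size: int                        # bytes; every constructed packet is TCP

@dataclass(frozen=True)
class AclEntry:
    dst_net: str                     # "any" or "a.b.c.d/len"
    dst_port: Optional[int] = None   # None: any destination port
    def matches(self, pkt: Packet) -> bool:
        in_net = self.dst_net == "any" or ip_address(pkt.dst_ip) in ip_network(self.dst_net)
        return in_net and (self.dst_port is None or self.dst_port == pkt.dst_port)

class Policer:
    """Single-rate, single-bucket policer: conform -> transmit, exceed -> drop."""
    def __init__(self, cir: int, bc: int):
        self.cir, self.bc = cir, bc                 # bits per second, burst in bytes
        self.tokens, self.last = float(bc), 0.0     # assumption: bucket starts full at t=0
        self.conformed = self.exceeded = 0

    def police(self, pkt: Packet, now: float) -> str:
        # replenish the bytes earned since the previous packet, capped at bc
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.cir / 8)
        self.last = now
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            self.conformed += 1
            return "transmit"
        self.exceeded += 1
        return "drop"

@dataclass
class ClassMap:
    name: str
    acl: Optional[list]                   # None means class-default (match any)
    policer: Optional[Policer] = None
    child: Optional["PolicyMap"] = None   # nested service-policy
    packets: int = 0
    def matches(self, pkt: Packet) -> bool:
        return self.acl is None or any(e.matches(pkt) for e in self.acl)

@dataclass
class PolicyMap:
    name: str
    classes: list                         # evaluated top-down, first match wins

    def apply(self, pkt: Packet, now: float) -> str:
        for cm in self.classes:
            if cm.matches(pkt):
                cm.packets += 1
                action = cm.policer.police(pkt, now) if cm.policer else "transmit"
                if action == "transmit" and cm.child is not None:
                    action = cm.child.apply(pkt, now)   # only transmitted traffic reaches the child
                return action
        return "transmit"

FTP_ACL = [AclEntry("any", 21), AclEntry("any", 20)]
WWW_ONLY_ACL = [AclEntry("5.5.9.0/24", 80)]   # the poster's ACL, which he named "TCP"
ALL_TCP_ACL = [AclEntry("any")]               # TCP_Traffic from the reply: permit tcp any any

def build_nested_policy(parent_acl: list) -> PolicyMap:
    child = PolicyMap("FTP", [ClassMap("FTP", FTP_ACL, Policer(128000, 4000)),
                              ClassMap("class-default", None)])
    return PolicyMap("TCP", [ClassMap("TCP", parent_acl, Policer(512000, 16000), child),
                             ClassMap("class-default", None)])

# constructed traffic: (time in s, dst ip, dst port, bytes); 5.5.9.10 is an assumed web host
PACKETS = [(0.0, "5.5.9.10", 80, 64), (0.1, "5.5.9.10", 80, 64),
           (0.2, "5.5.3.3", 21, 64), (0.3, "5.5.3.3", 20, 64),
           (0.4, "5.5.3.3", 21, 64), (0.5, "5.5.3.3", 20, 64),
           (0.6, "5.5.9.10", 22, 64)]

def class_hits(parent_acl: list, packets=PACKETS) -> dict:
    """Packet counters per class, in the order 'show policy-map interface' lists them."""
    pm = build_nested_policy(parent_acl)
    for t, ip, port, size in packets:
        pm.apply(Packet(ip, port, size), t)
    tcp, default = pm.classes
    return {"TCP": tcp.packets, "TCP/FTP": tcp.child.classes[0].packets,
            "TCP/class-default": tcp.child.classes[1].packets, "class-default": default.packets}

def police_burst(sizes: list, cir: int, bc: int, gap: float) -> tuple:
    """(conformed, exceeded) for packets of the given sizes sent `gap` seconds apart."""
    p = Policer(cir, bc)
    for i, size in enumerate(sizes):
        p.police(Packet("5.5.3.3", 20, size), i * gap)
    return p.conformed, p.exceeded

if __name__ == "__main__":
    print("parent matches www only:", class_hits(WWW_ONLY_ACL))
    print("parent matches all tcp: ", class_hits(ALL_TCP_ACL))
    print("10 x 1000 B at once, cir 128k bc 4000:", police_burst([1000] * 10, 128000, 4000, 0.0))
    print("same packets 100 ms apart:            ", police_burst([1000] * 10, 128000, 4000, 0.1))
```

Run it directly to print the per-class counters for both parent ACLs: with the www-only parent the FTP probes fall through to the parent's class-default and the child FTP class stays at 0 packets, exactly the pattern in the show output below; with a permit tcp any any parent the FTP class picks up the port 20/21 packets. The burst calls show that ten 1000-byte packets sent at once only get bc worth (4 packets) through a 128 kbit/s, 4000-byte policer, while the same packets 100 ms apart all conform because the bucket refills faster than it drains.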

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie_for_sure@comcast.net
Sent: Wednesday, April 26, 2006 10:49 AM
To: ccielab@groupstudy.com
Subject: Nested Policy

I have a question on nested policy. Example: rate-limit FTP to 128K and
TCP to 512K.

Since they are both TCP traffic I used a nested policy, but I only see
TCP being hit and the FTP child is ignored.

Anyone have an idea on this?

IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.2(13)T1

Extended IP access list FTP
    permit tcp any any eq ftp
    permit tcp any any eq ftp-data
Extended IP access list TCP
    permit tcp any 5.5.9.0 0.0.0.255 eq www (224 matches)

sho policy-map
  Policy Map FTP
      service-policy FTP

Mar 4 00:53:15.661: SAA(3) Scheduler: Starting an operation
Mar 4 00:53:15.661: SAA(3) CtrlMsg: Sending msg, ver=1, id=105, len=52, cmd=3, ip=5.5.3.3, port=21, duration=5000ms <---------------------------------------------- ftp-data
Mar 4 00:53:15.685: SAA(3) CtrlMsg: Receive status = 0
Mar 4 00:53:15.685: SAA(3) tcpConnect operation: Sending tcp packet
Mar 4 00:53:15.697: SAA(3) tcpConnect operation: Timeout
Mar 4 00:53:15.697: SAA(3) Scheduler: Updating result

Mar 4 00:53:32.001: SAA(1) Scheduler: Starting an operation
Mar 4 00:53:32.001: SAA(1) CtrlMsg: Sending msg, ver=1, id=106, len=52, cmd=3, ip=5.5.4.4, port=80, duration=5000ms <---------------------------------------------- www
Mar 4 00:53:32.025: SAA(1) CtrlMsg: Receive status = 0
Mar 4 00:53:32.025: SAA(1) tcpConnect operation: Sending tcp packet
Mar 4 00:53:32.041: SAA(1) tcpConnect operation: Timeout
Mar 4 00:53:32.041: SAA(1) Scheduler: Updating result

Mar 4 00:53:40.313: SAA(2) Scheduler: Starting an operation
Mar 4 00:53:40.313: SAA(2) CtrlMsg: Sending msg, ver=1, id=107, len=52, cmd=3, ip=5.5.3.3, port=20, duration=5000ms <---------------------------------------------- ftp
Mar 4 00:53:40.337: SAA(2) CtrlMsg: Receive status = 0
Mar 4 00:53:40.337: SAA(2) tcpConnect operation: Sending tcp packet
Mar 4 00:53:40.349: SAA(2) tcpConnect operation: Timeout
Mar 4 00:53:40.349: SAA(2) Scheduler: Updating result
RACK5R1#u all
All possible debugging has been turned off

RACK5R1#sho policy-map interface s0/0

 Serial0/0

  Service-policy output: TCP

    Class-map: TCP (match-all)
      14 packets, 640 bytes <--------------------------------------- Match
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name TCP
      police:
          cir 512000 bps, bc 16000 bytes
        conformed 14 packets, 640 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

      Service-policy : FTP

        Class-map: FTP (match-all)
          0 packets, 0 bytes <-------------------------------------- No Match
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name FTP
          police:
              cir 128000 bps, bc 4000 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps

        Class-map: class-default (match-any)
          14 packets, 640 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      580 packets, 32850 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any



This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:59 GMT-3