Re: Nested Policy

From: Ivan Kuchin (ivan@iip.net)
Date: Wed Apr 26 2006 - 14:00:59 GMT-3


Policing config is OK. To be sure, you can see non-zero counters on Class-map:
class-default in service-policy FTP.
To be policed (and then passed to service-policy FTP), packets need to match
access-list TCP. Access-list TCP matches only packets with dst port 80 (www).
Then the packet is policed to 512000 bps. Then the packet goes into service-policy FTP.
Here it tries to match access-list FTP (dst port [21|20]). Attention!!! The packet
will never match this list because it has dst port 80 (it matched ACL TCP earlier).
Once the packet has not matched class FTP, it goes into class-map: class-default.

> I have a question on nested policy. Example rate-limit FTP to 128K and TCP
> to 512K.
>
> Since they are both TCP traffic I used a nested policy, but I only see TCP
> being hit and FTP child is ignored.
>
> Anyone have an idea on this?
>
> IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.2(13)T1
>
>
> Extended IP access list FTP
> permit tcp any any eq ftp
> permit tcp any any eq ftp-data
> Extended IP access list TCP
> permit tcp any 5.5.9.0 0.0.0.255 eq www (224 matches)
>
>
> sho policy-map
> Policy Map FTP
> Class FTP
> police cir 128000 bc 4000
> conform-action transmit
> exceed-action drop
>
> Policy Map TCP
> Class TCP
> police cir 512000 bc 16000
> conform-action transmit
> exceed-action drop
> service-policy FTP
>
>
> Mar 4 00:53:15.661: SAA(3) Scheduler: Starting an operation
> Mar 4 00:53:15.661: SAA(3) CtrlMsg: Sending msg, ver=1, id=105, len=52,
> cmd=3, ip=5.5.3.3, port=21, duration=5000ms <----------------------------------------------ftp-data
> Mar 4 00:53:15.685: SAA(3) CtrlMsg: Receive status = 0
> Mar 4 00:53:15.685: SAA(3) tcpConnect operation: Sending tcp packet
> Mar 4 00:53:15.697: SAA(3) tcpConnect operation: Timeout
> Mar 4 00:53:15.697: SAA(3) Scheduler: Updating result
>
>
> Mar 4 00:53:32.001: SAA(1) Scheduler: Starting an operation
> Mar 4 00:53:32.001: SAA(1) CtrlMsg: Sending msg, ver=1, id=106, len=52,
> cmd=3, ip=5.5.4.4, port=80, duration=5000ms <----------------------------------------------www
> Mar 4 00:53:32.025: SAA(1) CtrlMsg: Receive status = 0
> Mar 4 00:53:32.025: SAA(1) tcpConnect operation: Sending tcp packet
> Mar 4 00:53:32.041: SAA(1) tcpConnect operation: Timeout
> Mar 4 00:53:32.041: SAA(1) Scheduler: Updating result
>
> Mar 4 00:53:40.313: SAA(2) Scheduler: Starting an operation
> Mar 4 00:53:40.313: SAA(2) CtrlMsg: Sending msg, ver=1, id=107, len=52,
> cmd=3, ip=5.5.3.3, port=20, duration=5000ms <----------------------------------------------ftp
> Mar 4 00:53:40.337: SAA(2) CtrlMsg: Receive status = 0
> Mar 4 00:53:40.337: SAA(2) tcpConnect operation: Sending tcp packet
> Mar 4 00:53:40.349: SAA(2) tcpConnect operation: Timeout
> Mar 4 00:53:40.349: SAA(2) Scheduler: Updating result
> RACK5R1#u all
> All possible debugging has been turned off
>
>
>
> RACK5R1#sho policy-map interface s0/0
>
> Serial0/0
>
> Service-policy output: TCP
>
> Class-map: TCP (match-all)
> 14 packets, 640 bytes <---------------------------------------Match
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: access-group name TCP
> police:
> cir 512000 bps, bc 16000 bytes
> conformed 14 packets, 640 bytes; actions:
> transmit
> exceeded 0 packets, 0 bytes; actions:
> drop
> conformed 0 bps, exceed 0 bps
>
> Service-policy : FTP
>
> Class-map: FTP (match-all)
> 0 packets, 0 bytes <--------------------------------------No Match
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: access-group name FTP
> police:
> cir 128000 bps, bc 4000 bytes
> conformed 0 packets, 0 bytes; actions:
> transmit
> exceeded 0 packets, 0 bytes; actions:
> drop
> conformed 0 bps, exceed 0 bps
>
> Class-map: class-default (match-any)
> 14 packets, 640 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: any
>
> Class-map: class-default (match-any)
> 580 packets, 32850 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: any
>

-- 
Ivan Kuchin (mail to: ivan@iip.net)
NOC iip.net 
137-31-04
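
The classification order described in the reply above, as an added example that is not part of the original thread: a small Python model of parent/child class matching using the ACLs quoted in the post. It models classification only (no policing); the sample packets and the wider parent ACL `ACL_TCP_WIDE` are assumptions constructed for illustration.

```python
# Added illustration: models how a nested (parent/child) policy classifies packets.
import ipaddress

def acl_permits(acl, dst_ip, dst_port):
    """acl: list of (network, ports) entries, i.e. 'permit tcp any <network> eq <port>'."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) and dst_port in ports
               for net, ports in acl)

# ACLs as quoted in the post (ftp = 21, ftp-data = 20, www = 80).
ACL_FTP = [("0.0.0.0/0", {21}), ("0.0.0.0/0", {20})]
ACL_TCP = [("5.5.9.0/24", {80})]
# Assumption (not from the thread): a parent ACL wide enough to include FTP.
ACL_TCP_WIDE = [("0.0.0.0/0", set(range(1, 65536)))]

def classify(parent_acl, child_acl, dst_ip, dst_port):
    """Return the (parent class, child class) a packet lands in.

    The child policy hangs off the parent class, so it is consulted only
    for packets the parent class has already matched.
    """
    if not acl_permits(parent_acl, dst_ip, dst_port):
        return ("class-default", None)       # child policy never evaluated
    if acl_permits(child_acl, dst_ip, dst_port):
        return ("TCP", "FTP")
    return ("TCP", "class-default")

def counters(parent_acl, child_acl, packets):
    """Tally per-class hits, in the spirit of 'show policy-map interface'."""
    hits = {}
    for dst_ip, dst_port in packets:
        key = classify(parent_acl, child_acl, dst_ip, dst_port)
        hits[key] = hits.get(key, 0) + 1
    return hits

# Constructed sample traffic: one www, one ftp and one ftp-data packet.
PACKETS = [("5.5.9.10", 80), ("5.5.3.3", 21), ("5.5.3.3", 20)]

if __name__ == "__main__":
    print("ACLs from the post:", counters(ACL_TCP, ACL_FTP, PACKETS))
    print("wider parent ACL  :", counters(ACL_TCP_WIDE, ACL_FTP, PACKETS))
```

With the ACLs from the post, the child class FTP stays at zero and the www packet falls into the child class-default; only when the parent class also admits ports 20 and 21 does the child class FTP see traffic.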

