From: ccie_for_sure@comcast.net
Date: Wed Apr 26 2006 - 17:28:43 GMT-3
Thanks Scott and to all who replied. I made some changes and it works great! Here is the config for those interested:

ip cef
!
class-map match-all TCP-FTP
 match access-group name FTP
class-map match-all TCP-WWW
 match access-group name TCP-WWW
class-map match-all TCP-FULL
 match access-group name TCP-FULL
!
!
policy-map TCP-TRAFFIC
 class TCP-FTP
  bandwidth 128
 class TCP-WWW
  bandwidth 128
 class TCP-FULL
  police cir 256000
policy-map default-tcp
 class class-default
  shape average 384000
  fair-queue
  service-policy TCP-TRAFFIC
!

sho access-lists
Extended IP access list FTP
    permit tcp any host 5.5.3.3 eq ftp (8 matches)
    permit tcp any host 5.5.3.3 eq ftp-data (8 matches)
Extended IP access list TCP-FULL
    permit tcp any host 5.5.3.3 (8 matches)
Extended IP access list TCP-WWW
    permit tcp any host 5.5.3.3 eq www (8 matches)

sho policy-map interface s0/0
 Serial0/0

  Service-policy output: default-tcp

    Class-map: class-default (match-any)
      246 packets, 14670 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
           384000/384000    2400   9600      9600      25        1200

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         185       13816     0         0         no
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 256
        (total queued/total drops/no-buffer drops) 0/0/0

      Service-policy : TCP-TRAFFIC

        Class-map: TCP-FTP (match-all)
          16 packets, 736 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name FTP
          Queueing
            Output Queue: Conversation 41
            Bandwidth 128 (kbps) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
            (depth/total drops/no-buffer drops) 0/0/0

        Class-map: TCP-WWW (match-all)
          8 packets, 368 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name TCP-WWW
          Queueing
            Output Queue: Conversation 42
            Bandwidth 128 (kbps) Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
            (depth/total drops/no-buffer drops) 0/0/0

        Class-map: TCP-FULL (match-all)
          8 packets, 368 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name TCP-FULL
          police:
            cir 256000 bps, bc 8000 bytes
            conformed 8 packets, 368 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps

        Class-map: class-default (match-any)
          214 packets, 13198 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

rtr 1
 type tcpConnect dest-ipaddr 5.5.3.3 dest-port 20
 timeout 10
rtr schedule 1 start-time now
rtr 2
 type tcpConnect dest-ipaddr 5.5.3.3 dest-port 21
 timeout 10
rtr schedule 2 start-time now
rtr 3
 type tcpConnect dest-ipaddr 5.5.3.3 dest-port 80
 timeout 10
rtr schedule 3 start-time now
rtr 4
 type tcpConnect dest-ipaddr 5.5.3.3 dest-port 443
 timeout 10
rtr schedule 4 start-time now

-------------- Original message ----------------------
From: Ivan Kuchin <ivan@iip.net>
> Policing config is OK. To be sure, you can see the non-zero counters on Class-map:
> class-default in service-policy FTP.
> To be policed (and then passed to service-policy FTP), packets need to match
> access-list TCP. Access-list TCP matches only packets with dst port 80 (www).
> The packet is then policed to 512000 bps. Then the packet goes into service-policy FTP.
> Here it tries to match access-list FTP (dst port [21|20]). Attention!!! The packet
> will never match this list because it has dst port 80 (it matched ACL TCP before).
> Once the packet has not matched class FTP, it goes into class-map: class-default.
>
> > I have a question on nested policy. Example rate-limit FTP to 128K and TCP
> > to 512K.
> >
> > Since they are both TCP traffic I used a nested policy, but I only see TCP
> > being hit and FTP child is ignored.
> >
> > Anyone have an idea on this?
> >
> > IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.2(13)T1
> >
> >
> > Extended IP access list FTP
> > permit tcp any any eq ftp
> > permit tcp any any eq ftp-data
> > Extended IP access list TCP
> > permit tcp any 5.5.9.0 0.0.0.255 eq www (224 matches)
> >
> >
> > sho policy-map
> > Policy Map FTP
> > Class FTP
> > police cir 128000 bc 4000
> > conform-action transmit
> > exceed-action drop
> >
> > Policy Map TCP
> > Class TCP
> > police cir 512000 bc 16000
> > conform-action transmit
> > exceed-action drop
> > service-policy FTP
> >
> >
> > Mar 4 00:53:15.661: SAA(3) Scheduler: Starting an operation
> > Mar 4 00:53:15.661: SAA(3) CtrlMsg: Sending msg, ver=1, id=105, len=52,
> > cmd=3, ip=5.5.3.3, port=21, duration=5000ms <---------- ftp-data
> > Mar 4 00:53:15.685: SAA(3) CtrlMsg: Receive status = 0
> > Mar 4 00:53:15.685: SAA(3) tcpConnect operation: Sending tcp packet
> > Mar 4 00:53:15.697: SAA(3) tcpConnect operation: Timeout
> > Mar 4 00:53:15.697: SAA(3) Scheduler: Updating result
> >
> >
> > Mar 4 00:53:32.001: SAA(1) Scheduler: Starting an operation
> > Mar 4 00:53:32.001: SAA(1) CtrlMsg: Sending msg, ver=1, id=106, len=52,
> > cmd=3, ip=5.5.4.4, port=80, duration=5000ms <---------- www
> > Mar 4 00:53:32.025: SAA(1) CtrlMsg: Receive status = 0
> > Mar 4 00:53:32.025: SAA(1) tcpConnect operation: Sending tcp packet
> > Mar 4 00:53:32.041: SAA(1) tcpConnect operation: Timeout
> > Mar 4 00:53:32.041: SAA(1) Scheduler: Updating result
> >
> > Mar 4 00:53:40.313: SAA(2) Scheduler: Starting an operation
> > Mar 4 00:53:40.313: SAA(2) CtrlMsg: Sending msg, ver=1, id=107, len=52,
> > cmd=3, ip=5.5.3.3, port=20, duration=5000ms <---------- ftp
> > Mar 4 00:53:40.337: SAA(2) CtrlMsg: Receive status = 0
> > Mar 4 00:53:40.337: SAA(2) tcpConnect operation: Sending tcp packet
> > Mar 4 00:53:40.349: SAA(2) tcpConnect operation: Timeout
> > Mar 4 00:53:40.349: SAA(2) Scheduler: Updating result
> > RACK5R1#u all
> > All possible debugging has been turned off
> >
> >
> >
> > RACK5R1#sho policy-map interface s0/0
> >
> > Serial0/0
> >
> > Service-policy output: TCP
> >
> > Class-map: TCP (match-all)
> > 14 packets, 640 bytes <---------------------------------------Match
> > 5 minute offered rate 0 bps, drop rate 0 bps
> > Match: access-group name TCP
> > police:
> > cir 512000 bps, bc 16000 bytes
> > conformed 14 packets, 640 bytes; actions:
> > transmit
> > exceeded 0 packets, 0 bytes; actions:
> > drop
> > conformed 0 bps, exceed 0 bps
> >
> > Service-policy : FTP
> >
> > Class-map: FTP (match-all)
> > 0 packets, 0 bytes <--------------------------------------No Match
> > 5 minute offered rate 0 bps, drop rate 0 bps
> > Match: access-group name FTP
> > police:
> > cir 128000 bps, bc 4000 bytes
> > conformed 0 packets, 0 bytes; actions:
> > transmit
> > exceeded 0 packets, 0 bytes; actions:
> > drop
> > conformed 0 bps, exceed 0 bps
> >
> > Class-map: class-default (match-any)
> > 14 packets, 640 bytes
> > 5 minute offered rate 0 bps, drop rate 0 bps
> > Match: any
> >
> > Class-map: class-default (match-any)
> > 580 packets, 32850 bytes
> > 5 minute offered rate 0 bps, drop rate 0 bps
> > Match: any
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Ivan Kuchin (mail to: ivan@iip.net)
> NOC iip.net
> 137-31-04
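
Added example, not part of the original thread and not router code: a small Python model of the classification behaviour discussed above, comparing the original nested policy with the working one. It assumes first-match class selection and that a child policy only sees packets that matched its parent class; the 5.5.9.1 destination is a constructed address.

```python
# Simplified model of MQC classification (added example, not router code).
# Assumptions: the first matching class wins, and a child policy only sees
# packets that already matched the parent class it is attached to.
from collections import Counter
from ipaddress import ip_address, ip_network

def acl(*entries):
    """Each entry is (destination prefix, set of TCP dst ports or None for any)."""
    return [(ip_network(net), ports) for net, ports in entries]

def acl_match(rules, pkt):
    dst, port = pkt
    return any(ip_address(dst) in net and (ports is None or port in ports)
               for net, ports in rules)

def classify(policy, pkt, prefix=""):
    """Return the class counters (parent first) that this packet increments."""
    for name, rules, child in policy:
        if rules is None or acl_match(rules, pkt):      # rules None = class-default
            hit = prefix + name
            return [hit] + (classify(child, pkt, hit + "/") if child else [])
    return []

def counters(policy, packets):
    hits = Counter()
    for pkt in packets:
        hits.update(classify(policy, pkt))
    return hits

ANY, HOST = "0.0.0.0/0", "5.5.3.3/32"
# Policy from the quoted question: parent class TCP (www only) with child FTP.
ORIGINAL = [
    ("TCP", acl(("5.5.9.0/24", {80})), [
        ("FTP", acl((ANY, {20, 21})), None),
        ("class-default", None, None)]),
    ("class-default", None, None),
]
# Working policy from the follow-up: parent class-default, child TCP-TRAFFIC.
FIXED = [
    ("class-default", None, [
        ("TCP-FTP", acl((HOST, {20, 21})), None),
        ("TCP-WWW", acl((HOST, {80})), None),
        ("TCP-FULL", acl((HOST, None)), None),
        ("class-default", None, None)]),
]
# Constructed traffic: the four tcpConnect probe ports, plus one www packet
# to a constructed host in 5.5.9.0/24 so the original parent class matches.
PROBES = [("5.5.3.3", port) for port in (20, 21, 80, 443)]
ORIGINAL_HITS = counters(ORIGINAL, PROBES + [("5.5.9.1", 80)])
FIXED_HITS = counters(FIXED, PROBES)
```

In the model the original child class FTP stays at zero while TCP/class-default counts the www packet, and the working policy splits the four probes 2:1:1 across TCP-FTP, TCP-WWW and TCP-FULL, the same ratio as the 16/8/8 packet counters in the output above.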
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:59 GMT-3