Re: Nested Policy

From: Alexei Monastyrnyi (alexeim@orcsoftware.com)
Date: Thu Apr 27 2006 - 06:06:07 GMT-3


but your goals have been changed... or you haven't achieved previous
ones....
"I have a question on nested policy. Example rate-limit FTP to 128K and
TCP to 512K"

"bandwidth" in your policy-map will never rate-limit but rather guarantee
in times of congestion... IMO

A.

on 26/04/2006 22:28 ccie_for_sure@comcast.net wrote:
> Thanks Scott and to all who replied. I made some changes and it works great! Here is the config for those interested:
>
> ip cef
> !
> class-map match-all TCP-FTP
>  match access-group name FTP
> class-map match-all TCP-WWW
>  match access-group name TCP-WWW
> class-map match-all TCP-FULL
>  match access-group name TCP-FULL
> !
> !
> policy-map TCP-TRAFFIC
>  class TCP-FTP
>   bandwidth 128
>  class TCP-WWW
>   bandwidth 128
>  class TCP-FULL
>   police cir 256000
> policy-map default-tcp
>  class class-default
>   shape average 384000
>   fair-queue
>   service-policy TCP-TRAFFIC
> !
>
>
> sho access-lists
> Extended IP access list FTP
>     permit tcp any host 5.5.3.3 eq ftp (8 matches)
>     permit tcp any host 5.5.3.3 eq ftp-data (8 matches)
> Extended IP access list TCP-FULL
>     permit tcp any host 5.5.3.3 (8 matches)
> Extended IP access list TCP-WWW
>     permit tcp any host 5.5.3.3 eq www (8 matches)
>
> sho policy-map interface s0/0
>
>  Serial0/0
>
>   Service-policy output: default-tcp
>
>     Class-map: class-default (match-any)
>       246 packets, 14670 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
>       Traffic Shaping
>            Target/Average   Byte   Sustain   Excess    Interval  Increment
>              Rate           Limit  bits/int  bits/int  (ms)      (bytes)
>            384000/384000    2400   9600      9600      25        1200
>
>         Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
>         Active Depth                         Delayed   Delayed   Active
>         -      0         185       13816     0         0         no
>       Queueing
>         Flow Based Fair Queueing
>         Maximum Number of Hashed Queues 256
>         (total queued/total drops/no-buffer drops) 0/0/0
>
>       Service-policy : TCP-TRAFFIC
>
>         Class-map: TCP-FTP (match-all)
>           16 packets, 736 bytes
>           5 minute offered rate 0 bps, drop rate 0 bps
>           Match: access-group name FTP
>           Queueing
>             Output Queue: Conversation 41
>             Bandwidth 128 (kbps) Max Threshold 64 (packets)
>             (pkts matched/bytes matched) 0/0
>             (depth/total drops/no-buffer drops) 0/0/0
>
>         Class-map: TCP-WWW (match-all)
>           8 packets, 368 bytes
>           5 minute offered rate 0 bps, drop rate 0 bps
>           Match: access-group name TCP-WWW
>           Queueing
>             Output Queue: Conversation 42
>             Bandwidth 128 (kbps) Max Threshold 64 (packets)
>             (pkts matched/bytes matched) 0/0
>             (depth/total drops/no-buffer drops) 0/0/0
>
>         Class-map: TCP-FULL (match-all)
>           8 packets, 368 bytes
>           5 minute offered rate 0 bps, drop rate 0 bps
>           Match: access-group name TCP-FULL
>           police:
>             cir 256000 bps, bc 8000 bytes
>             conformed 8 packets, 368 bytes; actions:
>               transmit
>             exceeded 0 packets, 0 bytes; actions:
>               drop
>             conformed 0 bps, exceed 0 bps
>
>         Class-map: class-default (match-any)
>           214 packets, 13198 bytes
>           5 minute offered rate 0 bps, drop rate 0 bps
>           Match: any
>
>
>
> rtr 1
>  type tcpConnect dest-ipaddr 5.5.3.3 dest-port 20
>  timeout 10
> rtr schedule 1 start-time now
> rtr 2
>  type tcpConnect dest-ipaddr 5.5.3.3 dest-port 21
>  timeout 10
> rtr schedule 2 start-time now
> rtr 3
>  type tcpConnect dest-ipaddr 5.5.3.3 dest-port 80
>  timeout 10
> rtr schedule 3 start-time now
> rtr 4
>  type tcpConnect dest-ipaddr 5.5.3.3 dest-port 443
>  timeout 10
> rtr schedule 4 start-time now
>
> -------------- Original message ----------------------
> From: Ivan Kuchin <ivan@iip.net>
>
>> Policing config is ok. To be sure, you can see non-zero counters on Class-map:
>> class-default in service-policy FTP.
>> To be policed (and then handed to service-policy FTP) packets need to match
>> access-list TCP. Access-list TCP matches only packets with dst port 80 (www).
>> Then the packet is policed to 512000 bps. Then the packet goes into service-policy FTP.
>> Here it tries to match access-list FTP (dst port [21|20]). Attention !!! The packet
>> will never match this list because it has dst port 80 (it matched ACL TCP before).
>> Once the packet does not match class FTP it goes into class-map: class-default.
>>
>>
>>> I have a question on nested policy. Example rate-limit FTP to 128K and TCP
>>> to 512K.
>>>
>>> Since they are both TCP traffic I used a nested policy, but I only see TCP
>>> being hit and FTP child is ignored.
>>>
>>> Anyone have an idea on this?
>>>
>>> IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.2(13)T1
>>>
>>>
>>> Extended IP access list FTP
>>>     permit tcp any any eq ftp
>>>     permit tcp any any eq ftp-data
>>> Extended IP access list TCP
>>>     permit tcp any 5.5.9.0 0.0.0.255 eq www (224 matches)
>>>
>>>
>>> sho policy-map
>>>   Policy Map FTP
>>>     Class FTP
>>>      police cir 128000 bc 4000
>>>        conform-action transmit
>>>        exceed-action drop
>>>
>>>   Policy Map TCP
>>>     Class TCP
>>>      police cir 512000 bc 16000
>>>        conform-action transmit
>>>        exceed-action drop
>>>      service-policy FTP
>>>
>>>
>>> Mar 4 00:53:15.661: SAA(3) Scheduler: Starting an operation
>>> Mar 4 00:53:15.661: SAA(3) CtrlMsg: Sending msg, ver=1, id=105, len=52, cmd=3, ip=5.5.3.3, port=21, duration=5000ms   <---- ftp-data
>>> Mar 4 00:53:15.685: SAA(3) CtrlMsg: Receive status = 0
>>> Mar 4 00:53:15.685: SAA(3) tcpConnect operation: Sending tcp packet
>>> Mar 4 00:53:15.697: SAA(3) tcpConnect operation: Timeout
>>> Mar 4 00:53:15.697: SAA(3) Scheduler: Updating result
>>>
>>>
>>> Mar 4 00:53:32.001: SAA(1) Scheduler: Starting an operation
>>> Mar 4 00:53:32.001: SAA(1) CtrlMsg: Sending msg, ver=1, id=106, len=52, cmd=3, ip=5.5.4.4, port=80, duration=5000ms   <---- www
>>> Mar 4 00:53:32.025: SAA(1) CtrlMsg: Receive status = 0
>>> Mar 4 00:53:32.025: SAA(1) tcpConnect operation: Sending tcp packet
>>> Mar 4 00:53:32.041: SAA(1) tcpConnect operation: Timeout
>>> Mar 4 00:53:32.041: SAA(1) Scheduler: Updating result
>>>
>>> Mar 4 00:53:40.313: SAA(2) Scheduler: Starting an operation
>>> Mar 4 00:53:40.313: SAA(2) CtrlMsg: Sending msg, ver=1, id=107, len=52, cmd=3, ip=5.5.3.3, port=20, duration=5000ms   <---- ftp
>>> Mar 4 00:53:40.337: SAA(2) CtrlMsg: Receive status = 0
>>> Mar 4 00:53:40.337: SAA(2) tcpConnect operation: Sending tcp packet
>>> Mar 4 00:53:40.349: SAA(2) tcpConnect operation: Timeout
>>> Mar 4 00:53:40.349: SAA(2) Scheduler: Updating result
>>> RACK5R1#u all
>>> All possible debugging has been turned off
>>>
>>>
>>>
>>> RACK5R1#sho policy-map interface s0/0
>>>
>>>  Serial0/0
>>>
>>>   Service-policy output: TCP
>>>
>>>     Class-map: TCP (match-all)
>>>       14 packets, 640 bytes                       <---- Match
>>>       5 minute offered rate 0 bps, drop rate 0 bps
>>>       Match: access-group name TCP
>>>       police:
>>>         cir 512000 bps, bc 16000 bytes
>>>         conformed 14 packets, 640 bytes; actions:
>>>           transmit
>>>         exceeded 0 packets, 0 bytes; actions:
>>>           drop
>>>         conformed 0 bps, exceed 0 bps
>>>
>>>       Service-policy : FTP
>>>
>>>         Class-map: FTP (match-all)
>>>           0 packets, 0 bytes                      <---- No Match
>>>           5 minute offered rate 0 bps, drop rate 0 bps
>>>           Match: access-group name FTP
>>>           police:
>>>             cir 128000 bps, bc 4000 bytes
>>>             conformed 0 packets, 0 bytes; actions:
>>>               transmit
>>>             exceeded 0 packets, 0 bytes; actions:
>>>               drop
>>>             conformed 0 bps, exceed 0 bps
>>>
>>>         Class-map: class-default (match-any)
>>>           14 packets, 640 bytes
>>>           5 minute offered rate 0 bps, drop rate 0 bps
>>>           Match: any
>>>
>>>     Class-map: class-default (match-any)
>>>       580 packets, 32850 bytes
>>>       5 minute offered rate 0 bps, drop rate 0 bps
>>>       Match: any
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>> --
>> iWAN kU^IN (mail to: ivan@iip.net)
>> NOC iip.net
>> 137-31-04
>>
>>
>
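A worked model of the classification behaviour discussed in this thread, added here as an example; it is not code from the thread or from Cisco IOS. It is a small Python simulation of MQC hierarchical policy evaluation. The first policy pair reproduces the original post, where the parent ACL TCP only passes www traffic, so the nested FTP class can never count a packet. The second is an assumed pairing for the stated goal (FTP limited to 128K inside a 512K TCP limit) that polices in both parent and child, because, as Alexei notes, "bandwidth" only guarantees a share under congestion and never drops. Assumptions: classification on destination address and port only, "police" as a single-rate two-colour token bucket that starts full, "bandwidth"/"shape" not modelled, and the parent class action applied before the child policy (the order IOS uses is not shown in the thread). The policy names, the 5.5.9.1 source of the www probes and the burst sizes are constructed for the demo.

```python
"""Toy model of Cisco MQC hierarchical (nested) policy evaluation.
Added example, not code from the thread or from Cisco.  Assumes: classification on
destination address/port only; 'police' = single-rate two-colour token bucket that
starts full; bandwidth/shape not modelled (they queue, not drop); parent acts first."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    size: int        # bytes
    t: float = 0.0   # arrival time in seconds


class Acl:
    """Extended ACL: permit entries (dst network, set of dst ports or None = any)."""
    def __init__(self, entries):
        self.entries = [(ip_network(net), ports) for net, ports in entries]

    def permits(self, pkt: Packet) -> bool:
        addr = ip_address(pkt.dst_ip)
        return any(addr in net and (ports is None or pkt.dst_port in ports)
                   for net, ports in self.entries)


class Policer:
    """'police cir <bps> bc <bytes>' with conform-action transmit / exceed-action drop."""
    def __init__(self, cir_bps: int, bc_bytes: int):
        self.cir, self.bc, self.tokens, self.last = cir_bps, bc_bytes, float(bc_bytes), 0.0

    def admit(self, pkt: Packet) -> bool:
        # Refill at cir (bits/s -> bytes/s), capped at bc; the bucket starts full.
        self.tokens = min(self.bc, self.tokens + (pkt.t - self.last) * self.cir / 8)
        self.last = pkt.t
        if pkt.size > self.tokens:
            return False              # exceed -> drop
        self.tokens -= pkt.size
        return True                   # conform -> transmit


@dataclass
class TrafficClass:
    name: str
    acl: Optional[Acl]                # None = class-default (match any)
    policer: Optional[Policer] = None
    child: Optional[Policy] = None    # nested service-policy
    packets: int = 0
    exceeded: int = 0


class Policy:
    """Ordered classes plus the implicit class-default, as in IOS."""
    def __init__(self, classes):
        self.classes = list(classes) + [TrafficClass("class-default", None)]

    def apply(self, pkt: Packet) -> bool:
        """First matching class wins; returns True if the packet is transmitted."""
        for cls in self.classes:
            if cls.acl is not None and not cls.acl.permits(pkt):
                continue
            cls.packets += 1
            if cls.policer is not None and not cls.policer.admit(pkt):
                cls.exceeded += 1
                return False
            # A child policy only ever sees packets that matched this parent class.
            return cls.child.apply(pkt) if cls.child else True
        return True

    def counters(self) -> dict:
        return {c.name: c.packets for c in self.classes}


def original_post():
    """Parent ACL TCP permits only www to 5.5.9.0/24; child policy FTP matches 20/21."""
    child = Policy([TrafficClass("FTP", Acl([("0.0.0.0/0", {20, 21})]), Policer(128000, 4000))])
    parent = Policy([TrafficClass("TCP", Acl([("5.5.9.0/24", {80})]), Policer(512000, 16000), child)])
    return parent, child


def rate_limited_nesting():
    """Assumed fix (not posted in the thread): parent matches all TCP to the host and
    polices at 512K; child polices FTP at 128K.  'bandwidth' here would drop nothing."""
    child = Policy([TrafficClass("TCP-FTP", Acl([("5.5.3.3/32", {20, 21})]), Policer(128000, 4000))])
    parent = Policy([TrafficClass("TCP-FULL", Acl([("5.5.3.3/32", None)]), Policer(512000, 16000), child)])
    return parent, child


def demo() -> dict:
    # Constructed traffic: 14 www probes, 8 ftp probes, then a 20 x 1000-byte FTP burst at t=0.
    www = [Packet("5.5.9.1", 80, 40) for _ in range(14)]
    ftp = [Packet("5.5.3.3", 21, 40) for _ in range(8)]
    burst = [Packet("5.5.3.3", 20, 1000) for _ in range(20)]

    parent, child = original_post()
    for p in www + ftp:
        parent.apply(p)
    broken = {"parent": parent.counters(), "child": child.counters()}

    parent, child = rate_limited_nesting()
    sent = sum(parent.apply(p) for p in burst)
    fixed = {"transmitted": sent, "parent": parent.counters(), "child": child.counters(),
             "parent_exceeded": parent.classes[0].exceeded,
             "child_exceeded": child.classes[0].exceeded}
    return {"broken": broken, "fixed": fixed}
```

Running demo() on the constructed traffic gives parent TCP 14 / child FTP 0 / child class-default 14 for the original nesting, the same shape as the counters in the quoted show output, and the 8 ftp probes land in the parent's class-default because they never match ACL TCP at all. For the policed pairing, a 20 x 1000-byte burst at t=0 gets 16 packets past the 512K/16000-byte parent bucket and only 4 past the 128K/4000-byte child bucket; replacing the child policer with a bandwidth statement would transmit all 16.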



This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:59 GMT-3