Netflow and QoS Policing

From: Swap (ccie77@gmail.com)
Date: Sun Feb 01 2009 - 07:14:46 ARST


Guys,

 

We are using policing (using the Modular QoS CLI) and Netflow on Cisco 6500
(SUP720, PFC3B, MSFC3) for some specific traffic. We are getting
inconsistent data in netflow software. I expect the netflow graphs not to
cross the policed CIR but it is not happening. For example, on a 1-minute scale,
the bandwidth goes to 42 Mbps while the policed CIR is 12.5 Mbps. The
ingress/egress interfaces are shared by other traffic which is not
subjected to QoS.

 

What is the order of operation for MQC QoS and NetFlow? I have seen the
order on Cisco and Joe Harris's 6200networks.com but it's not very clear.

 

What is the best way of doing this? How are others doing this, especially in
a service provider environment?

 

-------------------------

Sample config-

 

interface Vlan100
** THIS IS INCOMING SVI FOR LOCAL TRAFFIC **
 ip address X X
 ip route-cache flow
 ip route-cache policy
 ip policy route-map XX
 load-interval 30
 standby 3 ip X
 standby 3 priority 120
 standby 3 preempt
 service-policy input BANDWIDTH_IN_2
 service-policy output BANDWIDTH_OUT_2

interface Vlan200
**THIS IS ISP CONNECTED, Default route via this SVI pointed to ISP gateway**
 ip address
 ip route-cache flow
 ip route-cache policy
 load-interval 30
 no mop enabled
 standby 10 ip X
 standby 10 priority 120
 standby 10 preempt
 standby 10 name VPNHA
 crypto map pix
 crypto engine slot 7
 service-policy input BANDWIDTH_IN
 service-policy output BANDWIDTH_OUT

class-map match-all _ABC_WEB_OUT_2
  match access-group name _ABC_WEB_IN

class-map match-all _ABC_WEB_IN
  match access-group name _ABC_WEB_IN

class-map match-all _ABC_WEB_OUT
  match access-group name _ABC_WEB_OUT

class-map match-all _ABC_WEB_IN_2
  match access-group name _ABC_WEB_OUT
!
policy-map BANDWIDTH_IN
  class _ABC_WEB_IN
   police cir 12500000 bc 390625 be 390625 conform-action transmit exceed-action drop

policy-map BANDWIDTH_OUT_2
  class _ABC_WEB_OUT_2
   police cir 12500000 bc 390625 be 390625 conform-action transmit exceed-action drop

policy-map BANDWIDTH_IN_2
  class _ABC_WEB_IN_2
   police cir 12500000 bc 390625 be 390625 conform-action transmit exceed-action drop

policy-map BANDWIDTH_OUT
  class _ABC_WEB_OUT
   police cir 12500000 bc 390625 be 390625 conform-action transmit exceed-action drop

 

Access-lists are configured correctly to classify the traffic.

 

Netflow is configured correctly classifying layer2 switched and L3 routed
packets using NDE/mls.

 

---------------------------------

 

Regards

Swap

#19804




This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:09 ARST