Policing not working

May 28th, 2008

I want to implement LLQ for my users. I want a specific user, when trying to access specific subnets, to get only 8 KBps. I have a Cisco 2821 router with two FE ports.

I have made the following configuration but am still not able to restrict the user to 8 KBps; when the user tries to download from a remote computer, no policing or LLQ comes into action.

Below is the configuration that I made on the router.

class-map match-all testclass

match access-group 150

!

!

policy-map testpolicy

class testclass

police cir 8000 bc 1000 be 1000

conform-action transmit

exceed-action drop

violate-action drop

interface FastEthernet0/0

ip address 10.1.3.1 255.255.255.0

ip nat outside

ip virtual-reassembly

load-interval 30

duplex auto

speed auto

service-policy input testpolicy

!

interface FastEthernet0/1

ip address 10.1.4.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.3.2

!

!

ip http server

no ip http secure-server

ip nat inside source list 100 interface FastEthernet0/0 overload

!

access-list 100 permit ip any any

access-list 150 permit ip host 10.1.4.3 any

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

login

!

scheduler allocate 20000 1000

!

end

Router-C#

Router-C#wr me

Building configuration...

[OK]

Router-C#show int

Router-C#show poli

Router-C#show policy-map inte

Router-C#show policy-map interface fas

Router-C#show policy-map interface fastEthernet 0/0

FastEthernet0/0

Service-policy input: testpolicy

Class-map: testclass (match-all)

14 packets, 1605 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: access-group 150

police:

cir 8000 bps, bc 1000 bytes, be 1000 bytes

conformed 1 packets, 243 bytes; actions:

transmit

exceeded 0 packets, 0 bytes; actions:

drop

violated 0 packets, 0 bytes; actions:

drop

conformed 0 bps, exceed 0 bps, violate 0 bps

Class-map: class-default (match-any)

315852 packets, 461648032 bytes

30 second offered rate 2000 bps, drop rate 0 bps

Match: any

Router-C#show int

Router-C#show interfaces fas

Router-C#show interfaces fastEthernet 0/0

FastEthernet0/0 is up, line protocol is up

Hardware is MV96340 Ethernet, address is 001d.a16c.9b70 (bia 001d.a16c.9b70)

Internet address is 10.1.3.1/24

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:27, output 00:00:03, output hang never

Last clearing of "show interface" counters 00:16:00

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

30 second input rate 0 bits/sec, 0 packets/sec

30 second output rate 0 bits/sec, 0 packets/sec

315916 packets input, 461657577 bytes

Received 461 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

167296 packets output, 11153399 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

michael.leblanc Wed, 05/28/2008 - 13:34

You have a directional issue.

access-list 150 permit ip host 10.1.4.3 any

... matches packets where 10.1.4.3 is the "source" ip address.

A host with this address would reside on the FastEthernet0/1 side of the router, NOT the FastEthernet0/0 side of the router where you have applied input service-policy (service-policy input testpolicy).

Apply the "input" policy to FastEthernet0/1, or reverse your ACE if you want the policy to be applied to FastEthernet0/0.

e.g.:

access-list 150 permit ip any host 10.1.4.3

Change one or the other, but not both.
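Added example (not part of the original thread or any Cisco tool): a small Python check of the directional rule described in the reply above, which decides whether an ACE can match packets crossing an interface in a given direction. The route table is constructed from the posted configuration, the function names are hypothetical, only the `any` and `host` address forms are parsed, and NAT rewriting is ignored.

```python
import ipaddress

# Constructed from the posted config: connected subnets plus the default route.
ROUTES = [
    (ipaddress.ip_network("10.1.3.0/24"), "FastEthernet0/0"),
    (ipaddress.ip_network("10.1.4.0/24"), "FastEthernet0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "FastEthernet0/0"),  # via 10.1.3.2
]

def parse_ace(line):
    """Return (src, dst) from 'access-list N permit ip <src> <dst>'.
    'any' becomes None, 'host A.B.C.D' becomes a /32 network."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    nets, i = [], 4
    for _ in range(2):
        if i < len(tok) and tok[i] == "any":
            nets.append(None)
            i += 1
        elif i + 1 < len(tok) and tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
            i += 2
        else:
            raise ValueError(f"unsupported address form in: {line!r}")
    return tuple(nets)

def side_of(net):
    """Interface behind which `net` lives (longest-prefix match); None for 'any'."""
    if net is None:
        return None
    hits = [(route.prefixlen, ifname) for route, ifname in ROUTES
            if net.subnet_of(route)]
    return max(hits)[1]

def can_match(ace, ifname, direction):
    """True if packets crossing `ifname` in `direction` can satisfy `ace`."""
    src, dst = (side_of(n) for n in parse_ace(ace))
    if direction == "output":  # output is the mirror image of input
        src, dst = dst, src
    # Inbound packets come from hosts behind this interface and are headed
    # for hosts that are not behind it.
    return src in (None, ifname) and dst != ifname

if __name__ == "__main__":
    original = "access-list 150 permit ip host 10.1.4.3 any"
    reversed_ace = "access-list 150 permit ip any host 10.1.4.3"
    for ace, ifname in [(original, "FastEthernet0/0"), (original, "FastEthernet0/1"),
                        (reversed_ace, "FastEthernet0/0"), (reversed_ace, "FastEthernet0/1")]:
        print(f"{ace!r} input on {ifname}: {can_match(ace, ifname, 'input')}")
```

The last combination (reversed ACE and moved policy) fails again, which is the "one or the other, but not both" case.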

wasiimcisco Wed, 05/28/2008 - 14:16

Thanks for the reply. I will change it in the morning and then let you know the effect. One more thing, please tell me: I am using an Ethernet interface, and Ethernet has a bandwidth of 100 Mbps. Is there any need to change the bandwidth to the actual bandwidth, like 2 MB or 3 MB, that I will get from my service provider?

Because the router will assign bandwidth by looking at the interface's actual bandwidth. Am I right or

michael.leblanc Wed, 05/28/2008 - 15:00

The interface "bandwidth" command is used for setting routing metrics on the interface.

The policy-map "bandwidth" command used in queueing can reference a specific bandwidth, or a percentage of "available bandwidth".

I find the term "available bandwidth" to be too ambiguous. I'd stick to setting specific bandwidth requirements rather than percentages.

wasiimcisco Thu, 05/29/2008 - 05:33

Thanks for the reply. I configured the policing by modifying the access-list and now it is working fine for me.

But LLQ is not working for me in the same setup.

I want user 10.1.4.5 to always get 74990 and the other user to get 8 kbps.

I want reservation via LLQ. I configured the commands below on the router but am not able to get the desired result.

version 12.4

!

!

class-map match-all testclass2

match access-group 160

class-map match-all testclass

match access-group 150

!

!

policy-map testpolicy

class testclass

priority 8

class testclass2

priority 74990

!

!

interface FastEthernet0/0

bandwidth 8000

ip address 10.1.3.1 255.255.255.0

ip nat outside

ip virtual-reassembly

load-interval 30

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 10.1.4.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.3.2

!

ip nat inside source list 100 interface FastEthernet0/0 overload

!

access-list 150 permit ip host 10.1.4.3 any

access-list 160 permit ip host 10.1.4.5 any

Router-C#show policy-map interface fastEthernet 0/0

FastEthernet0/0

Service-policy output: testpolicy

Class-map: testclass (match-all)

91678 packets, 5680284 bytes

30 second offered rate 698000 bps, drop rate 0 bps

Match: access-group 150

Queueing

Strict Priority

Output Queue: Conversation 264

Bandwidth 8 (kbps) Burst 200 (Bytes)

(pkts matched/bytes matched) 9/612

(total drops/bytes drops) 0/0

Class-map: testclass2 (match-all)

144133 packets, 8696430 bytes

30 second offered rate 898000 bps, drop rate 0 bps

Match: access-group 160

Queueing

Strict Priority

Output Queue: Conversation 264

Bandwidth 5990 (kbps) Burst 149750 (Bytes)

(pkts matched/bytes matched) 22/1251

(total drops/bytes drops) 0/0

Class-map: class-default (match-any)

27 packets, 2235 bytes

30 second offered rate 0 bps, drop rate 0 bps

michael.leblanc Thu, 05/29/2008 - 07:42

If you factor your desired rate 74990 (kbps) by 0.8 (due to the "bandwidth 8000" (kbps) command on your FastEthernet0/0 interface), you will get 5990 (kbps).

This is the value confirmed by your "show policy-map interface fastEthernet 0/0" output:

Class-map: testclass2 (match-all)

144133 packets, 8696430 bytes

30 second offered rate 898000 bps, drop rate 0 bps

Match: access-group 160

Queueing

Strict Priority

Output Queue: Conversation 264

Bandwidth 5990 (kbps) Burst 149750 (Bytes)

(pkts matched/bytes matched) 22/1251

(total drops/bytes drops) 0/0

The output also confirms that you are matching packets.

If you were to set the interface bandwidth command to 10000, you should be able to set the queue bandwidth to the desired 74990 (kbps), but obviously you have set the interface bandwidth to 8000 for a reason.

wasiimcisco Thu, 05/29/2008 - 10:21

I didn't get what you are saying. Kindly see my fresh configuration. I want to put a restriction on the user for a certain bandwidth, but the user is still able to get bandwidth in MB.

Building configuration...

*May 29 15:25:44.768: %SYS-5-CONFIG_I: Configured from console by console

Current configuration : 1247 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router-C

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

ip subnet-zero

!

!

ip cef

no ip dhcp use vrf connected

!

ip dhcp pool users

network 10.1.4.0 255.255.255.0

default-router 10.1.4.1

!

!

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

class-map match-all testclass2

match access-group 160

class-map match-all testclass

match access-group 150

!

!

policy-map testpolicy

class testclass

priority 8

class testclass2

priority 5990

class class-default

fair-queue

!

!

!

!

!

!

interface FastEthernet0/0

ip address 10.1.3.1 255.255.255.0

duplex auto

speed auto

service-policy output testpolicy

!

interface FastEthernet0/1

ip address 10.1.4.1 255.255.255.0

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.3.2

!

!

ip http server

no ip http secure-server

ip nat inside source list 100 interface FastEthernet0/0 overload

!

access-list 150 permit ip host 10.1.4.3 any

access-list 160 permit ip host 10.1.4.5 any

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

login

!

scheduler allocate 20000 1000

!

end

Router-C#
