the application of "full-flow" in microflow policing

Answered Question

we have two sites A and B. let us say IP ranges are 10/8 in A and 20/8 in B

I want to apply microflow policing on user/server port at site A, so that for this host at site A, let us say

1. allowe 1Mbps to host at site B

2. allowe 1Mbps to host at site B

basically the goal is to police EACH flow at 1Mbps to host range 20.x.x.x. NOT to police ALL flows at 1mbps

should I use key word "full-flow". does it mean each flow is identified as source/dest IP?

access-list 101 permit ip any

class-map 1m-eachflow

match access-group 101

policy-map per-flow-map

class 1m-eachflow

police flow mask full-flow 1000000 conform-action transmit exceed-action drop

interface range g1/1 -48

service-policy input per-flow-map

so will this work with "full-flow" keyword?

I have this problem too.
0 votes
Correct Answer by Edison Ortiz about 7 years 9 months ago


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Edison Ortiz Tue, 04/07/2009 - 11:09

In theory, that's how micro-flow policing works. With that said, what type of hardware this configuration is going to be implemented and IOS version?



Edison Ortiz Tue, 04/07/2009 - 11:38

Be aware, when applying policers to a physical port in the 6500, you may run out of agg-ids. Best practice is to use vlan-based QoS but the drawback is that the policy must be the aggregated value of all participating ports.

For information on agg-ids issue, see this technote:




Edison Ortiz Wed, 04/08/2009 - 05:38

The error is misleading. It consumes agg-ids on any QoS applied to the physical port.

You can do a quick test and apply your configuration on 48 ports and then type the command:

show mls qos ip

and look under the Agg-ID column. Once you reach 1023, you are out of luck.




This Discussion