Control plane or QoS

Unanswered Question
May 28th, 2010


If a router is totally maxed out on the outside interface, I'm able to telnet but the cli is choppy at times. Is creating a control-plane policy the best way to handle incoming telnet traffic? I've never done one of these before....



Fri, 05/28/2010 - 07:34

Hey John,

In this situation (happened all the time to me in the past), you need to use CBWFQ to create a class called Mgt Class. And then assign telnet, SSH, NTP, etc. to that class so that any management traffic can be protected during periods of high bandwidth utilization.

Most of the transit traffic is CEF switched so there should not be any high CPU utilization.

John Blakley Fri, 05/28/2010 - 07:38

Thanks Kevin. Where would you apply this? I can't apply it as inbound because it won't let me do it when I'm matching on an acl....


John Blakley Fri, 05/28/2010 - 08:05

Okay, so here's what I did that seemed to work.

I created an inbound service policy that marked telnet traffic to dscp af31.

I applied that to s0/0/0

Then I created an outbound service policy that matched on af31 and gave it 2% of bandwidth.

I applied this outbound to fa0/0

Seemed to speed up things quite a bit....



John Blakley Fri, 05/28/2010 - 08:19

Unfortunately, I think it was just coincidental that the packages that were being pushed were paused. I'm back to square one now that they're starting to use the bandwidth again. Any other suggestions?

Fri, 05/28/2010 - 08:31


You can only police input traffic and not queue input traffic.  Here are the commands you should use.

class-map match-any mgt
 match protocol telnet

policy-map ingress-wan
 class mgt
  police cir percent 5

interface Serial1/0
 service-policy input ingress-wan

John Blakley Fri, 05/28/2010 - 08:46


I'm still getting very choppy response. Here's what I have:

class-map match-all MANAGEMENT
match access-group 123

Extended IP access list 123
    10 permit tcp any any eq telnet (2703 matches)

policy-map S_INBOUND
 class MANAGEMENT
   police cir 256000
     conform-action transmit
     exceed-action transmit

Service-policy input: S_INBOUND

    Class-map: MANAGEMENT (match-all)
      2588 packets, 170169 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
          cir 256000 bps, bc 8000 bytes
        conformed 1042 packets, 47346 bytes; actions:
        exceeded 0 packets, 0 bytes; actions:
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      287636 packets, 269795265 bytes
      5 minute offered rate 1319000 bps, drop rate 0 bps
      Match: any

It's matching, but it's not doing anything. I've also tried 5 and 10%. It's not "unusable" so to speak, just choppy, and I would think that it would speed up even if the bandwidth is used up.
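An added example, not part of the thread and not Cisco code: a simplified Python model of a single-rate token-bucket policer, run with the cir 256000 / bc 8000 values and the 1319000 bps class-default offered rate from the show output above. It shows why the counters read "exceeded 0" for telnet, and that with both actions set to transmit the policer forwards every packet unchanged, whatever the load. The 20 kbit/s telnet rate, the packet sizes and the 10-second window are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policer:
    """Simplified single-rate, two-colour token-bucket policer (model, not IOS code)."""
    cir_bps: int                      # committed information rate, bits/s
    bc_bytes: int                     # committed burst = bucket depth, bytes
    conform_action: str = "transmit"
    exceed_action: str = "drop"
    stats: dict = field(default_factory=lambda: dict(
        conformed=0, exceeded=0, transmitted=0, dropped=0))

    def __post_init__(self):
        self.tokens = float(self.bc_bytes)   # bucket starts full
        self.last = 0.0

    def offer(self, t, size):
        """Classify one packet of `size` bytes arriving at time `t` seconds."""
        refill = (t - self.last) * self.cir_bps / 8
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            verdict, action = "conformed", self.conform_action
        else:
            verdict, action = "exceeded", self.exceed_action
        self.stats[verdict] += 1
        self.stats["transmitted" if action == "transmit" else "dropped"] += 1
        return action

def run(policer, rate_bps, pkt_bytes, seconds):
    """Offer constant-rate, fixed-size packets and return the policer counters."""
    interval = pkt_bytes * 8 / rate_bps
    for i in range(int(seconds / interval)):
        policer.offer(i * interval, pkt_bytes)
    return policer.stats

def posted_policy():
    # cir/bc from the show output above; both actions transmit, as posted
    return Policer(256000, 8000, "transmit", "transmit")

if __name__ == "__main__":
    # Constructed input: a 20 kbit/s telnet session of 64-byte packets
    print("telnet      ", run(posted_policy(), 20000, 64, 10))
    # 1319000 bit/s is the class-default offered rate in the show output
    print("bulk, posted", run(posted_policy(), 1319000, 1000, 10))
    print("bulk, drop  ", run(Policer(256000, 8000), 1319000, 1000, 10))
```

A policer only marks packets as conforming or exceeding and applies the configured action to each; it never reorders packets or moves the telnet class ahead of other traffic that has already arrived on the link.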



