
Policing Traffic Does Not Work

Unanswered Question
Jul 16th, 2012

Hi,


I'm trying to use QoS to police traffic where a certain host should not go above 5Mbps at any time, and if the traffic is exceeded it should be dropped.


I have been trying to play around with the below, but the host machine can still access the full bandwidth.


class-map laptop
 match access-list laptop_acl

access-list laptop_acl extended permit ip host 192.168.3.10 any

policy-map laptop_sp
 class laptop
  police input 5000000
  police output 5000000

service-policy laptop_sp interface outside

Julio Carvajal Mon, 07/16/2012 - 11:38

Hello John,


Try it like this


policy-map laptop_sp
 class laptop
  police output 50000 conform-action transmit exceed-action drop
  police input 50000 conform-action transmit exceed-action drop


Afterwards do a clear local-host 192.168.3.10


Regards,


Julio


CSC is a free support community, rate all the posts of our team,

John Peterson Mon, 07/16/2012 - 13:18

Hi Julio,


Thank you.


The above seems to rate the traffic, but for some reason when I do a speed test the traffic gets policed, but after a while of testing I am unable to connect to the internet and connect to the firewall via SSH. All network access seems to have stopped; I have to reload the firewall to get access back?

Julio Carvajal Mon, 07/16/2012 - 14:29

Hello John,


Of course that should rate it!


Now, why you became unable to connect to the internet or even the ASA, that is completely different.


On the ACL you have there you are only including one PC, correct?


Are you able to ping the ASA after you get disconnected?


Regards,


Rate the helpful posts

John Peterson Mon, 07/16/2012 - 22:21

Hi,


No, not able to ping the ASA.


For some reason, after the police is applied and when going through a speed test, you can see the ASA policing the traffic, but during the policing the speed test hangs there and network traffic grinds to a halt.


It's like the ASA has somehow stopped the host from transmitting any data because it has gone past the police rate or tried to burst.



John Peterson Wed, 07/18/2012 - 01:28

Hi,


I've added those commands, but when I do a:


firewall(config-pmap-c)# show service-policy police

Interface inside:
  Service-policy: speed_limit
    Class-map: rate_limit
      Input police Interface inside:
        cir 3670000 bps, bc 114687 bytes
        conformed 36029 packets, 21519175 bytes; actions:  drop
        exceeded 536 packets, 752429 bytes; actions:  drop
        conformed 117104 bps, exceed 392 bps
      Output police Interface inside:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

Interface outside:
  Service-policy: speed_limit
    Class-map: rate_limit
      Input police Interface VM:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
      Output police Interface VM:
        cir 3670000 bps, bc 114687 bytes
        conformed 5097 packets, 1544222 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 17264 bps, exceed 0 bps



I used the 'conform-action transmit exceed-action drop' but the conformed packets show drop when it should show transmit.

Ramraj Sivagnan... Thu, 07/19/2012 - 19:44

Hi Bro

If you need me to help you, I need you to paste your complete show running-config here. This is because your show service-policy police output doesn't match the commands you've typed.


Shown below is exactly what I've done in my lab using Cisco ASA 5510 v8.0.2, and the output is good. I don't think the problem that you're having is a software bug. I believe you've typed in the wrong parameters in your show running-config :-)


!
access-list laptop_acl extended permit ip host 192.168.3.10 any
!
class-map rate_limit
 match access-list laptop_acl
!
policy-map speed_limit
 class rate_limit
  police output 3670000 114687 conform-action transmit exceed-action drop
  police input 3670000 114687 conform-action transmit exceed-action drop
!
service-policy speed_limit interface dmz
!



FW01# show service-policy police

Interface dmz:
  Service-policy: speed_limit
    Class-map: rate_limit
      Input police Interface dmz:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  trasnmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
      Output police Interface dmz:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  trasnmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps



P/S: Personally, I believe you've used the keyword "drop" in the 'conform-action drop exceed-action drop', but I stand corrected

      




Note: If you think my comment is useful, please do rate them nicely :-)
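
An added example, not written by anyone in this thread: a small Python check that parses `show service-policy police` output in the format quoted above and flags any policer whose reported conform action is "drop", the symptom under discussion. The function names and the sample text are constructed for illustration; the sample reuses counter lines from the posts, including the "trasnmit" spelling as it appears in the posted output.

```python
import re

# Constructed sample in the format of the `show service-policy police`
# output quoted in this thread ("trasnmit" is spelled as in the post).
SAMPLE = """\
Interface inside:
  Service-policy: speed_limit
    Class-map: rate_limit
      Input police Interface inside:
        cir 3670000 bps, bc 114687 bytes
        conformed 36029 packets, 21519175 bytes; actions:  drop
        exceeded 536 packets, 752429 bytes; actions:  drop
        conformed 117104 bps, exceed 392 bps
Interface dmz:
  Service-policy: speed_limit
    Class-map: rate_limit
      Output police Interface dmz:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  trasnmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
"""

HEADER = re.compile(r"^\s*(Input|Output) police Interface (\S+):")
RATE = re.compile(r"^\s*cir (\d+) bps, bc (\d+) bytes")
COUNT = re.compile(r"^\s*(conformed|exceeded) (\d+) packets, (\d+) bytes; actions:\s+(\S+)")


def parse_policers(text):
    """Return one dict per Input/Output policer found in the output."""
    policers, current, class_map = [], None, None
    for line in text.splitlines():
        if line.strip().startswith("Class-map:"):
            class_map = line.split(":", 1)[1].strip()
        elif m := HEADER.match(line):
            current = {"class": class_map, "direction": m[1].lower(), "interface": m[2]}
            policers.append(current)
        elif current is not None and (m := RATE.match(line)):
            current["cir_bps"], current["bc_bytes"] = int(m[1]), int(m[2])
        elif current is not None and (m := COUNT.match(line)):
            current[m[1] + "_packets"] = int(m[2])
            current[m[1] + "_action"] = m[4]
    return policers


def suspicious(policers):
    """Policers whose reported conform action is drop (in-profile traffic discarded)."""
    return [p for p in policers if p.get("conformed_action") == "drop"]
```

The check reports only what the device prints; whether a "drop" on the conformed line reflects the configured action or only the display has to be confirmed against the running configuration.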

Nelson Minica Wed, 01/23/2013 - 15:02

trasnmit? I wonder, did you misspell that or did Cisco? On my 8.2(1) it says conformed...drop in the show service-policy even though I told it transmit, and it appears transmit is the default since the config prunes that. It's not working anyway; it appears buggy. I think I need to upgrade...
