Using NBAR - Policing method

ddinh · ‎01-25-2002

Router(config-pmap)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop

In this example, what does the numbers "1000000 31250 31250" correlate with? Is it correlating with the string matching?

I got it from url: http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#1

The url shows two string matching:

#match protocol http url "*cmd.exe*

#match protocol http url "*root.exe*"

I want to use:

class-map match-any http-hacks

match protocol http url "*default.ida*"

match protocol http url "*x.ida*"

match protocol http url "*.ida*"

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

match protocol http url "*readme.eml*"

ciscomoderator · ‎02-01-2002

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

mhussein · ‎02-04-2002

These numbers refer to "average rate", "normal burst size", and "excess burst size" respectively.

More information here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt4/qcfpolsh.htm#xtocid9

and,

http://www.cisco.com/warp/public/105/carburstvalues.html

Hope that helped,

Mustafa Hussein

LAN/WAN Specialist

Comark, Inc.