Policing Traffic Does Not Work

John Peterson
Level 1

Hi,

I'm trying to use QoS to police traffic where a certain host should not go above 5 Mbps at any time, and if the traffic is exceeded it should be dropped.

I have been trying to play around with the below, but the host machine can still access the full bandwidth.

class-map laptop
 match access-list laptop_acl

access-list laptop_acl extended permit ip host 192.168.3.10 any

policy-map laptop_sp
 class laptop
  police input 5000000
  police output 5000000

service-policy laptop_sp interface outside

8 Replies

Julio Carvajal
VIP Alumni

Hello John,

Try it like this

policy-map laptop_sp
 class laptop
  police output 50000 conform-action transmit exceed-action drop
  police input  50000 conform-action transmit exceed-action drop

Afterwards do a clear local-host 192.168.3.10

Regards,

Julio


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thank you.

The above seems to rate the traffic, but for some reason when I do a speed test the traffic gets policed, and then after a while of testing I am unable to connect to the internet or to connect to the firewall via SSH. All network access seems to have stopped, and I have to reload the firewall to get access back?

Hello John,

Of course that should rate it!

Now, why you became unable to connect to the internet or even to the ASA is a completely different matter.

On the ACL you have there you are only including one PC, correct?

Are you able to ping the ASA after you get disconnected?

Regards,


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

John Peterson
Level 1

Hi,

No not able to ping the ASA.

For some reason, after the police is applied and while going through a speed test, you can see the ASA policing the traffic, but during the policing the speed test hangs there and network traffic grinds to a halt.

It's like the ASA has somehow stopped the host from transmitting any data because it has gone past the police rate or tried to burst.


John Peterson
Level 1

Hi,

I've added those commands, but when I do a:

firewall(config-pmap-c)# show service-policy police

Interface inside:
  Service-policy: speed_limit
    Class-map: rate_limit
      Input police Interface inside:
        cir 3670000 bps, bc 114687 bytes
        conformed 36029 packets, 21519175 bytes; actions:  drop
        exceeded 536 packets, 752429 bytes; actions:  drop
        conformed 117104 bps, exceed 392 bps
      Output police Interface inside:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

Interface outside:
  Service-policy: speed_limit
    Class-map: rate_limit
      Input police Interface VM:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
      Output police Interface VM:
        cir 3670000 bps, bc 114687 bytes
        conformed 5097 packets, 1544222 bytes; actions:  drop
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 17264 bps, exceed 0 bps

I used 'conform-action transmit exceed-action drop', but the conformed packets show drop when they should show transmit.

John Peterson
Level 1

Anybody please?


Hi Bro

If you need me to help you, I need you to paste your complete show running-config here. This is because your show service-policy police output doesn't match the commands you've typed.

Shown below is exactly what I've done in my lab using Cisco ASA 5510 v8.0.2, and the output is good. I don't think the problem that you're having is a software bug. I believe you've typed in the wrong parameters in your show running-config :-)

!
access-list laptop_acl extended permit ip host 192.168.3.10 any
!
class-map rate_limit
 match access-list laptop_acl
!
policy-map speed_limit
 class rate_limit
  police output 3670000 114687 conform-action transmit exceed-action drop
  police input 3670000 114687 conform-action transmit exceed-action drop
!
service-policy speed_limit interface dmz
!

FW01# show service-policy police

Interface dmz:
  Service-policy: speed_limit
    Class-map: rate_limit
      Input police Interface dmz:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  trasnmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
      Output police Interface dmz:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  trasnmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

P.S.: Personally, I believe you've used the keyword "drop" in 'conform-action drop exceed-action drop', but I stand corrected.

Warm regards,
Ramraj Sivagnanam Sivajanam
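The two `show service-policy police` outputs above (John's, where conforming packets are counted against `actions: drop`, and Ramraj's lab output, where they are counted against transmit) are the kind of thing worth checking mechanically rather than by eye. The following is an added example from the editor, not code from the thread or from Cisco: it parses that output format and compares each policer against the intended rate and actions. The sample text is constructed from the format posted above (the `SAMPLE` string, the 3670000 bps rate and the 114687-byte burst are taken from the thread; the 32:1 cir-to-bc ratio is simply what those two posted numbers work out to, and is used as the default expectation here). The action string is compared exactly, so the "trasnmit" spelling in the 8.0.2 output would be reported as unexpected rather than silently accepted.

```python
"""Parse Cisco ASA 'show service-policy police' output and check each
policer against the intended settings.  Editor's example, not from the
thread; SAMPLE is constructed to match the format posted above."""
import re
from dataclasses import dataclass

# Constructed sample: first policer mirrors John's inside-input counters,
# second one is what a correct conform-action transmit policer looks like.
SAMPLE = """\
Interface inside:
  Service-policy: speed_limit
    Class-map: rate_limit
      Input police Interface inside:
        cir 3670000 bps, bc 114687 bytes
        conformed 36029 packets, 21519175 bytes; actions:  drop
        exceeded 536 packets, 752429 bytes; actions:  drop
        conformed 117104 bps, exceed 392 bps
      Output police Interface inside:
        cir 3670000 bps, bc 114687 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
"""


@dataclass
class Policer:
    interface: str
    policy: str
    class_map: str
    direction: str        # "input" or "output"
    cir_bps: int
    bc_bytes: int
    conformed_pkts: int
    conform_action: str   # exact string as printed by the ASA
    exceeded_pkts: int
    exceed_action: str


def parse_police(text):
    """Return one Policer per 'Input/Output police' stanza in the output."""
    policers = []
    iface = policy = cmap = None
    cur = None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"Interface (\S+):$", s):
            iface = m.group(1)
        elif m := re.match(r"Service-policy: (\S+)$", s):
            policy = m.group(1)
        elif m := re.match(r"Class-map: (\S+)$", s):
            cmap = m.group(1)
        elif m := re.match(r"(Input|Output) police Interface \S+:$", s):
            cur = {"interface": iface, "policy": policy,
                   "class_map": cmap, "direction": m.group(1).lower()}
        elif m := re.match(r"cir (\d+) bps, bc (\d+) bytes$", s):
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"conformed (\d+) packets, \d+ bytes; actions:\s+(\S+)$", s):
            cur["conformed_pkts"], cur["conform_action"] = int(m.group(1)), m.group(2)
        elif m := re.match(r"exceeded (\d+) packets, \d+ bytes; actions:\s+(\S+)$", s):
            cur["exceeded_pkts"], cur["exceed_action"] = int(m.group(1)), m.group(2)
            policers.append(Policer(**cur))   # exceeded line closes the stanza
            cur = None
    return policers


def check_policer(p, expected_cir, expected_bc=None):
    """Return a list of findings; an empty list means the policer matches intent."""
    findings = []
    if p.cir_bps != expected_cir:
        findings.append(f"cir is {p.cir_bps} bps, expected {expected_cir}")
    # Assumption: bc is cir/32 unless the operator typed an explicit burst,
    # which is the ratio the thread's own numbers (3670000 -> 114687) show.
    want_bc = expected_bc if expected_bc is not None else expected_cir // 32
    if p.bc_bytes != want_bc:
        findings.append(f"bc is {p.bc_bytes} bytes, expected {want_bc}")
    if p.conform_action != "transmit":
        findings.append(f"conform-action is '{p.conform_action}', expected 'transmit'")
    if p.exceed_action != "drop":
        findings.append(f"exceed-action is '{p.exceed_action}', expected 'drop'")
    if p.conform_action == "drop" and p.conformed_pkts > 0:
        findings.append(f"{p.conformed_pkts} conforming packets dropped: "
                        "host is blackholed, not rate-limited")
    return findings


if __name__ == "__main__":
    for pol in parse_police(SAMPLE):
        tag = f"{pol.interface}/{pol.direction} ({pol.policy}:{pol.class_map})"
        print(tag, check_policer(pol, 3670000) or "OK")
```

Run against John's full output, the checker flags every policer as `conform-action is 'drop'` and the inside-input and outside-output ones as dropping conforming packets, which is the symptom he describes (traffic stops rather than being limited). One more thing the posted counters show: only inside-input and outside-output ever count packets, while inside-output and outside-input stay at zero. That is consistent with `permit ip host 192.168.3.10 any` matching only packets whose source is the host, so a policer applied in the other direction on the same interface needs an ACL entry with the host as the destination if it is meant to catch the download side too.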

trasnmit? I wonder, did you misspell that or did Cisco? On my 8.2(1) it says conformed...drop in the show service-policy even though I told it transmit, and it appears transmit is the default since the config prunes that. It's not working anyway; it appears buggy. I think I need to upgrade...
