traffic policing and bandwidth management

cthree6mafia

I am a bit confused about this feature.

What is it supposed to do? When I configure the class maps for, say, FTP and SMTP to control the amount of bandwidth to 56k, and then I do a test, the monitoring and debugging show that the packets are conformed and some are dropped. But when you check, say, an FTP download, it exceeds the 56k. Does this feature only work when the line is full with other stuff? I have also tried rate-limiting with an access-list and still no luck.

Any ideas or real working configurations? The ones on the net seem not to work properly.

costas


balajitvk

Hi,

FTP download exceeding 56K depends upon your configuration. What action have you taken for the exceeding traffic? Did you configure drop, or permit with lower precedence?

If possible, please post the config.

rgs,

What am I supposed to do when exceeded? I have drop. To keep it stable at 56k, what must I put?

costas

Hi,

That again depends upon your requirement. If you strictly want to allocate only 56K to FTP download, you should configure the drop action for exceeded traffic.

But if you want to allow exceeded traffic if there is bandwidth then you can allow that traffic, might be with less priority!

http://www.cisco.com/en/US/products/ps5763/products_configuration_guide_chapter09186a00803b7c7b.html#wp1060249

http://www.cisco.com/en/US/products/sw/iosswrel/ps5014/products_feature_guide_chapter09186a00800ca4f2.html

Rate if it helps,

Rgs,

You could use something like the following:

class-map match-any FTP_SMTP
 match protocol ftp
 match protocol smtp
!
policy-map LIMIT_FTP_SMTP
 class FTP_SMTP
  police 56000 1750
!
interface Serial0
 service-policy input LIMIT_FTP_SMTP
 service-policy output LIMIT_FTP_SMTP
!

Hope that helps - pls rate the post if it does.

Paresh
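An added illustration, not part of any poster's reply and not Cisco code: a single-rate token-bucket model of `police 56000 1750` (56000 bits/s, 1750-byte burst), showing how conformed and exceeded traffic split when a flow is offered below and above the policed rate. The packet size, offered rates and all function names are assumptions, and exceed is modelled as drop.

```python
class Policer:
    """Single-rate, two-colour token bucket (model: conform=transmit, exceed=drop)."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps         # first value of `police 56000 1750`, bits/s
        self.bc_bytes = bc_bytes       # second value, normal burst in bytes
        self.tokens = float(bc_bytes)  # bucket starts full
        self.last = 0.0                # arrival time of the previous packet
        self.conformed = 0             # bytes passed
        self.exceeded = 0              # bytes dropped

    def offer(self, now, size):
        # Tokens accumulate at the policed rate between arrivals, capped at the burst.
        refill = (now - self.last) * self.cir_bps / 8
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last = now
        if size <= self.tokens:        # enough tokens: packet conforms
            self.tokens -= size
            self.conformed += size
            return True
        self.exceeded += size          # not enough tokens: packet exceeds
        return False


def simulate(offered_bps, seconds=10, pkt_bytes=500, cir_bps=56000, bc_bytes=1750):
    """Offer a constant-rate flow (constructed input) and return
    (conformed_bps, exceeded_bps) averaged over the run."""
    p = Policer(cir_bps, bc_bytes)
    interval = pkt_bytes * 8 / offered_bps   # seconds between packets
    for i in range(int(seconds / interval)):
        p.offer(i * interval, pkt_bytes)
    return p.conformed * 8 / seconds, p.exceeded * 8 / seconds


if __name__ == "__main__":
    for rate in (32000, 512000):             # below and above the policed rate
        ok, drop = simulate(rate)
        print(f"offered {rate} bps -> conformed {ok:.0f} bps, exceeded {drop:.0f} bps")
```

Under this model the conformed rate cannot stay above the policed rate plus the one-off burst, whatever the offered load.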

I have tried this and it still does not work. Does the line need to be full for this to work? Just something I forgot to mention: I have a point-to-point VPN for this link.

costas

That puts a different spin on things... Can you post your config ? Things tend to get a little more complicated with VPNs...

Paresh

check it out

Your config seems okay but the problem is that NBAR does not work over tunnel interfaces .... which means that the 'match protocol ftp' is not working.

If you are limiting traffic to/from a FTP server, I suggest you configure an access-list to match the traffic and use 'match access-group' instead of 'match protocol'....

Hope that helps - pls rate the post if it does.

Paresh

I have done that as well, with an access-list. The strange thing is that when I do a show policy map interface, it starts to count in the class map for FTP, then it starts counting in the default class-map.

Any ideas?

Did you use an extended ACL with the ftp/ftp-data ports ? That does not work ... because of the dynamic nature of FTP data ports....

You need to match on just the FTP server address without any ports for this to work.

Paresh

I have done that too. Is there something special for VPN connections? Will the configuration work for non-VPN connections?

Well, you've got me beat... that configuration works pretty well for non-vpn connections....

Paresh

Now it does not mark at all in the class map packets.

It's getting worse by the hour.
