[c-nsp] 6509/Sup720 Interface Vlan Rate-limit
Gustavo Rodrigues Ramos
gustavo at acmesecurity.org
Fri Jul 29 12:27:47 EDT 2005
Hi,
We're now upgrading from Sup1a to Sup720 and also having some trouble
with rate-limiting our customer's vlan (L3) interface. We are using
Native IOS configuration, like this:
interface Vlan100
 description Customers_Vlan
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output 64000 8000 8000 conform-action transmit exceed-action drop
 ip route-cache policy
 ip policy route-map Firewall
 no mls ip
 no mls switching unicast
!
interface Vlan200
 description Internet
 ip address 192.168.0.1 255.255.255.0
 no mls ip
 no mls switching unicast
!
route-map Firewall permit 10
 set ip next-hop 192.168.0.1
!
So, when we put some traffic to ingress on Vlan100 and egress on Vlan200
(FTP connection from 192.168.0.2 to 10.0.0.2) we can see that traffic is
being rate-limited because:
sup# sh int vlan 100
(..)
30 second input rate 110000 bits/sec, (...)
30 second output rate 2000 bits/sec, (...)
and
sup# sh int vlan 200
(..)
30 second input rate 100 bits/sec, (...)
30 second output rate 62000 bits/sec, (...) <--- !!
But the counters I can see with "show interface vlan 100 rate-limit" are
somehow wrong. For example, I can measure this with MRTG (using
CISCO-CAR-MIB ccarStatSwitchedBytes) or by doing an snmpget on the router
and see that more traffic is passing through the Sup720 than is allowed.
I already have a TAC open with Cisco. But it's taking so long to solve.
Any thoughts??
Thanks in advance,
Gustavo.
--
Gustavo Rodrigues Ramos
gustavo @ acmesecurity . org