[nsp] Example code of how to "rate limit" a port on a 3550
Jon Lewis
jlewis at lewis.org
Fri Jul 2 10:20:41 EDT 2004
match any may be allowed in the class-map, but it doesn't actually work
(for egress or ingress) when that class is used in a service-policy to
police traffic.
Here's what I've come up with that works in both directions, which is a
combination of what I had and thought was working and what Matthew Crocker
posted:
class-map match-any all-out
  match ip dscp 0
class-map match-any all-in
  match access-group 100
!
policy-map 1mbit-in
  class all-in
    police 1000000 16000 exceed-action drop
!
policy-map 1mbit-out
  class all-out
    police 1000000 16000 exceed-action drop
!
interface FastEthernet0/14
  service-policy input 1mbit-in
  service-policy output 1mbit-out
!
access-list 100 permit ip any any
The box I have on FastEthernet0/14 is definitely being limited in both
directions now. I thought when I'd originally tested this that matching
ip dscp 0 worked in both directions, but I see now that it does not.
Can this be done with a single policy handling both ingress and egress?
Is matching dscp 0 (with no trust configured anywhere) dangerous in that
packets with a different dscp will escape policing? I don't think it is.
I just did a test where I downloaded files to the box on port 14 from
another box which I used iptables on to mark all outgoing tcp packets with
another dscp value, and the policing (match ip dscp 0) still worked. One
source I've read suggests that these flags generally get cleared by
routers (intermediate hops) not configured to utilize them.
According to the web page I quoted before, "match ip dscp" is the only
valid match statement for the egress policy.
Changing the config to:
class-map match-any all-both
  match ip dscp 0
  match access-group 100
policy-map 1mbit-in
  class all-both
    police 1000000 16000 exceed-action drop
policy-map 1mbit-out
  class all-both
    police 1000000 16000 exceed-action drop
results in the egress policing working, but ingress traffic is not
policed at all. That makes no sense to me.
One other thing I've seen that worries me, though its meaning isn't
entirely clear to me, is http://www.cisco.com/warp/public/473/153-2.gif
Does 8 policers for FE mean I can only define 8 different policy-maps used
for policing, or that an FE can have a service-policy that polices 8
different classes differently?
On Fri, 2 Jul 2004 sam_ml at spacething.org wrote:
> This is irrelevant. You can use the "match any" statement in the class-map
> and rate-limit inbound and outbound.
>
> Sam
>
> On Thu, 1 Jul 2004, Jon Lewis wrote:
>
> > Part of why I posted was I wasn't 100% sure about this, so I wanted to see
> > if someone would suggest it was wrong. It worked 'in the lab', but I made
> > no effort to mess with DSCP. My understanding was that without
> > configuring interfaces to trust DSCP, DSCP is always 0.
> >
> > http://www.cisco.com/en/US/customer/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml
> >
> > When an interface is not trusted (this is the default state when QoS is
> > enabled), the internal DSCP will be derived from the configurable default
> > CoS for the corresponding interface. If no default CoS is configured, the
> > default value will be zero.
> >
> >
> > On Thu, 1 Jul 2004, Warren Kumari, PhD, CCIE#9190 wrote:
> >
> > > Well, yeah, but only on dscp 0 traffic. Traffic with other DSCP bits
> > > won't get policed (and it seems that more and more virii and DoS are
> > > setting DSCP). You will need to match all of the DSCP bits to police
> > > this way.
> > >
> > > Warren
> > > On Jul 1, 2004, at 3:57 PM, Jon Lewis wrote:
> > >
> > > > On Thu, 1 Jul 2004, Matthew Crocker wrote:
> > > >
> > > >> This is what I use, works pretty well for me.
> > > >> !
> > > >> class-map match-all allip
> > > >>   match access-group 100
> > > >> !
> > > >> policy-map 2mbps
> > > >>   class allip
> > > >>     police 2000000 32000 exceed-action drop
> > > >> !
> > > >> int f0/1
> > > >>   service-policy input 2mbps
> > > >> !
> > > >> access-list 100 permit ip any any
> > > >>
> > > >> This only works to police packets as they enter the switch port. You
> > > >> can't use 'match access-group' in a output service-policy on the 3550.
> > > >
> > > > If, in the class map, you match ip dscp 0, instead of an access-group,
> > > > you can police in both directions.
> > > >
> > > > ----------------------------------------------------------------------
> > > > Jon Lewis | I route
> > > > Senior Network Engineer | therefore you are
> > > > Atlantic Net |
> > > > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> > > > _______________________________________________
> > > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > >
> > > >
> > > --
> > > Outside of a dog, a book is your best friend, and inside of a dog, it's
> > > too dark to read
> > >
> >
>
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
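Added example, not part of the thread and not a Cisco implementation: a single-rate token-bucket model of what "police 1000000 16000 exceed-action drop" does to a packet trace, with a class-map-style predicate in front of it. The trace, the `Policer`/`run`/`stream` names and the packet sizes are all constructed. The `dscp` field stands for the value the switch's classifier actually sees (the internal DSCP); per the Cisco note quoted above, on an untrusted 3550 port that is 0 regardless of the packet's own marking, which is why a "match ip dscp 0" class still catches marked traffic there. The model is an approximation: a hardware policer's timer granularity and byte accounting differ.

```python
# Added example (not from the thread): a single-rate token-bucket model of
# IOS "police <rate-bps> <burst-bytes> exceed-action drop", applied only to
# packets a class-map predicate matches. All traffic below is constructed.


class Policer:
    """Token bucket: refills at rate_bps, holds at most burst_bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_t = 0.0

    def offer(self, t, size):
        """True if the packet conforms (forward), False if it exceeds (drop)."""
        elapsed = max(0.0, t - self.last_t)
        # refill in proportion to elapsed time, never beyond the burst size
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def run(rate_bps, burst_bytes, packets, match=lambda dscp: True):
    """Police a trace of (time_s, size_bytes, internal_dscp) tuples.

    `match` plays the role of the class-map: packets it rejects bypass the
    policer entirely (the escape discussed in the thread). Returns a tuple
    (forwarded, dropped, unpoliced).
    """
    p = Policer(rate_bps, burst_bytes)
    forwarded = dropped = unpoliced = 0
    for t, size, dscp in packets:
        if not match(dscp):
            unpoliced += 1
        elif p.offer(t, size):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped, unpoliced


def stream(start_s, count, size, interval_s, dscp=0):
    """Constructed trace: `count` packets of `size` bytes every `interval_s`."""
    return [(start_s + i * interval_s, size, dscp) for i in range(count)]


if __name__ == "__main__":
    RATE, BURST = 1_000_000, 16_000  # the thread's "police 1000000 16000"
    burst20 = [(0.0, 1500, 0)] * 20
    print("20 x 1500 B at t=0            ->", run(RATE, BURST, burst20))
    print("1500 B every 12 ms (1 Mbit/s) ->", run(RATE, BURST, stream(0.0, 100, 1500, 0.012)))
    print("1500 B every 6 ms  (2 Mbit/s) ->", run(RATE, BURST, stream(0.006, 100, 1500, 0.006)))
    # class-map "match ip dscp 0" on a port whose internal DSCP is 46:
    # nothing reaches the policer
    marked = stream(0.006, 100, 1500, 0.006, dscp=46)
    print("2 Mbit/s, internal DSCP 46, match dscp 0 ->",
          run(RATE, BURST, marked, match=lambda d: d == 0))
```

The burst case shows what the 16000-byte parameter buys: ten full-size frames get through instantly, the rest are dropped until the bucket refills. The 2 Mbit/s stream settles into forwarding every other frame once the initial burst credit is spent, which is the "exceed-action drop" behaviour with no shaping or queueing.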