[c-nsp] Weird Service Policy Issue on SUP720

Richard J. Sears rsears at americanIS.net
Tue Jan 17 14:35:35 EST 2006 

Hey Everyone - 

We use service policies on our switches to prevent customers from using
more bandwidth that they want to use (or more than they want to pay for).

We had an issue today where a customer was pushing 50mbps for hours when
his service policy was set for 256Kb. (They had been hacked).

I was thinking that maybe I had the policy configured wrong (see below),
but this same policy appears to prevent other customers from doing the
same thing.

I was just wondering if this was a glitch on the 6509 or not and if
anyone else had seen the same thing..?

We are running the SUP720 engines with 512MB RAM and PFC3A and MSFC3
cards in Hybryd mode (no cat os)


This is our config:


!         
class-map match-all AllTraffic
  description Match All Traffic
  match access-group name IP_ANY_ANY
!

policy-map 256Kb-CAP
  class AllTraffic
     police 290000 256000 256000 conform-action transmit exceed-action drop

!         
ip access-list extended IP_ANY_ANY
 permit ip any any
!

interface FastEthernet9/36
 description [22184]
 ip address x.x.x.x x.x.x.x
 no ip redirects
 no ip unreachables
 no cdp enable
 service-policy input 256Kb-CAP
 service-policy output 256Kb-CAP
end


AR01#sh int f9/36
FastEthernet9/36 is up, line protocol is up (connected)
  Hardware is C6k 100Mb 802.3, address is 00d0.01a6.b000 (bia 00d0.01a6.b000)
  Description: [22184]
  Internet address is x.x.x.x/29
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:43:12, output 00:00:29, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 56694000 bits/sec, 110690 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
  L2 Switched: ucast: 80550 pkt, 5157126 bytes - mcast: 11431 pkt, 732133 bytes
  L3 in Switched: ucast: 64024893 pkt, 5616293227 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 18049976 pkt, 2738967335 bytes mcast: 0 pkt, 0 bytes
     4072217083 packets input, 261588083018 bytes, 0 no buffer
     Received 11432 broadcasts (5 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     18214991 packets output, 2774118358 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
AR01#




Thanks


******************************************
Richard J. Sears

More information about the cisco-nsp mailing list