[c-nsp] Weird Service Policy Issue on SUP720

Ian Cox icox at cisco.com
Tue Jan 17 14:51:33 EST 2006


How are you coming up with the conclusion that the policer was not
working? The information below does not tell one if the policer was
working or not; all it tells you is 51Mbps was coming in the
interface. The interface counters reflect how many packets per second
were received before policing. You need to look at what "show policy
interface <blah>" indicates, since that shows the policer statistics.


Ian

At 11:35 AM 1/17/2006 -0800, Richard J. Sears wrote:
>Hey Everyone -
>
>We use service policies on our switches to prevent customers from using
>more bandwidth than they want to use (or more than they want to pay for).
>
>We had an issue today where a customer was pushing 50mbps for hours when
>his service policy was set for 256Kb. (They had been hacked).
>
>I was thinking that maybe I had the policy configured wrong (see below),
>but this same policy appears to prevent other customers from doing the
>same thing.
>
>I was just wondering if this was a glitch on the 6509 or not and if
>anyone else had seen the same thing..?
>
>We are running the SUP720 engines with 512MB RAM and PFC3A and MSFC3
>cards in Hybrid mode (no cat os)
>
>
>This is our config:
>
>
>!
>class-map match-all AllTraffic
>   description Match All Traffic
>   match access-group name IP_ANY_ANY
>!
>
>policy-map 256Kb-CAP
>   class AllTraffic
>      police 290000 256000 256000 conform-action transmit exceed-action drop
>
>!
>ip access-list extended IP_ANY_ANY
>  permit ip any any
>!
>
>interface FastEthernet9/36
>  description [22184]
>  ip address x.x.x.x x.x.x.x
>  no ip redirects
>  no ip unreachables
>  no cdp enable
>  service-policy input 256Kb-CAP
>  service-policy output 256Kb-CAP
>end
>
>
>AR01#sh int f9/36
>FastEthernet9/36 is up, line protocol is up (connected)
>   Hardware is C6k 100Mb 802.3, address is 00d0.01a6.b000 (bia 00d0.01a6.b000)
>   Description: [22184]
>   Internet address is x.x.x.x/29
>   MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation ARPA, loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 100Mb/s
>   input flow-control is off, output flow-control is unsupported
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input 00:43:12, output 00:00:29, output hang never
>   Last clearing of "show interface" counters never
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   5 minute input rate 56694000 bits/sec, 110690 packets/sec
>   5 minute output rate 1000 bits/sec, 2 packets/sec
>   L2 Switched: ucast: 80550 pkt, 5157126 bytes - mcast: 11431 pkt, 732133 bytes
>   L3 in Switched: ucast: 64024893 pkt, 5616293227 bytes - mcast: 0 pkt, 0 bytes mcast
>   L3 out Switched: ucast: 18049976 pkt, 2738967335 bytes mcast: 0 pkt, 0 bytes
>      4072217083 packets input, 261588083018 bytes, 0 no buffer
>      Received 11432 broadcasts (5 IP multicast)
>      0 runts, 0 giants, 0 throttles
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 watchdog, 0 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      18214991 packets output, 2774118358 bytes, 0 underruns
>      0 output errors, 0 collisions, 3 interface resets
>      0 babbles, 0 late collision, 0 deferred
>      0 lost carrier, 0 no carrier, 0 PAUSE output
>      0 output buffer failures, 0 output buffers swapped out
>AR01#
>
>
>
>
>Thanks
>
>
>******************************************
>Richard J. Sears
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
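
The point made in the reply, that the interface input rate is counted before the policer acts, shown as an added example that is not part of the original thread: a single-rate token bucket fed with the load from the quoted "show interface" output. It assumes the first `police` argument is the rate in bits per second and the second is the burst in bytes, uses a 64-byte packet size derived from the quoted 5 minute input rate and packets/sec, and models a generic token bucket rather than the PFC3 hardware; `simulate_policer` is a hypothetical name.

```python
# Added illustration: generic single-rate token-bucket policer.
# Inputs are taken from the quoted config and "show interface" output;
# the 64-byte packet size is derived (56694000 / 110690 / 8), an assumption.

def simulate_policer(pps, pkt_bytes, seconds, cir_bps, burst_bytes):
    """Feed a constant packet stream through a token bucket and count results."""
    refill = cir_bps / 8.0 / pps        # bytes of credit earned per packet gap
    tokens = float(burst_bytes)         # bucket starts full
    total = pps * seconds
    last_second_start = total - pps
    conform = exceed = conform_last = 0
    for i in range(total):
        tokens = min(burst_bytes, tokens + refill)
        if tokens >= pkt_bytes:         # conform-action transmit
            tokens -= pkt_bytes
            conform += 1
            if i >= last_second_start:
                conform_last += 1
        else:                           # exceed-action drop
            exceed += 1
    bits = pkt_bytes * 8
    return {
        # What the interface counter sees: every received packet,
        # whether or not the policer later drops it.
        "interface_input_bps": total * bits // seconds,
        "conformed_pkts": conform,
        "exceeded_pkts": exceed,
        # Rate actually forwarded once the initial burst is used up.
        "steady_state_bps": conform_last * bits,
    }

if __name__ == "__main__":
    result = simulate_policer(pps=110690, pkt_bytes=64, seconds=10,
                              cir_bps=290000, burst_bytes=256000)
    for name, value in result.items():
        print(f"{name:22} {value}")
```

A high input rate in "show interface" together with a large exceed count in the policer statistics is the pattern to expect when the policer is dropping as configured.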

