[c-nsp] Weird Service Policy Issue on SUP720

Richard J. Sears rsears at americanIS.net
Tue Jan 17 15:14:47 EST 2006


ah...

:-)

I was not aware that the sh int command showed how much arrived at the
interface as opposed to how much was allowed through the interface.
However, there was an increase in backbone traffic that fell by the exact
amount of his bandwidth when we shut him off.

I guess the next question would be how would I track what the customer
was actually using..? I am using an NMS program that tracks interface
usage and we use that information to bill the customer.

Thanks Ian

On Tue, 17 Jan 2006 11:51:33 -0800
Ian Cox <icox at cisco.com> wrote:

> 
> How are you coming to the conclusion that the policer was not 
> working? The information below does not tell one if the policer was 
> working or not; all it tells you is 51Mbps was coming in the 
> interface. The interface counters reflect how many packets per second 
> were received before policing. You need to look at what "show policy 
> interface <blah>" indicates, since that shows the policer statistics.
> 
> 
> Ian
> 
> At 11:35 AM 1/17/2006 -0800, Richard J. Sears wrote:
> >Hey Everyone -
> >
> >We use service policies on our switches to prevent customers from using
> >more bandwidth than they want to use (or more than they want to pay for).
> >
> >We had an issue today where a customer was pushing 50mbps for hours when
> >his service policy was set for 256Kb. (They had been hacked).
> >
> >I was thinking that maybe I had the policy configured wrong (see below),
> >but this same policy appears to prevent other customers from doing the
> >same thing.
> >
> >I was just wondering if this was a glitch on the 6509 or not and if
> >anyone else had seen the same thing..?
> >
> >We are running the SUP720 engines with 512MB RAM and PFC3A and MSFC3
> >cards in Hybrid mode (no cat os)
> >
> >
> >This is our config:
> >
> >
> >!
> >class-map match-all AllTraffic
> >   description Match All Traffic
> >   match access-group name IP_ANY_ANY
> >!
> >
> >policy-map 256Kb-CAP
> >   class AllTraffic
> >      police 290000 256000 256000 conform-action transmit exceed-action drop
> >
> >!
> >ip access-list extended IP_ANY_ANY
> >  permit ip any any
> >!
> >
> >interface FastEthernet9/36
> >  description [22184]
> >  ip address x.x.x.x x.x.x.x
> >  no ip redirects
> >  no ip unreachables
> >  no cdp enable
> >  service-policy input 256Kb-CAP
> >  service-policy output 256Kb-CAP
> >end
> >
> >
> >AR01#sh int f9/36
> >FastEthernet9/36 is up, line protocol is up (connected)
> >   Hardware is C6k 100Mb 802.3, address is 00d0.01a6.b000 (bia 00d0.01a6.b000)
> >   Description: [22184]
> >   Internet address is x.x.x.x/29
> >   MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
> >      reliability 255/255, txload 1/255, rxload 1/255
> >   Encapsulation ARPA, loopback not set
> >   Keepalive set (10 sec)
> >   Full-duplex, 100Mb/s
> >   input flow-control is off, output flow-control is unsupported
> >   ARP type: ARPA, ARP Timeout 04:00:00
> >   Last input 00:43:12, output 00:00:29, output hang never
> >   Last clearing of "show interface" counters never
> >   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
> >   Queueing strategy: fifo
> >   Output queue: 0/40 (size/max)
> >   5 minute input rate 56694000 bits/sec, 110690 packets/sec
> >   5 minute output rate 1000 bits/sec, 2 packets/sec
> >   L2 Switched: ucast: 80550 pkt, 5157126 bytes - mcast: 11431 pkt, 732133 bytes
> >   L3 in Switched: ucast: 64024893 pkt, 5616293227 bytes - mcast: 0 pkt, 0 bytes mcast
> >   L3 out Switched: ucast: 18049976 pkt, 2738967335 bytes mcast: 0 pkt, 0 bytes
> >      4072217083 packets input, 261588083018 bytes, 0 no buffer
> >      Received 11432 broadcasts (5 IP multicast)
> >      0 runts, 0 giants, 0 throttles
> >      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> >      0 watchdog, 0 multicast, 0 pause input
> >      0 input packets with dribble condition detected
> >      18214991 packets output, 2774118358 bytes, 0 underruns
> >      0 output errors, 0 collisions, 3 interface resets
> >      0 babbles, 0 late collision, 0 deferred
> >      0 lost carrier, 0 no carrier, 0 PAUSE output
> >      0 output buffer failures, 0 output buffers swapped out
> >AR01#
> >
> >
> >
> >
> >Thanks
> >
> >
> >******************************************
> >Richard J. Sears
> >


******************************************
Richard J. Sears
CCNP/CCDP/F5SE
Vice President & CTO         
American Internet Services                          
----------------------------------------------------
rsears at americanis.net
http://www.americanis.net
----------------------------------------------------
858.576.4272 - Phone
858.427.2401 - Fax
INOC-DBA - 6130
----------------------------------------------------

I fly because it releases my mind 
from the tyranny of petty things . . 


"Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's
watching."
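
The point made in the quoted reply (interface counters are taken before the policer acts), as an added example that is not part of the original thread: a single-rate token-bucket model fed with the rates from the quoted `sh int` output. Assumptions: `police 290000 256000 256000` is read as a rate in bits/s with bursts in bytes, the flood is a constant stream of 64-byte packets (56694000 bit/s divided by 110690 packets/s), and the function names are hypothetical.

```python
# Added illustration (not from the thread): single-rate token-bucket policer.
# Assumption: "police 290000 256000 256000" = rate in bits/s, bursts in bytes.
CIR_BPS = 290_000        # from the quoted policy-map
BURST_BYTES = 256_000    # from the quoted policy-map
OFFERED_PPS = 110_690    # "5 minute input rate ... 110690 packets/sec"
PKT_BYTES = 64           # assumed: 56694000 bit/s / 110690 pps is about 64 bytes


def simulate(seconds, pps=OFFERED_PPS, pkt_bytes=PKT_BYTES,
             cir_bps=CIR_BPS, burst_bytes=BURST_BYTES):
    """Return (offered_bytes, conformed_bytes) for a constant-rate flood.

    Tokens are kept in units of 1/pps bit so the arithmetic stays in exact
    integers: one packet interval refills cir_bps units and one packet
    costs pkt_bytes * 8 * pps units.
    """
    capacity = burst_bytes * 8 * pps
    cost = pkt_bytes * 8 * pps
    tokens = capacity                      # bucket starts full
    offered = conformed = 0
    for _ in range(seconds * pps):
        tokens = min(capacity, tokens + cir_bps)   # refill for one interval
        offered += pkt_bytes               # received on the wire, pre-policing
        if tokens >= cost:                 # conform-action transmit
            tokens -= cost
            conformed += pkt_bytes         # what the policer lets through
        # else: exceed-action drop; the packet was still counted as received
    return offered, conformed


def rates_bps(seconds, **kwargs):
    """Average offered and conformed rates in bits/s over the run."""
    offered, conformed = simulate(seconds, **kwargs)
    return offered * 8 // seconds, conformed * 8 // seconds


if __name__ == "__main__":
    off, conf = rates_bps(60)
    print(f"interface input rate (pre-policing): {off} bit/s")
    print(f"rate passed by the policer:          {conf} bit/s")
```

The conformed figure includes the initial 256000-byte burst, so over short runs it sits above 290000 bit/s and approaches it as the run gets longer.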


