[c-nsp] policing question

Leslie Meade lmeade at signal.ca
Wed Jul 29 11:30:36 EDT 2009 

I have a question,  I have over 50 vlans and each needs to be policed at different speeds. I have a cat 6509 with sup32's
Creating access-lists, class maps etc. are no issues for me. To my understanding that I can only police in one direction on any given interface. So I put a service-policy output on a vlan and another service-policy input on the other. But when I add more than 4 class’s to a policy map on my transit internet network it crawls to a dead stop. Anyone tell me why ? I gather the sup32’s/int cannot handle the output. To give you an idea of how much data I push out, in one week I will do over a Terabyte of data.

Here is an example of the standard ACL’s and policy-maps that I am using..

ip access-list extended VLAN14_WWW 
10 permit tcp any eq www any
20 permit tcp any any eq www


class-map match-any VLAN14_WWW-CL
  match access-group name VLAN14_WWW
  
policy-map VLAN14_OUTBOUND-PM
class VLAN14_WWW-CL 
                police cir 2097000 bc 66406 be 66406 conform-action transmit exceed-action drop violate-action drop

policy-map Internet-Access-PM
class VLAN14_WWW-CL 
                police cir 2097000 bc 66406 be 66406 conform-action transmit exceed-action drop violate-action drop
class VLAN15_WWW-CL 
                police cir 2097000 bc 66406 be 66406 conform-action transmit exceed-action drop violate-action drop
class VLAN16_WWW-CL 
                police cir 2097000 bc 66406 be 66406 conform-action transmit exceed-action drop violate-action drop
class VLAN17_WWW-CL 
                police cir 2097000 bc 66406 be 66406 conform-action transmit exceed-action drop violate-action drop


interface Vlan14
description VFS
ip address 10.1.14.2 255.255.255.0
ip helper-address 10.1.6.10
no ip redirects
no ip unreachables
ip flow ingress
ip route-cache flow
no ip mroute-cache
mls netflow sampling
standby 15 ip 10.1.14.1
standby 15 priority 250
standby 15 preempt
service-policy output  VLAN14_OUTBOUND-PM

interface Vlan254
description Transient 
 ip address 10.1.254.2 255.255.255.0
 no ip redirects
no ip unreachables
ip flow ingress
ip route-cache flow
no ip mroute-cache
mls netflow sampling
standby 15 ip 10.1.254.1
standby 15 priority 250
standby 15 preempt
service-policy input  Internet-Access-PM

Cheers

Leslie

More information about the cisco-nsp mailing list