07-16-2012 11:29 AM - edited 03-11-2019 04:31 PM
Hi,
I'm trying to use QoS to police traffic where a certain host should not go above 5Mbps at any time, and if the traffic is exceeded it should be dropped.
I have tried playing around with the below, but the host machine can still access the full bandwidth.
class-map laptop
match access-list laptop_acl
access-list laptop_acl extended permit ip host 192.168.3.10 any
policy-map laptop_sp
class laptop
police input 5000000
police output 5000000
service-policy laptop_sp interface outside
07-16-2012 11:38 AM
Hello John,
Try it like this
policy-map laptop_sp
class laptop
police output 50000 conform-action transmit exceed-action drop
police input 50000 conform-action transmit exceed-action drop
Afterwards do a clear local-host 192.168.3.10
Regards,
Julio
07-16-2012 01:18 PM
Hi Julio,
Thank you.
The above seems to rate the traffic, but for some reason when I do a speed test the traffic gets policed, but after a while of testing I am unable to connect to the internet or connect to the firewall via SSH. All network access seems to have stopped, and I have to reload the firewall to get access back?
07-16-2012 02:29 PM
Hello John,
Of course that should rate it!
Now, why you became unable to connect to the internet or even the ASA, that is completely different.
On the ACL you have there you are only including one PC, correct?
Are you able to ping the ASA after you get disconnected?
Regards,
07-16-2012 10:21 PM
Hi,
No, not able to ping the ASA.
For some reason, after the police is applied and when going through a speed test, you can see the ASA policing the traffic, but during the policing the speed test hangs there and network traffic grinds to a halt.
It's like the ASA has somehow stopped the host from transmitting any data because it has gone past the police rate or tried to burst.
07-18-2012 01:28 AM
Hi,
I've added those commands, but when I do a:
firewall(config-pmap-c)# show service-policy police
Interface inside:
Service-policy: speed_limit
Class-map: rate_limit
Input police Interface inside:
cir 3670000 bps, bc 114687 bytes
conformed 36029 packets, 21519175 bytes; actions: drop
exceeded 536 packets, 752429 bytes; actions: drop
conformed 117104 bps, exceed 392 bps
Output police Interface inside:
cir 3670000 bps, bc 114687 bytes
conformed 0 packets, 0 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Interface outside:
Service-policy: speed_limit
Class-map: rate_limit
Input police Interface VM:
cir 3670000 bps, bc 114687 bytes
conformed 0 packets, 0 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface VM:
cir 3670000 bps, bc 114687 bytes
conformed 5097 packets, 1544222 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
conformed 17264 bps, exceed 0 bps
I used the 'conform-action transmit exceed-action drop', but the conformed packets show drop when they should show transmit.
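An added example, not part of the original post: a Python parser for the `show service-policy police` layout quoted above that flags the condition described (conform action shown as drop) and policers that matched no packets. The function names are hypothetical, and the sample reuses counter values from the post.

```python
import re

# Sample in the layout of the thread's `show service-policy police` output
# (counter values copied from the post above, trimmed to one interface).
SAMPLE = """\
Interface inside:
Service-policy: speed_limit
Class-map: rate_limit
Input police Interface inside:
cir 3670000 bps, bc 114687 bytes
conformed 36029 packets, 21519175 bytes; actions: drop
exceeded 536 packets, 752429 bytes; actions: drop
Output police Interface inside:
cir 3670000 bps, bc 114687 bytes
conformed 0 packets, 0 bytes; actions: drop
exceeded 0 packets, 0 bytes; actions: drop
"""
HEAD = re.compile(r"(Input|Output) police Interface (\S+):")
RATE = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
STAT = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes; actions: (\S+)")

def parse_policers(text):
    """Return one dict per 'Input/Output police' block in the output."""
    policers, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := HEAD.match(line):
            cur = {"direction": m[1].lower(), "interface": m[2]}
            policers.append(cur)
        elif cur is not None and (m := RATE.match(line)):
            cur["cir_bps"], cur["bc_bytes"] = int(m[1]), int(m[2])
        elif cur is not None and (m := STAT.match(line)):
            cur[m[1]] = {"packets": int(m[2]), "bytes": int(m[3]), "action": m[4]}
    return policers

def findings(policers):
    """Flag policers whose conform action is not transmit or that never matched."""
    out = []
    for p in policers:
        name = f"{p['interface']}/{p['direction']}"
        conf, exc = p.get("conformed"), p.get("exceeded")
        if conf and conf["action"] != "transmit":
            out.append((name, f"conform action is {conf['action']}"))
        if conf and exc and conf["packets"] + exc["packets"] == 0:
            out.append((name, "no packets matched this policer"))
    return out

if __name__ == "__main__":
    for name, issue in findings(parse_policers(SAMPLE)):
        print(f"{name}: {issue}")
```

A flagged conform action is a prompt to compare the displayed action with the `police` line in the running configuration, which is what the replies in this thread ask for.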
07-19-2012 03:34 PM
Anybody please?
07-19-2012 07:44 PM
Hi Bro
If you need me to help you, I need you to paste your complete show running-config here. This is because your show service-policy police output doesn't match the commands you've typed.
Shown below is exactly what I've done in my lab using Cisco ASA 5510 v8.0.2, and the output is good. I don't think the problem that you're having is a software bug. I believe you've typed in the wrong parameters in your show running-config :-)
!
access-list laptop_acl extended permit ip host 192.168.3.10 any
!
class-map rate_limit
match access-list laptop_acl
!
policy-map speed_limit
class rate_limit
police output 3670000 114687 conform-action transmit exceed-action drop
police input 3670000 114687 conform-action transmit exceed-action drop
!
service-policy speed_limit interface dmz
!
FW01# show service-policy police
Interface dmz:
Service-policy: speed_limit
Class-map: rate_limit
Input police Interface dmz:
cir 3670000 bps, bc 114687 bytes
conformed 0 packets, 0 bytes; actions: trasnmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface dmz:
cir 3670000 bps, bc 114687 bytes
conformed 0 packets, 0 bytes; actions: trasnmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
P/S: Personally, I believe you've used the keyword "drop" in the 'conform-action drop exceed-action drop', but I stand corrected
Note: If you think my comment is useful, please do rate them nicely :-)
01-23-2013 03:02 PM
trasnmit? I wonder, did you misspell that or did Cisco? On my 8.2(1) it says conformed...drop in the show service-policy even though I told it transmit, and it appears transmit is the default since the config prunes that. It's not working anyway; it appears buggy. I think I need to upgrade...