05-06-2011 01:50 PM - edited 03-11-2019 01:30 PM
I'm working in my lab trying to do a proof of concept for traffic policing on the ASA 5510 running 8.0(4). I have two laptops running Ubuntu, one on the outside and one on the inside. Both laptops have 100Mbps interfaces. My test consists of downloading a file from one laptop using HTTP. Without any QoS I can see speeds close to 100Mbps, which I would expect. On a side note, try using XP and you won't come close to those speeds. Anyhow, I implement policing using the config below and expect to see the max rate on the laptops during the transfer max out close to the CIR. However, I see speeds much higher on the laptops.
When I set the CIR to 10000 bps with bc at 1500 bytes I get speeds that range from 300Kbps to 700Kbps. I would expect to see speeds max out at the CIR which would be 10Kbps.
I'm having a hard time understanding why my numbers don't match. I would really appreciate it if somebody could "dumb this down" for me.
FYI...the download is going from the inside to the outside.
Relevant config:
access-list nonvoice extended permit ip any any
priority-queue inside
 queue-limit 488
 tx-ring-limit 8
priority-queue outside
class-map qos-restricted
 match access-list nonvoice
policy-map qos-policy
 class qos-restricted
  police input 10000
service-policy qos-policy interface outside
Output from the show service-policy police command:
Interface outside:
  Service-policy: qos-policy
    Class-map: qos-restricted
      Input police Interface outside:
        cir 10000 bps, bc 1500 bytes
        conformed 4377 packets, 291037 bytes; actions: transmit
        exceeded 3126 packets, 206316 bytes; actions: drop
        conformed 9992 bps, exceed 6552 bps
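To read the counters in the output above, here is a generic single-rate token-bucket policer run with the posted cir and bc values. It is an added example, not part of the original thread and not Cisco's implementation; the packet size, packet rate and duration are constructed sample values, and the model only meters packets that match the class in the direction the policer is applied.

```python
# Added illustration: generic single-rate token-bucket policer (not ASA source).
def police(packets, cir_bps, bc_bytes):
    """packets: (arrival_time_s, size_bytes) pairs sorted by time.
    Returns counters shaped like 'show service-policy police'."""
    tokens = float(bc_bytes)   # bucket starts full, so an initial burst passes
    last = None
    stats = {"conformed_pkts": 0, "conformed_bytes": 0,
             "exceeded_pkts": 0, "exceeded_bytes": 0}
    for t, size in packets:
        if last is not None:
            # Refill at CIR (bits/s -> bytes/s), never above the burst size.
            tokens = min(float(bc_bytes), tokens + (t - last) * cir_bps / 8.0)
        last = t
        if size <= tokens:
            tokens -= size
            stats["conformed_pkts"] += 1
            stats["conformed_bytes"] += size
        else:                  # out of tokens: the 'drop' exceed action
            stats["exceeded_pkts"] += 1
            stats["exceeded_bytes"] += size
    return stats

def constant_stream(pps, size_bytes, duration_s):
    """Constructed input: evenly spaced fixed-size packets."""
    return [(i / pps, size_bytes) for i in range(pps * duration_s)]

def rates_bps(stats, duration_s):
    """(conformed, exceeded) average rates in bits per second."""
    return (stats["conformed_bytes"] * 8 / duration_s,
            stats["exceeded_bytes"] * 8 / duration_s)

def demo():
    # cir/bc from the posted output; 66-byte packets at 30 pps (15,840 bps
    # offered) for 60 s are constructed sample values.
    stats = police(constant_stream(30, 66, 60), cir_bps=10000, bc_bytes=1500)
    return stats, rates_bps(stats, 60)

if __name__ == "__main__":
    stats, (conf, exc) = demo()
    print(stats)
    print(f"conformed {conf:.0f} bps, exceed {exc:.0f} bps")
```

In this model the conformed rate settles just above the CIR because the initial full bucket (bc) is averaged into the run, and everything offered beyond that is counted as exceeded.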
05-06-2011 02:15 PM
Hi Pete,
The configuration needs some changes, kindly go through this document, this should clarify all your questions:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate
Hope this helps.
Thanks,
Varun
05-11-2011 08:03 AM
Varun,
Thanks for your reply. I've gone through the document and I still don't understand why my traffic is not adhering to the specified rate limits. Is there a specific section of that document that answers that question? It seems simple: classify the traffic, apply a policy to the traffic (rate limit) and then apply it to an interface. I just don't understand why the lab results don't match the rate limit speeds.
Pete
05-11-2011 11:05 AM
Hi Pete,
Kindly let me know your requirements with a brief description again. I understand that you are trying to rate limit the download speed to 10 kbps. Also, please provide me the outputs from the current configuration:
show service-policy
show run policy-map
show run class-map
I'll give it a shot tomorrow in my lab, and let you know the correct config.
Thanks,
Varun
05-12-2011 11:08 AM
Yes, I want to limit traffic between two hosts to no more than 10kbps. Here are the configs you requested.
show run service-policy:
service-policy global_policy global
service-policy qos-policy interface outside
show run policy-map:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map qos-policy
 class qos-restricted
  police input 1000000
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
show run class-map:
class-map qos-restricted
 match access-list nonvoice
class-map inspection_default
 match default-inspection-traffic
class-map Voice-IN
 match access-list VOIP-Classification
05-12-2011 11:29 AM
Thanks for the info, I'll get back to you on this tomorrow. In the meanwhile, could you also provide the access-list that you have created for QoS? You may give me dummy IPs.
Regards,
Varun
05-12-2011 12:58 PM
access-list nonvoice extended permit ip any any
Basically I just have two hosts right now that I'm using to see if I can control the speed with. Once I can control the speed with those two hosts then I will introduce additional hosts and modify the ACL accordingly to control the speed for traffic between host 1 and host 2 and then provide priority for communication between host 3 and host 4. That's for later on down the road. I am just confused as to why my hosts are restricted to the bandwidth limitations specified with the police command.