Hi Vibhor,Thank you very much

rizwanr74 · ‎08-04-2015

Hi Guys,

I have an ASA primarly used for guest-wireless access, I have applied rate-limiting as shown in the below table, but this morning I notice interface utilization hit 320-Mbps, I was under the impression, it should not allow above and beyond 100-Mbps.

Someone can help me out, what is missing on my configuration?

access-list 100mgabit-acl extended permit ip any any

class-map cls-100mgabit
match access-list 100mgabit-acl

policy-map pmap-100mgabit
class cls-100mgabit
police output 90000000 1250000
police input 90000000 1250000

service-policy pmap-100mgabit interface outside

Vibhor Amrodia · ‎08-11-2015

Hi,

What is the conform-action and exceed action set on the ASA device ?

"show service-policy" would show that.

Also , try to change both action to drop and see if that resolves the issue.

Thanks and Regards,

Vibhor Amrodia

rizwanr74 · ‎08-11-2015

Hi Vibhor,

Thank you very much for your input.

I have had set as "conform-action transmit" and "exceed-action drop" but it is showing on the Solarwind NPM for outside interface ulization is hitting 126Mpbs, whereas I set transit-action for 90Mbps and set BC for an additional 10Mbps, which then should total up to 100Mbps.

ASA5510# show service-policy police

Interface outside:
Service-policy: pmap-100mgabit
Class-map: cls-100mgabit
Output police Interface outside:
cir 100000000 bps, bc 3125000 bytes
conformed 58496758 packets, 16742993776 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 284800 bps, exceed 0 bps
Input police Interface outside:
cir 100000000 bps, bc 3125000 bytes
conformed 115001100 packets, 136201618892 bytes; actions: transmit
exceeded 1515 packets, 2172510 bytes; actions: drop
conformed 1971360 bps, exceed 0 bps
ASA5510#

And right now, I have configured as shown below.

access-list 100mgabit-acl extended permit ip any any

class-map cls-100mgabit
match access-list 100mgabit-acl
!
!
policy-map pmap-100mgabit
class cls-100mgabit
police output 100000000
police input 100000000

!
service-policy pmap-100mgabit interface outside

Vibhor Amrodia · ‎08-11-2015

Hi,

Change the Conform Rate action to drop.

Thanks and Regards,

Vibhor Amrodia

rizwanr74 · ‎08-11-2015

Hi Vibhor,

If I change "police input 100000000 conform-action drop", will it not drop all traffic without ever transmitting it?

thanks

Vibhor Amrodia · ‎08-11-2015

Hi,

No , This will only drop the packets which are above the conform Burst:- 3125000 bytes

Thanks and Regards,

Vibhor Amrodia

rizwanr74 · ‎08-12-2015

I will set as per your suggestion "police input 100000000 conform-action drop" and I am puzzled with "3125000 byte", was set by ASA itself.

As you know 3125000 byte is 25Mbps all in its own and policying is set to "100000000" which is 100Mpbs and total sum up to 125Mpbs.

When policying is set to "100000000" = 100Mpbs, why does it burst upto 125Mpbs?

I don't get it.

Rate-limit set for 100-Mbps but interface utilization hit 320-Mbps ?