
Rate-limit set for 100-Mbps but interface utilization hit 320-Mbps?

rizwanr74
Level 7

Hi Guys,

 

I have an ASA primarily used for guest-wireless access. I have applied rate-limiting as shown in the table below, but this morning I noticed interface utilization hit 320-Mbps. I was under the impression it should not allow above and beyond 100-Mbps.

 

Can someone help me out: what is missing in my configuration?

access-list 100mgabit-acl extended permit ip any any

 

class-map cls-100mgabit
 match access-list 100mgabit-acl

 

policy-map pmap-100mgabit
 class cls-100mgabit
  police output 90000000 1250000
  police input 90000000 1250000


service-policy pmap-100mgabit interface outside

 

6 Replies

Vibhor Amrodia
Cisco Employee

Hi,

What are the conform-action and exceed-action set on the ASA device?

"show service-policy" would show that.

Also, try to change both actions to drop and see if that resolves the issue.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Thank you very much for your input.

I have it set as "conform-action transmit" and "exceed-action drop", but SolarWinds NPM is showing outside interface utilization hitting 126Mbps, whereas I set transit-action for 90Mbps and set BC for an additional 10Mbps, which should then total up to 100Mbps.

 

ASA5510# show service-policy police

Interface outside:
  Service-policy: pmap-100mgabit
    Class-map: cls-100mgabit
      Output police Interface outside:
        cir 100000000 bps, bc 3125000 bytes
        conformed 58496758 packets, 16742993776 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 284800 bps, exceed 0 bps
      Input police Interface outside:
        cir 100000000 bps, bc 3125000 bytes
        conformed 115001100 packets, 136201618892 bytes; actions:  transmit
        exceeded 1515 packets, 2172510 bytes; actions:  drop
        conformed 1971360 bps, exceed 0 bps
ASA5510#

 

And right now, I have configured as shown below.

access-list 100mgabit-acl extended permit ip any any

class-map cls-100mgabit
 match access-list 100mgabit-acl
!
!
policy-map pmap-100mgabit
 class cls-100mgabit
  police output 100000000
  police input 100000000

!
service-policy pmap-100mgabit interface outside

 

Hi,

Change the Conform Rate action to drop.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

 

If I change "police input 100000000 conform-action drop", will it not drop all traffic without ever transmitting it?

 

thanks

 

 

Hi,

No, this will only drop the packets which are above the conform burst: 3125000 bytes.

Thanks and Regards,

Vibhor Amrodia

I will set it as per your suggestion, "police input 100000000 conform-action drop", and I am puzzled by "3125000 byte", which was set by the ASA itself.


As you know, 3125000 byte is 25Mbps all on its own, and policing is set to "100000000", which is 100Mbps, and the total sums up to 125Mbps.

When policing is set to "100000000" = 100Mbps, why does it burst up to 125Mbps?

I don't get it.
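
The relationship between the cir and bc values in the "show service-policy police" output above can be checked with a generic single-rate token-bucket model. This is an added example, not part of the original thread and not the ASA's own implementation; the 1250-byte packet size and the constant offered load (320 Mbps, the figure from the thread title) are constructed inputs.

```python
# Added example: generic single-rate token-bucket policer.
# A model for reasoning about cir/bc, not Cisco ASA source code.
CIR_BPS = 100_000_000   # "cir 100000000 bps" from the output in this thread
BC_BYTES = 3_125_000    # "bc 3125000 bytes" from the same output


def police(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
    """Police (arrival_time_s, size_bytes) pairs sorted by time.

    Conforming packets are transmitted, exceeding packets are dropped.
    Returns (conformed_bytes, exceeded_bytes).
    """
    tokens = float(bc_bytes)          # bucket starts full
    last = None
    conformed = exceeded = 0
    for t, size in packets:
        if last is not None:
            # Refill at cir (converted to bytes/s), never above the bucket depth.
            tokens = min(bc_bytes, tokens + (t - last) * cir_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            conformed += size
        else:
            exceeded += size
    return conformed, exceeded


def offered_load(rate_bps, duration_s, size=1250):
    """Constructed input: constant-rate stream of fixed-size packets."""
    gap = size * 8 / rate_bps
    count = round(duration_s * rate_bps / (size * 8))
    return ((i * gap, size) for i in range(count))


def conformed_mbps(rate_bps, window_s):
    """Average transmitted rate over window_s, as a poller would compute it."""
    conformed, _ = police(offered_load(rate_bps, window_s))
    return conformed * 8 / window_s / 1e6


if __name__ == "__main__":
    for window in (1, 30):
        print(f"{window:>3} s window: {conformed_mbps(320e6, window):.2f} Mbps")
```

In this model bc is a bucket depth in bytes (3125000 bytes is 25,000,000 bits, or 0.25 s of traffic at the cir), so the average conformed rate over a window of T seconds is bounded by cir + 8*bc/T. That gives about 125 Mbps over the first second of a sustained overload and about 100.83 Mbps over 30 seconds.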
