Re: Problem with class-based Policing

jeff · ‎09-24-2002

I have a 2621 router with 64Mb DRAM and 16 Mb Flash. The IOS version is 12.1 (5)T7 softare option c2600-IS-M. My goal is to limit bandwidth based upon IP address. The server IPs will be on interface F0/1 and the Internet will be on interface F0/0. I've read as much as I could about the QOS class-based policing but my configuration is not working. Below is the commands I used for a test environment. Please not that all IP addresses on both interfaces are public and two different IP segments.

access-list 100 permit ip host xxx.xxx.xxx.2 any

class-map test

match access-group 100

policy-map testpolicy

class test

police 1500000 conform-action transmit exceed-action drop

int f0/0

service-policy output testpolicy

int f0/1

service-policy input testpolicy

All the commands are entered without a problem and look good from a show running. Access from the .2 server is not restricted to 1.5 Mb as what I'm trying to achieve. The access from the .2 server is unrestricted according to the bandwidth tests that I ran, acting as if the QOS policing is not even configured.

Thanks for any help.

Jeff

a-vazquez · ‎09-30-2002

Your config looks alright. What does the show policy-map output show?

Is the classification happening correctly? Are the counters increasing in the class test or are they increasing in the default class?

jeff · ‎09-30-2002

Thanks for the reply.

I changed the input/output on the interfaces. It's easier for me to do the bandwith testing when coming from the Internet to my server (F0/0 to F0/1). The commands I changed are below:

int f0/0

service-policy input testpolicy

int f0/1

service-policy output testpolicy

With these changes and many other different combinations it's still not restricting the bandwidth. Below is a copy of the "show policy-map int" command.

R9#sh policy-map int

FastEthernet0/0

Service-policy input: testpolicy (1045)

Class-map: test (match-all) (1047/2)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group 100 (1051)

police:

1500000 bps, 46750 limit, 46750 extended limit

conformed 0 packets, 0 bytes; action: transmit

exceeded 0 packets, 0 bytes; action: drop

conformed 0 bps, exceed 0 bps violate 0 bps

Class-map: class-default (match-any) (1055/0)

13475 packets, 20334428 bytes

5 minute offered rate 349000 bps, drop rate 0 bps

Match: any (1059)

FastEthernet0/1

Service-policy output: testpolicy (1077)

Class-map: test (match-all) (1079/2)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: access-group 100 (1083)

police:

1500000 bps, 46750 limit, 46750 extended limit

conformed 0 packets, 0 bytes; action: transmit

exceeded 0 packets, 0 bytes; action: drop

conformed 0 bps, exceed 0 bps violate 0 bps

Class-map: class-default (match-any) (1087/0)

13668 packets, 20356116 bytes

5 minute offered rate 350000 bps, drop rate 0 bps

Match: any (1091)

Thanks for any help.

Jeff

vramanaiah · ‎10-03-2002

This looks like a bug to me. All traffic is being handled by class-default.

Why dont you try with some other version?

jeff · ‎10-03-2002

Thanks for the reply.

I purchased a support contract on the router so that I can have tech support and download the latest IOS. I'm waiting for the registration to process, but I understand it takes 48 hours. I submitted the registration on Cisco's website yesterday but I guess it does take 48 hours because I'm still getting access denied when trying to download the latest IOS.

Jeff

jeff · ‎10-07-2002

I upgraded my IOS to 12.2(12) and it's still not working. I tried many configurations with the service-policy on the interfaces but no luck.

Jeff

thisisshanky · ‎09-30-2002

Your accesslist, first of all only matches traffic going from your server to internet.

This should have policed, the traffic going outward atleast, however.

Try adding a second statement for policing inbound traffic, and run a bandwidth test.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

jeff · ‎10-01-2002

Thanks for the reply.

I changed the input/output on the interfaces. It's easier for me to do the bandwith testing when coming from the Internet to my server (F0/0 to F0/1). The commands I changed are below:

int f0/0

service-policy input testpolicy

int f0/1

service-policy output testpolicy

With this configuration, it's still not working. I notice the class-default is seeing traffic, but my policy is not.

Thanks for any help.

Jeff