05-28-2010 07:25 AM - edited 03-04-2019 08:37 AM
All,
If a router is totally maxed out on the outside interface, I'm able to telnet but the CLI is choppy at times. Is creating a control-plane policy the best way to handle incoming telnet traffic? I've never done one of these before....
Thanks,
John
05-28-2010 07:34 AM
Hey John,
In this situation (happened all the time to me in the past), you need to use CBWFQ to create a class called Mgt Class, and then assign telnet, SSH, NTP, etc. to that class so that any management traffic can be protected during periods of high bandwidth utilization.
Most of the transit traffic is CEF switched so there should not be any high CPU utilization.
05-28-2010 07:38 AM
Thanks Kevin. Where would you apply this? I can't apply it as inbound because it won't let me do it when I'm matching on an ACL....
Thanks,
05-28-2010 08:05 AM
Okay, so here's what I did that seemed to work.
I created an inbound service policy that marked telnet traffic to dscp af31.
I applied that to s0/0/0.
Then I created an outbound service policy that matched on af31 and gave it 2% of bandwidth.
I applied this outbound to fa0/0.
Seemed to speed up things quite a bit....
Thanks,
John
05-28-2010 08:08 AM
Yup, you got it!
05-28-2010 08:19 AM
Unfortunately, I think it was just coincidental that the packages that were being pushed were paused. I'm back to square one now that they're starting to use the bandwidth again. Any other suggestions?
05-28-2010 08:31 AM
John,
You can only police input traffic and not queue input traffic. Here are the commands you should use.
class-map match-any mgt
 match protocol telnet
policy-map ingress-wan
 class mgt
  police cir percent 5
interface Serial1/0
 service-policy input ingress-wan
05-28-2010 08:46 AM
Kevin,
I'm still getting very choppy response. Here's what I have:
class-map match-all MANAGEMENT
 match access-group 123

Extended IP access list 123
    10 permit tcp any any eq telnet (2703 matches)

policy-map S_INBOUND
 class MANAGEMENT
  police cir 256000
   conform-action transmit
   exceed-action transmit

 Service-policy input: S_INBOUND
  Class-map: MANAGEMENT (match-all)
   2588 packets, 170169 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: access-group 123
   police:
     cir 256000 bps, bc 8000 bytes
    conformed 1042 packets, 47346 bytes; actions:
     transmit
    exceeded 0 packets, 0 bytes; actions:
     transmit
    conformed 0 bps, exceed 0 bps
  Class-map: class-default (match-any)
   287636 packets, 269795265 bytes
   5 minute offered rate 1319000 bps, drop rate 0 bps
   Match: any

It's matching, but it's not doing anything. I've also tried 5 and 10%. It's not "unusable" so to speak, just choppy and I would think that it would speed up even if the bandwidth is used up.
Thanks,
John
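
An added example (not written by any poster in this thread): a small Python check over the `show policy-map interface` output posted above. It flags a policer whose actions are all `transmit`, which counts packets but cannot change how they are forwarded, and lists classes that have no policer at all. The function names are illustrative and the sample is abridged from that output.

```python
import re

# Abridged from the "show policy-map interface" output in the post above.
SAMPLE = """\
Class-map: MANAGEMENT (match-all)
 5 minute offered rate 0 bps, drop rate 0 bps
 police:
  cir 256000 bps, bc 8000 bytes
  conformed 1042 packets, 47346 bytes; actions:
   transmit
  exceeded 0 packets, 0 bytes; actions:
   transmit
Class-map: class-default (match-any)
 5 minute offered rate 1319000 bps, drop rate 0 bps
"""

def parse_classes(text):
    """Map class name -> offered/drop rate, CIR and per-result police actions."""
    classes, cur, pending = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Class-map: (\S+)", line):
            cur = classes.setdefault(m[1], {"actions": {}, "packets": {}})
            pending = None
        elif cur is None:
            continue
        elif m := re.match(r"5 minute offered rate (\d+) bps, drop rate (\d+) bps", line):
            cur["offered_bps"], cur["drop_bps"] = int(m[1]), int(m[2])
        elif m := re.match(r"cir (\d+) bps", line):
            cur["cir_bps"] = int(m[1])
        elif m := re.match(r"(conformed|exceeded|violated) (\d+) packets.*actions:", line):
            pending = m[1]
            cur["packets"][pending] = int(m[2])
        elif pending:  # the line after "...; actions:" names the action
            cur["actions"][pending], pending = line, None
    return classes

def audit(classes):
    """Flag policers that cannot change forwarding, and classes with no policer."""
    notes = []
    for name, c in classes.items():
        if "cir_bps" not in c:
            notes.append(f"{name}: no policer, {c.get('offered_bps', 0)} bps offered")
        elif set(c["actions"].values()) == {"transmit"}:
            notes.append(f"{name}: all police actions transmit, policer only counts")
    return notes

if __name__ == "__main__":
    print("\n".join(audit(parse_classes(SAMPLE))))
```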