QoS Configuration - police cir - netflow - problem

fabiogarcia
Level 1

Dears,

I have this configuration at my router, can anybody make a suggestion?

Sorry for the long post... tried to simplify as much as I could.

ip access-list extended SHAPE_TRAFEGO_SRC_172.17.196.12
 permit ip host 172.17.196.12 any
 permit ip any host 172.17.196.12

class-map match-any SHAPE_TRAFEGO_SRC_172.17.196.12
 match access-group name SHAPE_TRAFEGO_SRC_172.17.196.12

policy-map qos_new
 ...
 class SHAPE_TRAFEGO_SRC_172.17.196.12
  police cir 8000
   conform-action transmit
   exceed-action drop
   violate-action drop
 ...
 class class-default
  fair-queue

policy-map PARENT_qos_new
 class class-default
  shape average 2000000
  service-policy qos_new

**** That's a Frame relay interface ******

interface Serial0/1/1
 description XXXXXX
 no ip address
 encapsulation frame-relay IETF
 invert txclock
!
interface Serial0/1/1.777 point-to-point
 description XXXXXXX
 bandwidth 2048
 ip address 172.26.0.65 255.255.255.252
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 frame-relay interface-dlci 777
  service-policy output PARENT_qos_new

That should be policing all that traffic to 8kbps... but in my NETFLOW tool, I see traffic going above that limit... a lot of times... below is an example

ScreenShot468.jpg

We can see easily that traffic goes at 300Kbps limit...

I see that traffic is using that police as well... but not really policed...

router#sh ip access-lists SHAPE_TRAFEGO_SRC_172.17.196.12
Extended IP access list SHAPE_TRAFEGO_SRC_172.17.196.12
    10 permit ip host 172.17.196.12 any
    20 permit ip any host 172.17.196.12 (2067609 matches) <<<<<<<< increasing all the time

Any suggestion ?

15 Replies

bcoverstone
Level 1

Looking at the image you included, the IP address that your testing is coming from is 172.16.9.176, while the IP address in your access list is 172.17.196.12.

By the way, the policer will work all the time, even when there is not congestion.  I use this exact same technique to limit IMAP traffic and it works great.

With the new HQF (hierarchical queuing framework), you can shape within shapers.  For example, you could shape a service policy at 2Mbits/sec and set one child class to shape at 8kbits/sec.  Even when there is not congestion at 2Mbits, the child class will always shape to 8kbits/sec.  One thing to be aware of, the default delay when shaping is active is about 25 milliseconds, for pre-HQF IOS images.  It's safe to calculate your own bits per interval to bring it down to 4 milliseconds.  This can be done by dividing the bitrate by 250 for the bits per interval (which is what HQF uses by default).  That way you won't notice the delay as much when shaping kicks in. For example, in pre-HQF you would want "shape average 2000000 8000 8000", where in HQF you just need "shape average 2000000".

HQF is pretty handy.

Good luck to you.
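The first point in the reply above, whether the flows shown by the NetFlow tool actually fall into the policed class, can be checked offline against the ACL from the original post. This is an added example, not code from the thread: the flow records and the address 10.0.0.5 are constructed, and the parser only handles the `host`/`any` forms used in that ACL.

```python
import ipaddress

# ACL entries exactly as posted in the thread.
ACL = """\
permit ip host 172.17.196.12 any
permit ip any host 172.17.196.12
"""

def parse_acl(text):
    """Return (src_net, dst_net) pairs for 'permit ip' entries using host/any."""
    def take(tokens):
        # Consume one address spec: 'any' or 'host A.B.C.D'.
        if tokens[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        if tokens[0] == "host":
            return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
        raise ValueError("unsupported address spec: " + tokens[0])
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        src, rest = take(tokens[2:])
        dst, _ = take(rest)
        rules.append((src, dst))
    return rules

def in_policed_class(rules, src, dst):
    """True if a flow src->dst matches an ACL entry, i.e. lands in the policed class."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in rs and d in rd for rs, rd in rules)

def split_rates(rules, flows):
    """Sum exported rates (bps) into (policed_class, all_other_classes)."""
    policed = sum(bps for src, dst, bps in flows if in_policed_class(rules, src, dst))
    return policed, sum(bps for _, _, bps in flows) - policed

# Constructed NetFlow-style records: (src, dst, average bps). Only 172.17.196.12
# and 172.16.9.176 come from the thread; 10.0.0.5 and the rates are made up.
FLOWS = [
    ("10.0.0.5", "172.17.196.12", 7500),
    ("172.16.9.176", "10.0.0.5", 300000),
]

if __name__ == "__main__":
    # Prints (7500, 300000): the 300 kbps flow never enters the policed class.
    print(split_rates(parse_acl(ACL), FLOWS))
```

A flow that does not match either ACL entry is handled by another class of `qos_new`, so only the parent shaper limits it.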
