03-05-2012 05:00 AM - edited 03-04-2019 03:32 PM
Hi.
I need to do some traffic policing.
I have 2 IPs in my LAN that need differentiated policing.
192.168.15.101 - policing 500k
192.168.15.102 - policing 1M
I have configured the class-maps as follows.
class-map match-any SG1
 match access-group 161
class-map match-any SG2
 match access-group 162
!
!
policy-map SHAP
 class SG1
  police 500000 conform-action transmit exceed-action drop
 class SG2
  police 1000000 conform-action transmit exceed-action drop
access-list 161 permit ip host 192.168.15.101 any
access-list 162 permit ip host 192.168.15.102 any
And I applied the policy map in the input direction on Fa4 (WAN interface).
The problem is that I don't see matches on the access-lists.
If I put the any any at the end, the shaping functions, so I guess the problem is with the access-list / NAT.
Vlan 1 IP 192.168.15.1 /24
WAN IP xx.xx.xx.xx
NAT is performed in order to get to the internet.
Any ideas?
03-05-2012 07:43 AM
Hello,
192.168.15.0 is your LAN, correct? If that is the case, the service policy should be applied in the output direction if applied to the WAN interface. Also, based on the results of my testing, if you police on the WAN interface, ACLs 161 and 162 would need to match on the NAT'd address. I suggest applying service policy input on the LAN interface. In this configuration you can use the inside local address, aka the 192.168.15.0 address space.
regards,
ryan
03-05-2012 07:49 AM
Hello,
Policing is fine to use in the inbound direction. In your case, you just need to know that policing is done before the NAT process. You may try to change the ACLs. It would be "permit ip any host
HTH,
Toshi
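The following is an added example, not part of any post in this thread: a small Python model of which address the classifier sees at each attach point, showing why ACLs 161 and 162 never match on Fa4 input. It assumes the order the replies describe (input policing runs before NAT; on WAN output the source is already translated); `WAN_IP` and `SERVER` are constructed placeholder addresses, and the function names are hypothetical.

```python
from ipaddress import ip_address

# Constructed sample addresses (the thread masks the real WAN IP as xx.xx.xx.xx).
WAN_IP = ip_address("203.0.113.10")   # placeholder for the router's public address
SERVER = ip_address("198.51.100.7")   # constructed internet host

# ACLs from the thread: "permit ip host <src> any" matches on the source only.
ACLS = {
    "SG1": ip_address("192.168.15.101"),  # access-list 161
    "SG2": ip_address("192.168.15.102"),  # access-list 162
}


def classify(src):
    """Return the class whose ACL source host equals src, else class-default."""
    for name, host in ACLS.items():
        if src == host:
            return name
    return "class-default"


def seen_at(attach_point, host):
    """Return (src, dst) as the classifier sees traffic belonging to LAN host.

    Assumption taken from the replies: input policing is evaluated before NAT,
    and a packet leaving the WAN interface already carries the translated source.
    """
    views = {
        "lan-input": (host, SERVER),     # upload, inside local source
        "wan-output": (WAN_IP, SERVER),  # upload, after inside-to-outside NAT
        "wan-input": (SERVER, WAN_IP),   # download, before outside-to-inside NAT
    }
    return views[attach_point]


def matches(attach_point):
    """Map each policed LAN host to the class it lands in at attach_point."""
    return {str(h): classify(seen_at(attach_point, h)[0]) for h in ACLS.values()}


if __name__ == "__main__":
    for point in ("wan-input", "wan-output", "lan-input"):
        print(point, matches(point))
```

Only `lan-input` puts the two hosts into SG1 and SG2; at both WAN attach points the source is never an inside local address, so every packet falls through to class-default.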