
Traffic policing

Hi.

I need to do some traffic policing.

I have 2 IPs in my LAN that need differentiated policing.

192.168.15.101 - policing 500k

192.168.15.102 - policing 1M

I have configured the class-maps as follows.

class-map match-any SG1
 match access-group 161
class-map match-any SG2
 match access-group 162
!
!
policy-map SHAP
 class SG1
  police 500000 conform-action transmit exceed-action drop
 class SG2
  police 1000000 conform-action transmit exceed-action drop
access-list 161 permit ip host 192.168.15.101 any
access-list 162 permit ip host 192.168.15.102 any

And I applied the policy map in the input direction on Fa4 (WAN interface).

The problem is that I don't see matches on the access-lists.

If I put the any any at the end, the shaping functions, so I guess the problem is with the access-list / NAT.

Vlan 1 ip 192.168.15.1 /24

WAN Ip xx.xx.xx.xx

NAT is performed in order to get to the internet.

Any ideas?

Ryan Newell
Cisco Employee

Hello,

  192.168.15.0 is your LAN, correct? If that is the case, the service policy should be applied in the output direction if applied to the WAN interface. Also, based on the results of my testing, if you police on the WAN interface, ACLs 161 and 162 would need to match on the NAT'd address. I suggest applying service policy input on the LAN interface. In this configuration you can use the inside local address, aka the 192.168.15.0 address space.

regards,

ryan

Hello,

      Policing is fine to use in the inbound direction. In your case, you just need to know that policing is done before the NAT process. You may try changing the ACLs. It would be "permit ip any host ".

HTH,

Toshi
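
A simplified model of the point both replies make, added here as an illustration and not code from the thread: it evaluates the two ACL lines from the question against the packet headers a classifier would see at each attachment point. `WAN_IP` and `SERVER` are constructed addresses, and the three attachment points encode the assumption that input features run before NAT and output features after it.

```python
import ipaddress

# Constructed addresses: WAN_IP stands in for the "xx.xx.xx.xx" in the post,
# SERVER is a hypothetical Internet host.
WAN_IP, SERVER = "203.0.113.10", "198.51.100.20"
NAT = {"192.168.15.101": WAN_IP, "192.168.15.102": WAN_IP}  # inside local -> global

ACLS = {  # the two ACL lines from the post
    161: "access-list 161 permit ip host 192.168.15.101 any",
    162: "access-list 162 permit ip host 192.168.15.102 any",
}

def parse_acl(line):
    """Parse 'access-list N permit ip <src> <dst>'; each side is 'host A' or 'any'."""
    tok = line.split()[4:]
    sides = []
    while tok:
        if tok[0] == "any":
            sides.append(None)
            tok = tok[1:]
        else:  # 'host A.B.C.D'
            sides.append(ipaddress.ip_address(tok[1]))
            tok = tok[2:]
    return tuple(sides)

def matches(acl, src, dst):
    """True if the (src, dst) pair is permitted by the numbered ACL."""
    s, d = parse_acl(ACLS[acl])
    return (s is None or s == ipaddress.ip_address(src)) and \
           (d is None or d == ipaddress.ip_address(dst))

def headers_seen(host, point):
    """(src, dst) as the classifier sees it at each attachment point (assumed model)."""
    return {
        "lan-in":  (host, SERVER),       # upload, before inside->outside NAT
        "wan-out": (NAT[host], SERVER),  # upload, after NAT: source is the global address
        "wan-in":  (SERVER, NAT[host]),  # download, before outside->inside NAT
    }[point]

def hits(point):
    """Which ACLs match traffic of each LAN host at the given attachment point."""
    return {h: [a for a in ACLS if matches(a, *headers_seen(h, point))] for h in NAT}

if __name__ == "__main__":
    for p in ("wan-in", "wan-out", "lan-in"):
        print(p, hits(p))
```

Only the `lan-in` point produces matches for ACLs 161 and 162, which is the zero-hit symptom described in the question when the policy sits on Fa4.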
