PIX QOS problem

Ofir-Yeshayahu
Level 1

Hello,

I have an FTP server on the DMZ and I want to restrict the bandwidth from and to the FTP server to 1 Mbps only.

My PIX configuration:

static (DMZ1,outside) 212.117.212.237 FTP netmask 255.255.255.255

access-list outside_mpc_in extended permit ip host FTP any

class-map outside-class

match access-list outside_mpc_in

policy-map outside-policy

description Outside_FTP_policy

class outside-class

police 1000000 1000

service-policy outside-policy interface outside

The outside interface is used to connect VPN users.

NAT is defined to allow FTP access from the Internet.

The main problem is that I have no match on the access-list ('outside_mpc_in').

Any idea?

Is something else missing?

Regards,

Ofir.

9 Replies

slaurin
Level 1

Hi,

Can you do a "show service-policy police" and tell me if you have any "conformed" or "exceeded" packets in there? (or just post the output). There you'll have a much better view of your policy...

Regards

Simon Laurin

Please rate if it helps

Thanks for your response (just came from my vacation...)

show service-policy police output:

police Interface outside:

cir 100000 bps, bc 1000 bytes

conformed 363452 packets, 69590935 bytes; actions: transmit

exceeded 198 packets, 229644 bytes; actions: drop

conformed 288 bps, exceed 0 bps

What does this output mean?

Regards,

Ofir
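A small parser for the "show service-policy police" output posted above, added here as an example and not part of the thread or of any Cisco tool. It pulls the configured rate and the conformed/exceeded counters into a dictionary and then applies the two checks a practitioner would want when monitoring a policer: does the configured cir match what was intended (here the expected 1000000 bps from the "police 1000000 1000" line, while the output shows 100000), and what share of the policed traffic is being dropped. The sample output is the text from the thread, embedded inline; the field names and the `check_policer` function are my own.

```python
import re

# The "show service-policy police" output as posted in the thread (embedded
# here as sample input so the script runs offline).
SAMPLE_OUTPUT = """\
police Interface outside:
  cir 100000 bps, bc 1000 bytes
    conformed 363452 packets, 69590935 bytes; actions: transmit
    exceeded 198 packets, 229644 bytes; actions: drop
    conformed 288 bps, exceed 0 bps
"""


def parse_police_output(text):
    """Return {interface: {cir_bps, bc_bytes, conformed, exceeded, ...}}."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"police Interface (\S+):", line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r"cir (\d+) bps, bc (\d+) bytes", line)
        if m:
            result[current]["cir_bps"] = int(m.group(1))
            result[current]["bc_bytes"] = int(m.group(2))
            continue
        # Cumulative counters since the last clear, with the action taken.
        m = re.match(r"(conformed|exceeded) (\d+) packets, (\d+) bytes; actions: (\w+)", line)
        if m:
            result[current][m.group(1)] = {
                "packets": int(m.group(2)),
                "bytes": int(m.group(3)),
                "action": m.group(4),
            }
            continue
        # Average rates over the measurement interval.
        m = re.match(r"conformed (\d+) bps, exceed (\d+) bps", line)
        if m:
            result[current]["conformed_rate_bps"] = int(m.group(1))
            result[current]["exceed_rate_bps"] = int(m.group(2))
    return result


def check_policer(stats, expected_cir_bps):
    """Monitoring checks (my own, not a Cisco feature): rate mismatch and drop share."""
    findings = []
    for iface, s in stats.items():
        if s.get("cir_bps") != expected_cir_bps:
            findings.append(
                f"{iface}: cir {s.get('cir_bps')} bps differs from expected {expected_cir_bps} bps"
            )
        conformed = s.get("conformed", {}).get("bytes", 0)
        exceeded = s.get("exceeded", {}).get("bytes", 0)
        total = conformed + exceeded
        if total and exceeded:
            pct = 100.0 * exceeded / total
            findings.append(f"{iface}: {exceeded} bytes dropped ({pct:.2f}% of policed traffic)")
    return findings


if __name__ == "__main__":
    stats = parse_police_output(SAMPLE_OUTPUT)
    for finding in check_policer(stats, expected_cir_bps=1000000):
        print(finding)
```

Run against the posted output, the first finding is the cir mismatch (100000 bps seen, 1000000 bps expected), which is the same discrepancy the next reply in the thread points out; the second shows that only about a third of a percent of the policed bytes were dropped.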

Hi,

The output means a policer with a rate of 100 kbps (should be 1000 kbps?) is configured and it got 69590935 bytes within the rate allowed to transmit and 229644 bytes outside the configured bandwidth, which were dropped.

The average bandwidth since the last reset of counters is 288 bps of conforming data and 0 bps of exceeding data. This is somewhat misleading if you do not take into account the measurement time. E.g. if you transfer for 1 minute at 10 Mbps there will be a lot of dropped packets. If this was the only transfer in a measurement interval of 100 minutes, it would average to 100 kbps in the display.

In your case make sure source and destination IPs in your access-list match your environment. A config, which should work:

static (DMZ1,outside) 212.117.212.237 FTP netmask 255.255.255.255

access-list outside_mpc_in extended permit ip host FTP any

access-list outside_mpc_in extended permit ip any host FTP

access-list dmz_mpc_in extended permit ip host 10.1.1.1 any

access-list dmz_mpc_in extended permit ip any host 10.1.1.1

!replace 10.1.1.1 with your real FTP server IP

class-map outside-class

match access-list outside_mpc_in

policy-map outside-policy

description Outside_FTP_policy

class outside-class

police 1000000 1000

service-policy outside-policy interface outside

class-map dmz-class

match access-list dmz_mpc_in

policy-map dmz-policy

description dmz_FTP_policy

class dmz-class

police 1000000 1000

service-policy dmz-policy interface dmz1

Hope this helps! Please rate all posts.

Regards, Martin
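To make the point about averages concrete, here is a single-rate token-bucket policer simulation, added as an example and not code from the thread or from Cisco. It models what "police <cir> <bc>" does on the PIX in the simplest terms: a bucket of `bc` bytes refilled at `cir` bits per second, a packet is transmitted if enough tokens are present and dropped otherwise. The scenario is the one described above: a 10 Mbps transfer for 1 minute against a 100 kbps policer with a 1000-byte burst, then averaged over a 100-minute counter interval. The class and function names, the 1000-byte packet size and the exact integer bookkeeping are my own assumptions.

```python
from dataclasses import dataclass


@dataclass
class PolicerStats:
    """Counters in the same shape as 'show service-policy police'."""
    conformed_packets: int = 0
    conformed_bytes: int = 0
    exceeded_packets: int = 0
    exceeded_bytes: int = 0


class SingleRatePolicer:
    """Token bucket: cir in bits/s, bc (burst) in bytes. Tokens are bytes."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps
        self.bc_bytes = bc_bytes
        self.tokens = bc_bytes      # the bucket starts full
        self.frac = 0               # refill remainder in bit-microseconds (exact)
        self.last_us = 0
        self.stats = PolicerStats()

    def offer(self, t_us, size):
        """Offer a packet of `size` bytes at time t_us; returns the action."""
        delta = t_us - self.last_us
        self.last_us = t_us
        # Refill at cir, capped at the burst size; integer math keeps it exact.
        self.frac += self.cir_bps * delta
        self.tokens = min(self.bc_bytes, self.tokens + self.frac // 8_000_000)
        self.frac %= 8_000_000
        if size <= self.tokens:
            self.tokens -= size
            self.stats.conformed_packets += 1
            self.stats.conformed_bytes += size
            return "transmit"
        self.stats.exceeded_packets += 1
        self.stats.exceeded_bytes += size
        return "drop"


def simulate_burst(cir_bps, bc_bytes, offered_bps, duration_s, pkt_size=1000):
    """Send a constant stream at offered_bps for duration_s through the policer."""
    policer = SingleRatePolicer(cir_bps, bc_bytes)
    interval_us = pkt_size * 8 * 1_000_000 // offered_bps
    packets = offered_bps * duration_s // (pkt_size * 8)
    for i in range(packets):
        policer.offer(i * interval_us, pkt_size)
    return policer.stats


def average_rates(stats, window_s):
    """Average bps over a counter window, as a 'since last clear' display would show."""
    total = stats.conformed_bytes + stats.exceeded_bytes
    return {
        "offered_bps": total * 8 // window_s,
        "conformed_bps": stats.conformed_bytes * 8 // window_s,
        "exceeded_bps": stats.exceeded_bytes * 8 // window_s,
    }


if __name__ == "__main__":
    # 10 Mbps for 60 s against a 100 kbps / 1000-byte policer (scenario from the post).
    s = simulate_burst(cir_bps=100_000, bc_bytes=1000, offered_bps=10_000_000, duration_s=60)
    print(s)
    print(average_rates(s, window_s=100 * 60))
```

During the minute of transfer 99% of the packets are dropped, yet averaged over the 100-minute window the offered load reads as 100 kbps and the conformed rate as only 1 kbps, which is why a low "conformed bps" figure in the display says nothing about how hard the policer was hit during the transfer itself.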

Any idea?

Ofir,

To me it looks like the ACL is crafted wrong. The FTP option is going to correspond to TCP 21, which would be your server source port. The FTP-Data option is going to correspond to the return data stream, TCP 20, which the remote host sources.

Second if you want the policy-map to affect both inbound received data and outbound sent data then you need this applied to both interfaces. Here is a config.

access-list outside_mpc_ftp_out extended permit tcp host x.x.x.x eq ftp-data any

!This will limit your outbound data stream from DMZ FTP to any host

access-list dmz_mpc_ftp_out extended permit tcp any host x.x.x.x eq ftp-data

!This will limit any ftp data stream in to the DMZ FTP host

policy-map outside-policy

description Outside_FTP_policy

class outside-class

police 1000000 1000

policy-map dmz-policy

description DMZ_FTP_policy

class dmz-class

police 1000000 1000

service-policy outside-policy interface outside

service-policy dmz-policy interface dmz1

Please rate any helpful posts

Thanks

Fred

Ofir,

Just noticed FTP was the hostname and not a protocol alias. I would still try my configuration and see if it works for you.

Thanks

Fred

Ofir,

Ok, let me try this again since I had some discrepancies in the 1st post. Here is what I think would be an accurate configuration.

access-list outside_mpc_ftp_out extended permit tcp host x.x.x.x eq ftp-data any

!This will limit your outbound data stream from DMZ FTP to any host

access-list dmz_mpc_ftp_out extended permit tcp any host x.x.x.x eq ftp-data

!This will limit any ftp data stream in to the DMZ FTP host

class-map outside-class

match access-list outside_mpc_ftp_out

class-map dmz-class

match access-list dmz_mpc_ftp_out

policy-map outside-policy

description Outside_FTP_policy

class outside-class

police 1000000 1000

policy-map dmz-policy

description DMZ_FTP_policy

class dmz-class

police 1000000 1000

service-policy outside-policy interface outside

service-policy dmz-policy interface dmz1

Thanks

Fred

Thank you.

Can you please answer the following:

If I want to match traffic from Inside to DMZ, all traffic from the inside local network to a specific DMZ IP server, should I do it on the Inside interface or the DMZ interface? Maybe both?

As I understand it, it's possible to match only inside traffic to an interface and not both inside and outside (like NAT).

Same for all traffic from the DMZ server to Outside and Outside to the DMZ server? Should I have two policies, one for outside and one for DMZ?

Regards,

Ofir.

Ofir,

For maximum coverage you want the QoS policy applied to all egress interfaces that require queueing and policing. This usually is also cleaner and easier to troubleshoot when you are trying to determine traffic rates and drops.

Thanks

Fred