cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
724
Views
5
Helpful
4
Replies

Traffic Policing to avoid log message %CERM-4-RX_BW_LIMIT: Maximum Rx

quadrabe
Level 1
Level 1

Hi

We're trying to implement traffic policing to avoid following log message:

 

 

%CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

 

Following the whitepages https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/118746-technote-isr-00.html#anc4 and this https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/19645-policevsshape.html

However we still get the log message, does anyone know what we did wrong?
This is our config.

 

interface GigabitEthernet0/0
 description UPLINK WAN
 ip address dhcp
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CRYPTO_MAP
 service-policy input PM-Policing
Policy Map PM-Policing
    Class CL-Policing
     police rate 80000000 
       conform-action transmit 
       exceed-action drop 

Class Map match-all CL-Policing (id 1)
   Match any 
sh policy-map interface gi0/0
 GigabitEthernet0/0 

  Service-policy input: PM-Policing

    Class-map: CL-Policing (match-all)  
      870906 packets, 1119424862 bytes
      5 minute offered rate 63000 bps, drop rate 0000 bps
      Match: any 
      police:
          rate 80000000 bps, burst 2500000 bytes
        conformed 869659 packets, 1040884091 bytes; actions:
          transmit 
        exceeded 0 packets, 0 bytes; actions:
          drop 
        conformed 49000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)  
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any 

 

4 Replies 4

@quadrabe use shaping, here is an example of the exact same scenario. You'd probably want to purchase the HSEC license, rather than rely on this workaround.

Hi

For the location this issue is happening the business will not invest in the HSEC license.

It's a good article but not valid for us as we have to apply an input service-policy. Shaping is only possible with output policies.
It is not possible for us the apply an output policy on the other side as it is ISP material.

tvotna
Spotlight
Spotlight

It appears that you're using old IOS or an old platform, because in IOS-XE versions the CERM limit was changed to 250Mbps many years ago. The problem with CERM is that its measurement interval is very small, e.g. 1 sec or so. There can be microbursts and the 85Kbps limit is hit. Did you check show platform cerm-information?