Hi D.M.Gore
ASA supports a single bucket system. Let's say the CIR is 9000 bps and the burst
size is 1200 bytes. The following is configured as inbound for an Ethernet
interface.

police input 9000 1200 conform-action transmit exceed-action drop


The bucket size is 1200 bytes and that is the maximum it can hold. The rate at
which tokens are added to the bucket is 9000 bps. If the packets exceed the
burst of 1200 bytes plus 9000 bps rate, the packets are dropped.

The *conform* action is executed for packets within the average rate and
burst size.

The *exceed* action for a *police* command specifying traffic *rate* is
executed for packets within the average rate and excess burst size.




With regards
Kings
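
The single-bucket behaviour described above, with the same CIR of 9000 bps and burst of 1200 bytes, as an added example that is not part of the original message. It is a simplified model rather than ASA code; the class and function names, the full-bucket start and the traffic patterns are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SingleBucketPolicer:
    """Simplified single-rate, single-bucket policer (a model, not ASA code)."""
    cir_bps: int                      # token fill rate, bits per second
    burst_bytes: int                  # bucket depth, bytes
    conform_action: str = "transmit"
    exceed_action: str = "drop"
    tokens: int = field(init=False)
    last_ms: int = field(default=0, init=False)

    def __post_init__(self):
        # Tokens are counted in thousandths of a bit so arithmetic stays integer.
        self.capacity = self.burst_bytes * 8000
        self.tokens = self.capacity   # assumption: the bucket starts full

    def offer(self, t_ms: int, size_bytes: int) -> tuple[str, str]:
        """Classify one packet arriving at t_ms; return (class, action)."""
        # Refill at the CIR for the elapsed time, never beyond the burst size.
        self.tokens = min(self.capacity,
                          self.tokens + (t_ms - self.last_ms) * self.cir_bps)
        self.last_ms = t_ms
        cost = size_bytes * 8000
        if cost <= self.tokens:
            self.tokens -= cost
            return "conform", self.conform_action
        return "exceed", self.exceed_action   # no tokens are consumed

def simulate(packets, cir_bps=9000, burst_bytes=1200):
    """packets: iterable of (arrival_ms, size_bytes). Returns counters."""
    policer = SingleBucketPolicer(cir_bps, burst_bytes)
    stats = {"conform": 0, "exceed": 0, "transmit": 0, "drop": 0}
    for t_ms, size in packets:
        cls, action = policer.offer(t_ms, size)
        stats[cls] += 1
        stats[action] += 1
    return stats

# Constructed traffic patterns (not captured from a real device).
AT_16K = [(i * 50, 100) for i in range(40)]    # 100 B every 50 ms = 16000 bps
AT_8K = [(i * 100, 100) for i in range(40)]    # 100 B every 100 ms = 8000 bps
OVERSIZE = [(0, 1500)]                         # one packet larger than the bucket

if __name__ == "__main__":
    for name, pkts in [("16 kbps", AT_16K), ("8 kbps", AT_8K), ("1500 B", OVERSIZE)]:
        print(name, simulate(pkts))
```

In this model the 16 kbps stream conforms until the initial 1200 bytes of tokens are used up and is then held to roughly the CIR, the 8 kbps stream always conforms, and a single 1500-byte packet can never conform because it is larger than the bucket.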









On Fri, Sep 4, 2009 at 9:36 AM, Dnyaneshwar Gore <[email protected]> wrote:

> Hi Stuart,
>
> I found following explanation from Cisco command lookup tool:
> *Note*: The *police* command merely enforces the maximum speed and burst
> rate, forcing them to the conforming rate value. It does not enforce the
> *conform-action* or the *exceed-action* specification if these are present.
>
>
> So by this explanation it is clear that conform-action and exceed-action
> do not take place even if they are specified in the command. I was right.
>
> Regards,
> D.M.Gore
>
>
> On Thu, Sep 3, 2009 at 3:48 PM, Dnyaneshwar Gore 
> <[email protected]>wrote:
>
>> Thanks for your explanation.
>>
>> But I have some queries as follows:
>>
>>    -  if conform action is transmit then it will allow traffic more than
>>    CIR but less than Burst value.
>>
>> But when I set conform action as transmit, I get same ping result i.e. 98
>> % success rate as it was when conform action is drop. There should be
>> some difference between the two outputs.
>>
>> I have attached results for different cases.
>>
>> Also what should be the difference if I set exceed action as transmit.
>>
>> Regards,
>> D.M.Gore
>>
>> On Thu, Sep 3, 2009 at 3:10 PM, Stuart Hare 
>> <[email protected]>wrote:
>>
>>> So this looks to be expected behaviour to me.
>>> As soon as the 64k is reached you're telling it to drop the traffic.
>>>
>>> Exceeded action will never enter into this equation as you are dropping
>>> conformed traffic, and there's nowhere else to go.
>>>
>>> So basically your CIR sets your nominal rate of transfer, once you exceed
>>> the CIR and enter the burst rate you are conforming, thus the conform action
>>> comes into play. If you continue to use more than the burst rate you are
>>> deemed to be exceeding and the exceed action steps in.
>>>
>>> HTH
>>>
>>> Stu
>>>
>>> 2009/9/3 Dnyaneshwar Gore <[email protected]>
>>>
>>>> PFA configuration and result. The diagram is
>>>>
>>>> R1 (router) (136.1.121.13) -------------------(Inside/136.1.121.12) ASA
>>>> (Outside/136.1.122.12) --------------------R2(router) (136.1.122.13)
>>>>
>>>>   On Thu, Sep 3, 2009 at 1:31 PM, Stuart Hare <
>>>> [email protected]> wrote:
>>>>
>>>>> Can you post the output and config?
>>>>>
>>>>> What device are you doing this on?
>>>>>
>>>>> Stu
>>>>>
>>>>> 2009/9/3 Dnyaneshwar Gore <[email protected]>
>>>>>
>>>>>> I am assuming that by using "police {inbound | outbound} CIR [Burst]
>>>>>> conform-action drop exceed-action drop" command, all traffic should drop
>>>>>> as conform action is drop. But it is not happening. I am pinging from inside
>>>>>> host to outside host with 1000 counts and 1500 size and result is
>>>>>> successful ping but with about 9 drops.
>>>>>> Same result with "police {inbound | outbound} CIR [Burst]
>>>>>> conform-action transmit exceed-action transmit" command.
>>>>>>
>>>>>> By seeing this, conform and exceed action do not drop the packets.
>>>>>> Then what is their use?
>>>>>>
>>>>>> Also why would one set exceed action as transmit? It should be drop as
>>>>>> it is crossing the committed rate.
>>>>>>
>>>>>> Regards,
>>>>>> D.M.Gore
>>>>>>
>>>>>>   On Thu, Sep 3, 2009 at 12:58 PM, Stuart Hare <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> You say you found the output the same, but what about the result for
>>>>>>> each? If you are using the same tests and cir/burst values then I would
>>>>>>> expect the output from your show commands to be the same.
>>>>>>>
>>>>>>> Off the top of my head (and it is still early in the morning), I can't
>>>>>>> see why you would use 2 & 3.
>>>>>>> 2 is saying drop everything regardless, which you could have done
>>>>>>> with the drop command instead of police.
>>>>>>> 3 is saying permit everything regardless.
>>>>>>>
>>>>>>> For policing to be efficient and effective you need to set differing
>>>>>>> actions for your conform and exceed, even if this is just marking the
>>>>>>> packets with an ip precedence or dscp value, upon exceeding the rate.
>>>>>>>
>>>>>>> Stu
>>>>>>>
>>>>>>> 2009/9/3 Dnyaneshwar Gore <[email protected]>
>>>>>>>
>>>>>>>>    Hi ALL,
>>>>>>>>
>>>>>>>> I am not able to understand the difference between following
>>>>>>>> commands:
>>>>>>>> 1. police {inbound | outbound} CIR [Burst]
>>>>>>>> 2. police {inbound | outbound} CIR [Burst] conform-action drop
>>>>>>>> exceed-action drop
>>>>>>>> 3. police {inbound | outbound} CIR [Burst] conform-action transmit
>>>>>>>> exceed-action transmit
>>>>>>>>
>>>>>>>> I tested these commands in lab and found output same for all.
>>>>>>>>
>>>>>>>> I think conform-action and exceed-action do not work even if they
>>>>>>>> are specified.
>>>>>>>>
>>>>>>>> Request your opinion.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> D.M.Gore
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>> please visit www.ipexpert.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
