If the traffic rate is below the CIR, then there is no burst traffic. Normal traffic below the CIR does not fall into the conform action or the exceed action, because it is not bursting. This traffic is allowed through no matter what. The conform action is only when the CIR is exceeded but still falls below the burst rate. During your tests, was there enough traffic to exceed your CIR? If not, then all of your tests would have the same result, as the CIR is never exceeded. How did you generate traffic through the firewall to perform your tests?

_____
From: [email protected] [mailto:[email protected]] On Behalf Of Dnyaneshwar Gore
Sent: Friday, September 04, 2009 1:09 AM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ASA, Ver 8.0, QoS - Police query

Hi Kings,

As per your below mail: "The conform action is executed for packets within the average rate and burst size." That means the conform action will take place for traffic within CIR and burst rate, or for normal traffic, or for traffic flowing as per expectations. So if I set the conform action as "drop" then it should drop that normal traffic... isn't it? And this is wrong, as I want to allow normal traffic. I may be wrong, but this is what I can figure out from the explanation.

Another point is that I have tested the police command with transmit and drop actions in the lab, but the result or output is the same for all tests. No difference in output.

Regards,
D.M.Gore

On Fri, Sep 4, 2009 at 10:53 AM, Kingsley Charles <[email protected]> wrote:

Hi D.M.Gore,

ASA supports a single bucket system. Let's say the CIR is 9000 bps and the burst size is 1200 bytes. The following is configured as inbound for an Ethernet interface:

police input 9000 1200 conform-action transmit exceed-action drop

The bucket size is 1200 bytes and that is the maximum it can hold. The rate at which tokens are added to the bucket is 9000 bps. If the packets exceed the burst of 1200 bytes plus the 9000 bps rate, then the packets are dropped. The conform action is executed for packets within the average rate and burst size. The exceed action for a police command specifying traffic rate is executed for packets within the average rate and excess burst size.

With regards,
Kings

On Fri, Sep 4, 2009 at 9:36 AM, Dnyaneshwar Gore <[email protected]> wrote:

Hi Stuart,

I found the following explanation from the Cisco command lookup tool:

Note: The police command merely enforces the maximum speed and burst rate, forcing them to the conforming rate value. It does not enforce the conform-action or the exceed-action specification if these are present.

So by this explanation it is clear that conform-action and exceed-action do not take place even if they are specified in the command. I was right.

Regards,
D.M.Gore

On Thu, Sep 3, 2009 at 3:48 PM, Dnyaneshwar Gore <[email protected]> wrote:

Thanks for your explanation. But I have some queries as follows:

* If the conform action is transmit then it will allow traffic more than CIR but less than the burst value. But when I set the conform action as transmit, I get the same ping result, i.e. 98% success rate, as it was when the conform action is drop. There should be some difference between the two outputs. I have attached results for different cases.

Also, what should be the difference if I set the exceed action as transmit?

Regards,
D.M.Gore

On Thu, Sep 3, 2009 at 3:10 PM, Stuart Hare <[email protected]> wrote:

So this looks to be expected behaviour to me. As soon as the 64k is reached you're telling it to drop the traffic. The exceed action will never enter into this equation as you are dropping conformed traffic, and there's nowhere else to go.

So basically your CIR sets your nominal rate of transfer; once you exceed the CIR and enter the burst rate you are conforming, thus the conform action comes into play. If you continue to use more than the burst rate you are deemed to be exceeding and the exceed action steps in.

HTH
Stu

2009/9/3 Dnyaneshwar Gore <[email protected]>

PFA configuration and result. The diagram is:

R1 (router) (136.1.121.13) ------------------- (Inside/136.1.121.12) ASA (Outside/136.1.122.12) -------------------- R2 (router) (136.1.122.13)

On Thu, Sep 3, 2009 at 1:31 PM, Stuart Hare <[email protected]> wrote:

Can you post the output and config? What device are you doing this on?

Stu

2009/9/3 Dnyaneshwar Gore <[email protected]>

I am assuming that by using the "police {inbound | outbound} CIR [Burst] conform-action drop exceed-action drop" command, all traffic should drop as the conform action is drop. But it is not happening. I am pinging from the inside host to the outside host with 1000 counts and 1500 size and the result is a successful ping but with about 9 drops. Same result with the "police {inbound | outbound} CIR [Burst] conform-action transmit exceed-action transmit" command. By seeing this, conform and exceed action do not drop the packets. Then what is their use? Also, why would one set the exceed action as transmit? It should be drop as it is crossing the committed rate.

Regards,
D.M.Gore

On Thu, Sep 3, 2009 at 12:58 PM, Stuart Hare <[email protected]> wrote:

You say you found the output the same, but what about the result for each? If you are using the same tests and CIR/burst values then I would expect the output from your show commands to be the same.

Off the top of my head (and it is still early in the morning), I can't see why you would use 2 & 3. 2 is saying drop everything regardless, which you could have done with the drop command instead of police. 3 is saying permit everything regardless. For policing to be efficient and effective you need to set differing actions for your conform and exceed, even if this is just marking the packets with an IP precedence or DSCP value upon exceeding the rate.

Stu

2009/9/3 Dnyaneshwar Gore <[email protected]>

Hi ALL,

I am not able to understand the difference between the following commands:

1. police {inbound | outbound} CIR [Burst]
2. police {inbound | outbound} CIR [Burst] conform-action drop exceed-action drop
3. police {inbound | outbound} CIR [Burst] conform-action transmit exceed-action transmit

I tested these commands in the lab and found the output the same for all. I think conform-action and exceed-action do not work even if they are specified. Request your opinion.

Regards,
D.M.Gore

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
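As an added illustration of the single-bucket model Kings describes in the thread (this is not code from the thread, and it is not a model of the ASA's own implementation, whose enforcement of the configured actions the thread disputes), the following Python simulation implements a single-rate, two-colour token-bucket policer: tokens are added at the CIR, the bucket never holds more than the burst size, a packet conforms if enough tokens are present and exceeds otherwise, and the configured conform/exceed action decides whether it is transmitted or dropped. The class and function names, the two packet streams, and the use of the 9000 bps / 1200-byte values from Kings's mail are all constructed for this example.

```python
# Added example: textbook single-rate, single-bucket policer in the style of
# the ASA "police <direction> <cir> <burst>" command. Not the ASA's own code;
# all values and names here are constructed for illustration.

from dataclasses import dataclass, field


@dataclass
class SingleBucketPolicer:
    cir_bps: int                       # committed information rate, bits per second
    burst_bytes: int                   # bucket depth (Bc), bytes
    conform_action: str = "transmit"   # what to do with conforming packets
    exceed_action: str = "drop"        # what to do with exceeding packets
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def offer(self, arrival_time: float, size_bytes: int):
        """Return (colour, action) for one packet; conforming packets consume tokens."""
        # Refill at the CIR (bits/s -> bytes/s), capped at the bucket depth.
        elapsed = arrival_time - self.last_time
        self.tokens = min(float(self.burst_bytes), self.tokens + elapsed * self.cir_bps / 8)
        self.last_time = arrival_time
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform", self.conform_action
        # An exceeding packet leaves the bucket untouched.
        return "exceed", self.exceed_action


def police_stream(policer, packets):
    """Run (arrival_time, size_bytes) packets through the policer and tally the outcome."""
    tally = {"conform": 0, "exceed": 0, "transmit": 0, "drop": 0}
    for arrival_time, size_bytes in packets:
        colour, action = policer.offer(arrival_time, size_bytes)
        tally[colour] += 1
        tally[action] += 1
    return tally


# Constructed burst: 20 packets of 100 bytes, 10 ms apart (80 kbps offered
# against a 9 kbps CIR). The 1200-byte bucket absorbs the first 13 packets;
# after that only the trickle of refilled tokens lets an occasional packet conform.
BURSTY = [(k * 0.010, 100) for k in range(20)]

# Constructed slow ping: 1500-byte packets every 2 s is only 6 kbps on average,
# below the 9 kbps CIR, yet no single packet ever fits in a 1200-byte bucket.
OVERSIZED = [(k * 2.0, 1500) for k in range(5)]


def demo(conform_action="transmit", exceed_action="drop", packets=BURSTY):
    """Police a stream with the equivalent of 'police 9000 1200' and the given actions."""
    policer = SingleBucketPolicer(9000, 1200, conform_action, exceed_action)
    return police_stream(policer, packets)


if __name__ == "__main__":
    print("transmit/drop    :", demo())
    print("drop/drop        :", demo("drop", "drop"))
    print("transmit/transmit:", demo("transmit", "transmit"))
    print("1500-byte pings  :", demo(packets=OVERSIZED))
```

Running the three action combinations over the same burst shows why Stu calls the second and third commands pointless in a textbook policer: the colouring (14 conform, 6 exceed) is identical every time, and only the actions change what is forwarded, so drop/drop forwards nothing and transmit/transmit forwards everything. The oversized stream shows the edge case a 1500-byte ping test runs into: a packet larger than the burst size can never conform, however low the average rate, because the bucket can never hold enough tokens for it.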
