Hi D.M.Gore

To rate limit the network traffic, we can use either shaping or policing.
Policing drops the traffic that exceeds the defined threshold but shaping
buffers and then shapes the traffic out. So with policing, the traffic is
penalized for exceeding the threshold.

Let's go to some technical aspects of policing.


CIR = Bc/Tc

Bc is the committed burst size and Tc is the committed time window.


Let's consider Bc is 9000 bits and Tc is 0.25 secs. CIR will be 9000 x 0.25
which is 36 Kbps. Hence the CIR of the link is 36 Kbps. If the traffic is
within 36 kbps then it's conform and the conform action is taken. If it
exceeds 36 Kbps, then the exceed action is taken.


If you are an ISP and you want to rate limit your users, you configure CIR
for each user. For user Tom, if you have defined CIR as 256 Kbps, then you
will have two actions. If Tom's traffic is less than 256 Kbps allow the traffic
and if it is more than 256 Kbps drop the traffic exceeding.

Why would someone configure drop action for traffic conforming to the CIR?

If you configure drop for conform-action all traffic will be mostly denied.

Try to configure a policy as follows:

class-map test
 match any
policy-map test
 class test
  police 9000 2000 conform-action drop exceed-action drop
service-policy test interface inside

Please try to ping the inside interface and check if it succeeds.




With regards
Kings
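
Added example, not part of the original thread and not ASA's own code: a textbook single-bucket policer of the kind described in this thread, using the 9000 bps rate and 2000-byte burst from the sample policy above, replayed against constructed traffic to show how the conform and exceed actions change the outcome. The class and function names, the 500-byte packet size and the 100 ms spacing are assumptions made for the illustration.

```python
from collections import Counter


class SingleBucketPolicer:
    """Textbook single-rate, single-bucket policer (a model, not ASA source)."""

    def __init__(self, cir_bps, burst_bytes, conform_action, exceed_action):
        self.cir_bps = cir_bps
        # Tokens are kept in bit-milliseconds so all arithmetic stays integer.
        self.depth = burst_bytes * 8 * 1000
        self.tokens = self.depth          # bucket starts full
        self.last_ms = 0
        self.actions = {"conform": conform_action, "exceed": exceed_action}

    def offer(self, now_ms, size_bytes):
        """Meter one packet; return (verdict, action applied)."""
        # Refill at CIR since the previous packet, capped at the bucket depth.
        self.tokens = min(self.depth,
                          self.tokens + (now_ms - self.last_ms) * self.cir_bps)
        self.last_ms = now_ms
        cost = size_bytes * 8 * 1000
        if cost <= self.tokens:
            self.tokens -= cost           # only conforming packets spend tokens
            verdict = "conform"
        else:
            verdict = "exceed"
        return verdict, self.actions[verdict]


def run(conform_action, exceed_action, cir_bps=9000, burst_bytes=2000):
    """Replay constructed traffic: 100 packets of 500 bytes, one every 100 ms."""
    policer = SingleBucketPolicer(cir_bps, burst_bytes,
                                  conform_action, exceed_action)
    tally = Counter()
    for i in range(100):
        verdict, action = policer.offer(i * 100, 500)
        tally[verdict] += 1               # what the meter decided
        tally[action] += 1                # what happened to the packet
    return dict(tally)


if __name__ == "__main__":
    for conform, exceed in [("transmit", "drop"), ("drop", "drop"),
                            ("transmit", "transmit")]:
        print(f"conform-action {conform} exceed-action {exceed}:",
              run(conform, exceed))
```

In this model the meter marks the same packets conform or exceed whichever actions are configured; only the transmitted and dropped totals differ between the three variants.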

On Fri, Sep 4, 2009 at 12:39 PM, Dnyaneshwar Gore
<[email protected]> wrote:

> Hi Kings,
>
> As per your below mail "The *conform* action is executed for packets
> within the average rate and burst size." That means conform action will take
> place for traffic within CIR and Burst rate or for normal traffic or for
> traffic flowing as per expectations. So if I set conform action as "drop" then
> it should drop that normal traffic....isn't it? And this is wrong as I want
> to allow normal traffic. I may be wrong but this is what I can figure out
> from explanation.
>
> Another point is that I have tested police command with transmit and drop
> action in lab but the result or output is same for all tests. No difference
> in output.
>
> Regards,
> D.M.Gore
>
>   On Fri, Sep 4, 2009 at 10:53 AM, Kingsley Charles <
> [email protected]> wrote:
>
>> Hi D.M.Gore
>> ASA supports single bucket system. Let's say the CIR is 9000 bps and burst
>> size is 1200 bytes. The following is configured as inbound for an Ethernet
>> interface.
>>
>> police input 9000 1200 conform-action transmit exceed-action drop
>>
>>
>> The bucket size is 1200 bytes and that is the maximum it can hold. The rate at
>> which tokens are added to the bucket is 9000 bps. If the packets exceed the
>> burst of 1200 bytes plus 9000 bps rate, the packets are dropped.
>>
>> The *conform* action is executed for packets within the average rate and
>> burst size.
>>
>> The *exceed* action for a *police* command specifying traffic *rate* is
>> executed for packets within the average rate and excess burst size.
>>
>>
>>
>>
>> With regards
>> Kings
>>
>> On Fri, Sep 4, 2009 at 9:36 AM, Dnyaneshwar Gore <[email protected]
>> > wrote:
>>
>>> Hi Stuart,
>>>
>>> I found following explanation from Cisco command lookup tool:
>>> *Note*: The *police* command merely enforces the maximum speed and burst
>>> rate, forcing them to the conforming rate value. It does not enforce the
>>> *conform-action* or the *exceed-action* specification if these are
>>> present.
>>>
>>> So by this explanation it is clear that conform-action and exceed-action
>>> do not take place even if they are specified in command. I was right.
>>>
>>> Regards,
>>> D.M.Gore
>>>
>>>
>>> On Thu, Sep 3, 2009 at 3:48 PM, Dnyaneshwar Gore <
>>> [email protected]> wrote:
>>>
>>>> Thanks for your explanation.
>>>>
>>>> But I have some queries as follows:
>>>>
>>>>    -  if conform action is transmit then it will allow traffic more
>>>>    than CIR but less than Burst value.
>>>>
>>>> But when I set conform action as transmit, I get same ping result i.e.
>>>> 98 % success rate as it was when conform action is drop. There should be
>>>> some difference between two outputs.
>>>>
>>>> I have attached results for different cases.
>>>>
>>>> Also what should be the difference if I set exceed action as transmit.
>>>>
>>>> Regards,
>>>> D.M.Gore
>>>>
>>>> On Thu, Sep 3, 2009 at 3:10 PM, Stuart Hare <[email protected]
>>>> > wrote:
>>>>
>>>>> So this looks to be expected behaviour to me.
>>>>> As soon as the 64k is reached you're telling it to drop the traffic.
>>>>>
>>>>> Exceeded action will never enter into this equation as you are dropping
>>>>> conformed traffic, and there's nowhere else to go.
>>>>>
>>>>> So basically your CIR sets your nominal rate of transfer, once you
>>>>> exceed the CIR and enter the burst rate you are conforming, thus the
>>>>> conform action comes into play. If you continue to use more than the
>>>>> burst rate you are deemed to be exceeding and the exceed action steps in.
>>>>>
>>>>> HTH
>>>>>
>>>>> Stu
>>>>>
>>>>> 2009/9/3 Dnyaneshwar Gore <[email protected]>
>>>>>
>>>>>> PFA configuration and result. The diagram is
>>>>>>
>>>>>> R1 (router) (136.1.121.13) -------------------(Inside/136.1.121.12)
>>>>>> ASA (Outside/136.1.122.12) --------------------R2(router)
>>>>>> (136.1.122.13)
>>>>>>
>>>>>>   On Thu, Sep 3, 2009 at 1:31 PM, Stuart Hare <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Can you post the output and config?
>>>>>>>
>>>>>>> What device are you doing this on?
>>>>>>>
>>>>>>> Stu
>>>>>>>
>>>>>>> 2009/9/3 Dnyaneshwar Gore <[email protected]>
>>>>>>>
>>>>>>>> I am assuming that by using "police {inbound | outbound} CIR [Burst]
>>>>>>>> conform-action drop exceed-action drop" command, all traffic should
>>>>>>>> drop as conform action is drop. But it is not happening. I am pinging
>>>>>>>> from inside host to outside host with 1000 counts and 1500 size and
>>>>>>>> result is successful ping but with about 9 drops.
>>>>>>>> Same result with "police {inbound | outbound} CIR [Burst]
>>>>>>>> conform-action transmit exceed-action transmit" command.
>>>>>>>>
>>>>>>>> By seeing this, conform and exceed actions do not drop the packets.
>>>>>>>> Then what is their use?
>>>>>>>>
>>>>>>>> Also why one will set exceed action as transmit? It should be drop
>>>>>>>> as it is crossing committed rate.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> D.M.Gore
>>>>>>>>
>>>>>>>>   On Thu, Sep 3, 2009 at 12:58 PM, Stuart Hare <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> You say you found the output the same, but what about the result
>>>>>>>>> for each? If you are using the same tests and cir/burst values then
>>>>>>>>> I would expect the output from your show commands to be the same.
>>>>>>>>>
>>>>>>>>> Off the top of my head (and it is still early in the morning), I
>>>>>>>>> can't see why you would use 2 & 3.
>>>>>>>>> 2 is saying drop everything regardless, which you could have done
>>>>>>>>> with the drop command instead of police.
>>>>>>>>> 3 is saying permit everything regardless.
>>>>>>>>>
>>>>>>>>> For policing to be efficient and effective you need to set
>>>>>>>>> differing actions for your conform and exceed, even if this is just
>>>>>>>>> marking the packets with an ip precedence or dscp value, upon
>>>>>>>>> exceeding the rate.
>>>>>>>>>
>>>>>>>>> Stu
>>>>>>>>>
>>>>>>>>> 2009/9/3 Dnyaneshwar Gore <[email protected]>
>>>>>>>>>
>>>>>>>>>>    Hi ALL,
>>>>>>>>>>
>>>>>>>>>> I am not able to understand the difference between following
>>>>>>>>>> commands:
>>>>>>>>>> 1. police {inbound | outbound} CIR [Burst]
>>>>>>>>>> 2. police {inbound | outbound} CIR [Burst] conform-action drop
>>>>>>>>>> exceed-action drop
>>>>>>>>>> 3. police {inbound | outbound} CIR [Burst] conform-action transmit
>>>>>>>>>> exceed-action transmit
>>>>>>>>>>
>>>>>>>>>> I tested these commands in lab and found output same for all.
>>>>>>>>>>
>>>>>>>>>> I think conform-action and exceed-action do not work even if
>>>>>>>>>> they are specified.
>>>>>>>>>>
>>>>>>>>>> Request your opinion.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> D.M.Gore
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>>> please visit www.ipexpert.com
>>>>>>>>>>