Re: [cisco-ttl] 4506 and policy-map/class-map match problem

From: Serhat Uslay <serhat.uslay_at_....>
Date: Mon, 27 Oct 2008 22:37:50 +1100

I wonder, if you also write an ACL for class-default and say "permit ip any any log", would it log them? But if the traffic is heavy it may log a great deal; perhaps you could try it for a short while?

         Serhat

Emre SÜMENGEN <emresumengen_at_gmail.com>
Sent by: cisco-ttl_at_yahoogroups.com
27/10/2008 04:37 AM
Please respond to
cisco-ttl_at_yahoogroups.com

To
cisco-ttl_at_yahoogroups.com
cc

Subject
[cisco-ttl] 4506 and policy-map/class-map match problem

Hello,

We are working with policy-maps on a Cisco 4506. However, there is a situation that makes no sense to us:

Our local network has n networks; let us say they are 10.10.0.0/24, 10.20.0.0/24 and 10.30.0.0/24... Let us also assume we have a management network (something like 192.168.0.0/24) where the system administrators' computers are.

We want to apply a higher traffic limit to a few machines from these networks, and put a lower limit on the rest of the network. All remaining traffic will naturally be limited as well and its priority lowered a little (the management network in the example)... Our goal is to control upload traffic towards the internet.

For this we made a config like the one below:

1) First, we created an ACL and a class for the hosts we want to limit
   (let these hosts be 10.10.0.10, 10.20.0.20 and 10.30.0.30)

    ip access-list extended VL10_HOST_IN_ACL
     permit ip host 10.10.0.10 any
    class-map match-any VL10_HOST_IN_CLASS
     match access-group name VL10_HOST_IN_ACL

    ip access-list extended VL20_HOST_IN_ACL
     permit ip host 10.20.0.20 any
    class-map match-any VL20_HOST_IN_CLASS
     match access-group name VL20_HOST_IN_ACL

    ip access-list extended VL30_HOST_IN_ACL
     permit ip host 10.30.0.30 any
    class-map match-any VL30_HOST_IN_CLASS
     match access-group name VL30_HOST_IN_ACL

2) Then, for all the remaining computers, we created ACLs and classes tied to the networks...

    ip access-list extended VL10_IN_ACL
     permit ip 10.10.0.0 0.0.0.255 any

    ip access-list extended VL20_IN_ACL
     permit ip 10.20.0.0 0.0.0.255 any

    ip access-list extended VL30_IN_ACL
     permit ip 10.30.0.0 0.0.0.255 any

    class-map match-any VLANS_IN_CLASS
     match access-group name VL10_IN_ACL
     match access-group name VL20_IN_ACL
     match access-group name VL30_IN_ACL

3) Then we created our policy-map

    policy-map INPUT_POLICY
     class VL10_HOST_IN_CLASS
      dbl
      police 100m 512k conform-action transmit exceed-action drop
     class VL20_HOST_IN_CLASS
      dbl
      police 80m 512k conform-action transmit exceed-action drop
     class VL30_HOST_IN_CLASS
      dbl
      police 70m 512k conform-action transmit exceed-action drop
     class VLANS_IN_CLASS
      dbl
      police 50m 512k conform-action transmit exceed-action drop
     class class-default
      police 50m 256k conform-action transmit exceed-action drop
      set precedence routine
      set ip precedence routine

and so on...

However, what we see in practice is that, although class-default in the policy-map constantly shows exceeds, VLANS_IN_CLASS has no exceeds at all; it keeps conforming and the traffic flows.

In such a setup, is there any way for us to see the traffic that matches these classes (in real time etc.)? In particular, we want to see the traffic that matches no class and falls into default. Only the management VLAN should be falling into default, yet there is far more conform/exceed than we expected. It is as if the policy is not being applied to the VLANS_IN_CLASS class, or somehow the traffic does not match...

Does anyone have any comments?

NOTE: The device has a Sup5 and the IOS version we are using is 12.2(25)EWA7

NOTE 2: The policy-map we created is applied on a single gigabit interface through which all of these networks arrive via routing, in the input direction...

Emre SUMENGEN
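Added example, not from the thread or from Cisco: a small Python model of the classification order in INPUT_POLICY, with the ACL names and addresses taken from Emre's post. It replays which class a source/destination pair would land in (first matching class in policy-map order, class-default otherwise) and which sources in a flow list fall through to class-default, which is the visibility the question asks for; the `police` rates and the `dbl` keyword are not modelled, and any flows you pass to it are constructed input.

```python
import ipaddress
# Added example (not from the thread): replay INPUT_POLICY classification from
# the original post to see which class a given source/destination pair lands in.
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def parse_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tokens[0], str(netmask)), strict=False), tokens[2:]

def parse_ace(line):
    """'permit ip <src> <dst>' -> (src_net, dst_net); only 'permit ip' is modelled."""
    tokens = line.split()
    src, rest = parse_addr(tokens[2:])
    return src, parse_addr(rest)[0]

# ACLs and class-maps exactly as in the post (every ACL has a single ACE)
ACLS = {
    "VL10_HOST_IN_ACL": [parse_ace("permit ip host 10.10.0.10 any")],
    "VL20_HOST_IN_ACL": [parse_ace("permit ip host 10.20.0.20 any")],
    "VL30_HOST_IN_ACL": [parse_ace("permit ip host 10.30.0.30 any")],
    "VL10_IN_ACL": [parse_ace("permit ip 10.10.0.0 0.0.0.255 any")],
    "VL20_IN_ACL": [parse_ace("permit ip 10.20.0.0 0.0.0.255 any")],
    "VL30_IN_ACL": [parse_ace("permit ip 10.30.0.0 0.0.0.255 any")],
}
CLASS_MAPS = {  # match-any: one permitting ACL is enough
    "VL10_HOST_IN_CLASS": ["VL10_HOST_IN_ACL"],
    "VL20_HOST_IN_CLASS": ["VL20_HOST_IN_ACL"],
    "VL30_HOST_IN_CLASS": ["VL30_HOST_IN_ACL"],
    "VLANS_IN_CLASS": ["VL10_IN_ACL", "VL20_IN_ACL", "VL30_IN_ACL"],
}
# Classes are evaluated in policy-map order; the first match wins.
POLICY = ["VL10_HOST_IN_CLASS", "VL20_HOST_IN_CLASS", "VL30_HOST_IN_CLASS", "VLANS_IN_CLASS"]

def classify(src_ip, dst_ip):
    """Return the INPUT_POLICY class a packet from src_ip to dst_ip lands in."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for cls in POLICY:
        for acl in CLASS_MAPS[cls]:
            if any(src in s and dst in d for s, d in ACLS[acl]):
                return cls
    return "class-default"

def default_sources(flows):
    """Sources in a list of (src, dst) flows that fall through to class-default."""
    return sorted({s for s, d in flows if classify(s, d) == "class-default"})
```

Feeding it sources taken from an exported flow record (or from the log lines a `permit ip any any log` ACL would produce, as suggested in the reply) shows directly which addresses the switch should be putting into class-default.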


Received on Mon Oct 27 2008 - 14:14:41 CET

This archive was generated by hypermail 2.2.0 : Mon Oct 27 2008 - 14:14:42 CET