police not working on 4500

Hi,

I am trying to limit traffic entering and leaving a L3 int on my 4500 using the following config but it appears to do nothing..

class-map match-all test
 match access-group 100

policy-map limit-traffic
 class test
  police 400000 1000 exceed drop

int gi 3/1
 service-policy input limit-traffic
 service-policy output limit-traffic

access-list 100 permit tcp host 10.0.0.1 any eq ftp-data
access-list 100 permit tcp any eq ftp-data host 10.0.0.1

It sometimes shows me a match on the show policy-map int.. but nothing ever on the conform or drop -- no matter how much traffic I generate or what I set the limit to.. my ftp's whizz through at full speed.

I even set the ACL to permit ip any any and the behaviour was the same..

Thought I was maybe missing a global 'MLS qos' style command or an interface traffic-shaping - but no.

Any ideas anyone??

Please!!

TIA

T
Reply to
traust

Maybe you are testing with passive FTP? If so, then ftp-data port is not used for ftp data...

Good luck,

Sylvek

PS. If you come up with an easy way of detecting passive ftp data streams post it here. I'd like to know this too.

Reply to
sylvek
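
On the passive FTP question above, an added example (not posted by anyone in this thread): in passive mode the server announces the data port on the control connection in a 227 (PASV, RFC 959) or 229 (EPSV, RFC 2428) reply, so a classifier can read that reply to learn which flow to match. It assumes plain, unencrypted FTP whose control channel is visible; the function names and the sample session are constructed for illustration.

```python
import re

# 227 reply (RFC 959): "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227[ -].*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 reply (RFC 2428): "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229[ -].*?\((.)\1\1(\d{1,5})\1\)")


def passive_endpoint(reply_line, server_ip):
    """Return the (ip, port) the server will listen on for data, or None.

    server_ip is the server side of the control connection; EPSV replies
    carry only a port, so the address is taken from there.
    """
    line = reply_line.strip()
    m = PASV_RE.match(line)
    if m:
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            return None  # malformed reply, do not trust it
        ip = ".".join(str(o) for o in octets[:4])
        return ip, octets[4] * 256 + octets[5]  # port = p1*256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(2))
        return (server_ip, port) if 0 < port <= 65535 else None
    return None


def expected_data_flows(control_lines, server_ip):
    """Collect every passive data endpoint announced in one control session."""
    eps = (passive_endpoint(l, server_ip) for l in control_lines)
    return [ep for ep in eps if ep]


# Constructed sample: server replies seen on a control connection to 10.0.0.1
SAMPLE = [
    "220 FTP server ready",
    "230 User logged in",
    "227 Entering Passive Mode (10,0,0,1,195,80)",
    "150 Opening BINARY mode data connection",
    "226 Transfer complete",
    "229 Entering Extended Passive Mode (|||50123|)",
]

if __name__ == "__main__":
    for ip, port in expected_data_flows(SAMPLE, "10.0.0.1"):
        print(f"passive data flow expected to {ip}:{port}")
```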

Hi Sylvek,

No.. because I also tried with permit ip any any to catch everything from these test machines - but still no luck.. I will try another IOS today to see if it is related to a bug.. and if not then I am lost!

Reply to
traust

Just for info.... it was the 'mls qos' style command! Doh!.. It has been replaced by simply 'qos'. 'mls qos' is still there but is now undocumented and being phased out.

Would be easier if they had an IOS that detects you are using qos when you type in class-map!

Reply to
traust
