QoS not working

burtsbees

Programmer
Jan 29, 2007
7,657
US
I am trying to limit FTP incoming on my WAN interface...

T1---Adtran---switch---router

interface Ethernet0/1
description AT&T_help_1-877-eat-shit
ip address xxxxxxxxxxxxxxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat outside
ip virtual-reassembly
ip route-cache flow
no ip route-cache cef
no ip mroute-cache
full-duplex
crypto map vpn_cmap_1
service-policy input MeasurFTP

policy-map MeasurFTP
class FTP
police rate 56000 bps
conform-action transmit
exceed-action drop

class-map match-any FTP
match protocol ftp


Any suggestions? FTP packets/downloads are still coming in at whatever bw the link is (i.e., I am downloading from our backup dsl circuit at full speed to our ftp server).

I am trying to rate-limit ftp to our ftp server. CAR did not work...

access-list 107 permit tcp any host 192.168.69.108 eq ftp
int e0/1
rate-limit input access-group 107 56000 2048 2048 conform-action transmit exceed-action drop

Still the same thing. Any suggestions? Whatever works, I can KRON to get rid of the acl at 5:05PM, and put it back in at 7:55AM...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
try applying service-policy outbound

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I'd have to agree, typically you don't police inbound to an interface. Haven't tried it so can't say how it would work.

But, it should work policing outbound of the interface. I'd still mark it incoming though.
 
Did that, found that class-map default is policing and offering everything at T1 speeds...what to do...

 
I am trying to limit FTP traffic to 56K coming in to our FTP server at 192.168.69.108. I tried

access-list 111 permit tcp any host 192.168.69.108

int e0/1
rate-limit input access-group 111 56000 2048 2048 conform-action transmit exceed-action drop

That did nothing. The adsl was still able to dl at 65-70KBps, which is 500-560Kbps. I want that number to be 1/10th of that, 7KBps, or 56000bps...

Suggestions? It has been quite some time since I have done anything with CAR or policing, etc...

 
Ok..I can't find my book so I'm taking a shot from memory and some old notes. You have probably seen something similar to this before:

ip access-list extended ACL-FTP_SERVER
 ! traffic leaving the FTP server (control and data channels)
 permit tcp host 192.168.69.108 eq ftp any
 permit tcp host 192.168.69.108 eq ftp-data any

class-map match-any CM-FTP_SERVER
 match access-group name ACL-FTP_SERVER

policy-map PM-POLICE_FTP
 class CM-FTP_SERVER
  ! police rate is given in bits per second
  police 56000
   exceed-action drop

Apply policy to your outbound interface with the service-policy command.


**Double check the ACL though. Not certain I have the logic quite right. Didn't really try and test this.
 
burt!!!!! I labbed this up brah. I had the following topology:
PC --- Switch --- (f0/0) 3640 (f0/1) --- Switch --- FTP Server

I enabled NBAR on my f0/0 interface and created the following:
Code:
class-map MATCH_FTP
  match protocol ftp

policy-map FIVE_OH
  class MATCH_FTP
    police 56000 conform-action transmit exceed-action drop

int f0/0
  service-policy input FIVE_OH
It worked like it was supposed to. It limited my uploads from the PC to the FTP server to right around 56kbps but my downloads from the FTP server were limitless. Exactly the same thing as lerdalt's suggestion, only I wanted to use NBAR cuz I can lol

 
I want it the other way around---limit the downloads and not the uploads...

I cannot remember how to enable NBAR...like route-cache or something? Don't make me look up my old notes...

 
just reverse it and put the outbound policy on your interface to the provider?
 
I took this

"I am trying to limit FTP traffic to 56K coming in to our FTP server at 192.168.69.108. I tried"

to mean that you want to limit uploads, don't ask me why lol. then it's like we said earlier, apply it outbound on the interface mayn.

 
Holy crap I'm dumb. What I did would have worked for uploading to the ftp server...

Been working and multitasking too much mayn...lol

I am going to try that this weekend, and I want someone to try and ftp to my server here at home after I make one...

Todd---email me and I'll give you my phone #

Rico---whatever your real name is, my email is

timandlizh at gmail dot com

 
you can just call me Big Pimpin and all will be good ;-)

my eeeeee male is:
shonuff6699 [aA][tT] yawhoooo dott com

 
Okay---outbound acting right now, HOWEVER...

My police rate set at 256000 bps, downloads after 2 minutes go to only 21KBps, which is 168000 bps. That concurs with the offered rate---how long does it normally take to climb up to the 256000bps, or in actuality will it hover around 65% or so due to the 8000 burst rate, and thus all the dropped packets? In other words, you add the dropped packets into the equation, and the rate is 35% of packets are being dropped, which would be directly proportional and in line with the offered rate PLUS dropped rate=total police rate...

Did I answer my own question?lol

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
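
The post above asks how an 8000-byte burst interacts with a 256000 bps police rate. The following is an added example, not code from any poster in this thread and not Cisco code: a constructed single-rate token-bucket policer in Python that counts conformed and exceeded packets for a back-to-back burst and for a sender that emits a fixed window every round trip. The 1500-byte packet size, T1 line rate, 200 ms RTT and 8-packet window are assumptions; 48000 bytes is the burst given by Cisco's CAR sizing guideline of rate / 8 * 1.5 seconds.

```python
"""Single-rate, two-colour token-bucket policer (conform = transmit, exceed = drop).
Constructed model for illustration; packet size, line rate and RTT are assumptions."""

MSS = 1500              # bytes per packet (assumed)
LINE_BPS = 1_544_000    # T1 line rate, sets the spacing of back-to-back packets


class Policer:
    def __init__(self, cir_bps, bc_bytes):
        self.rate = cir_bps / 8.0        # token refill, bytes per second
        self.bc = bc_bytes               # bucket depth (normal burst), bytes
        self.tokens = float(bc_bytes)    # bucket starts full
        self.last = 0.0

    def offer(self, t, size):
        """Return True if a packet of `size` bytes arriving at time t conforms."""
        self.tokens = min(self.bc, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False                     # exceed-action drop: no tokens consumed


def burst_survivors(cir_bps, bc_bytes, n_pkts):
    """Packets that conform out of n_pkts sent back-to-back into a full bucket."""
    pol = Policer(cir_bps, bc_bytes)
    gap = MSS * 8 / LINE_BPS             # seconds between packets at line rate
    return sum(pol.offer(i * gap, MSS) for i in range(n_pkts))


def windowed_sender(cir_bps, bc_bytes, window, rtt, seconds):
    """Fixed window of packets per RTT; returns (conformed_bps, exceeded_fraction)."""
    pol = Policer(cir_bps, bc_bytes)
    gap = MSS * 8 / LINE_BPS
    conformed = offered = 0
    for r in range(round(seconds / rtt)):
        for i in range(window):
            offered += MSS               # offered = conformed + exceeded
            if pol.offer(r * rtt + i * gap, MSS):
                conformed += MSS
    return conformed * 8 / seconds, 1 - conformed / offered


if __name__ == "__main__":
    for bc in (8000, 48000):             # 48000 = 256000 / 8 * 1.5 s
        print(bc, burst_survivors(256000, bc, 10),
              windowed_sender(256000, bc, 8, 0.2, 120))
```

In this model the conformed rate never rises above the configured rate for either burst size; what the burst changes is how many back-to-back packets get through before the first drop.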
 
Another ?...

How can I KRON this, like on and off at certain times? KRON (that I know of) can only be programmed at the global config level, and I would need higher level instructions...knowutimean, Vern?

 
Googling...

 
it's the description on that ethernet0/1 interface that's the problem :) <chuckles>

CCNA
Network +
 
I found that exact page and bookmarked it...

Thanks!

 
My kron policy-list looks like

cli int e0/1 service-policy out FTP

and for another kron occurrence...

cli int e0/1 no service-policy out FTP

We will see...

 