2950 Traffic Policing

Hi,
I'm trying to configure traffic policing on a Catalyst 2950. The config is pretty straight-forward, or so I thought. I need to set up several policy-maps, each one policing traffic at different levels (5meg, 10meg, 20meg, etc.). My problem is, anything above 1Meg just doesn't seem to work as expected. Here's my config for a 10Meg policer:
class-map match-all ALL-TRAFFIC
 match access-group 1
policy-map 10mbs
 class ALL-TRAFFIC
  police 10000000 65536 exceed-action drop
access-list 1 permit any
Here's the interface config:
interface FastEthernet0/24
 switchport access vlan 53
 load-interval 30
 service-policy input 10mbs
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree link-type point-to-point
What happens is, when uploading files from the server attached to this port (ingress to the switch), my throughput is nowhere near 10Mb/s. I only end up getting about 2Mb/s consistently, with a large 600MB ISO file transfer.
I've configured policers before in routers and other types of switches and I would at least get around 7 to 8Mb/s, if not immediately, after some time, due to TCP's native congestion avoidance. I may be missing something blatantly obvious, though, as I've been wrestling with this the past few hours.

Although the page is about the 3550, I think most of the information is relevant to the 2950 as well (although the 2950 doesn't support the granularity of the 3550).
http://www.cisco.com/en/US/partner/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml
Have you tried using non connection-oriented traffic (UDP) to see what rates you achieve? I suspect TCP is probably suffering due to the policer dropping the packets.
HTH
Andy
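
The interaction between a policer's burst size and bursty traffic can be seen in a small token-bucket model. This is an added example, not part of the thread and not Cisco code: only the rate and burst come from the `police 10000000 65536` line above, while the traffic pattern (windows of 64 back-to-back 1500-byte packets at 100 Mb/s, spaced so they average exactly the policed rate) is constructed.

```python
"""Single-rate, two-colour token-bucket policer (conform = transmit, exceed = drop).

Integer microseconds and bits keep the arithmetic exact.
"""

PKT_BITS = 1500 * 8         # constructed: 1500-byte packets
LINE_BPS = 100_000_000      # FastEthernet line rate of the policed port


class Policer:
    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps
        self.cap = bc_bytes * 8     # bucket depth in bits
        self.tokens = self.cap      # bucket starts full
        self.last_us = 0
        self.frac = 0               # sub-bit credit carried between refills
        self.conformed = 0
        self.exceeded = 0

    def offer(self, now_us, size_bits):
        """Return True if the packet conforms (is transmitted)."""
        credit = (now_us - self.last_us) * self.cir_bps + self.frac
        self.frac = credit % 1_000_000
        self.tokens = min(self.cap, self.tokens + credit // 1_000_000)
        self.last_us = now_us
        if size_bits <= self.tokens:
            self.tokens -= size_bits
            self.conformed += 1
            return True
        self.exceeded += 1          # exceed-action drop: no tokens are consumed
        return False


def simulate(cir_bps, bc_bytes, window_pkts=64, windows=100):
    """Offer bursts of back-to-back packets whose long-run average equals the CIR.

    Returns (conformed_packets, dropped_packets).
    """
    pkt_us = PKT_BITS * 1_000_000 // LINE_BPS                    # 120 us on the wire
    period_us = window_pkts * PKT_BITS * 1_000_000 // cir_bps    # burst spacing
    policer = Policer(cir_bps, bc_bytes)
    for w in range(windows):
        start = w * period_us
        for k in range(window_pkts):
            policer.offer(start + k * pkt_us, PKT_BITS)
    return policer.conformed, policer.exceeded


if __name__ == "__main__":
    # 65536 is the burst from the post; 96000 is a constructed comparison value.
    for bc in (65536, 96000):
        ok, dropped = simulate(10_000_000, bc)
        print(f"bc={bc:>6} bytes: conformed={ok} dropped={dropped} "
              f"({100 * dropped / (ok + dropped):.1f}% loss)")
```

With this constructed load the 65536-byte bucket drops packets in every window even though the average offered rate never exceeds 10 Mb/s; a bucket deep enough to absorb one whole window drops none.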

Similar Messages

  • Traffic policing question on Cisco ASR 1001

    Hi Experts,
    I have a request to setup aggregated traffic policing on a Cisco ASR 1001 router for multiple networks within a router.
    Let's say I have a router with several subinterfaces:
    interface GigabitEthernet0/2
     description WAN
     ip address x.x.x.x x.x.x.x
    interface GigabitEthernet0/1.70
     description Lan_1
     encapsulation dot1Q 70
     ip address 192.168.55.1 255.255.255.0
    interface GigabitEthernet0/1.80
     description LAN_2
     encapsulation dot1Q 80
     ip address 192.168.56.1 255.255.255.0
    interface GigabitEthernet0/1.90
     description Servers
     encapsulation dot1Q 90
     ip address 172.16.10.1 255.255.255.0
    I have a WAN link of 100Mbit/s and I need to police traffic, so that I have 30Mbit/s for servers (GigabitEthernet0/1.90) and the remaining 70Mbit I want to share between interfaces Lan_1 and LAN_2. The idea is that I need 70Mbit/s equally shared between the two interfaces, so that I have fair policing on both interfaces. What is the best way to achieve this?
    Many Thanks

    Hello
    The below configuration is a possible option. It provides policing inbound from the clients' interfaces and LLQ priority queuing on the WAN interface for the servers, and the shaping value for LAN1 & 2 traffic is set to 35MB each.
    Notice nothing is defined for the default class; however, I am of the understanding this is given by default 1% of HQoS implementations.
    Maybe others on here could review to verify any problems with this post and share their thoughts?
    ip access-list extended SRVS_acl
     permit ip 172.16.10.0 0.0.0.255 any
    ip access-list extended LAN1_acl
     permit ip 192.168.55.0 0.0.0.255 any
    ip access-list extended LAN2_acl
     permit ip 192.168.56.0 0.0.0.255 any
    class-map match-all SRVS_CM
     match access-group name SRVS_acl
    class-map match-all LAN_1_CM
     match access-group name LAN1_acl
    class-map match-all LAN_2_CM
     match access-group name LAN2_acl
    policy-map SRVS_PM
     class SRVS_CM
      police 30720000 conform-action transmit exceed-action drop
    policy-map LAN_2_PM
     class LAN_2_CM
      police 35840000 conform-action transmit
    policy-map LAN_1_PM
     class LAN_1_CM
      police 35840000 conform-action transmit
    interface GigabitEthernet0/1.70
     service-policy input LAN_1_PM
    interface GigabitEthernet0/1.90
     service-policy input SRVS_PM
    interface GigabitEthernet0/1.80
     service-policy input LAN_2_PM
    policy-map WAN_CHILD
     class SRVS_CM
      priority 30720
     class LAN_1_CM
      shape average 35840000
     class LAN_2_CM
      shape average 35840000
     class class-default
      fair-queue
    policy-map WAN_PARENT
     class class-default
      shape average 102400000
      service-policy WAN_CHILD
    int GigabitEthernet0/2
     bandwidth 102400
     service-policy output WAN_PARENT
    res
    Paul

  • Traffic Policies IN NAC

    Hello friends,
    For host remediation, should we allow access to a particular destination, or is it accessible by default?
    OR
    Are traffic policies applied after a host passes posture assessment and remediation, to limit network access?
    Thanks

    Hello Faisal,
    Thanks for the response,
    My setup is in-band virtual mode.
    From your mail, what I understand is that if the host wants to succeed at posture assessment, it has to be permitted access to the particular destination.
    For example: if the host is not updated with full AV, then it has to be permitted access to the AV server for the updates in the temporary role.
    The access-list will be like: permit tcp any host 10.10.10.10 (AV Server) eq (port)
    Correct me if I am wrong?
    2) After the host succeeds in host posture assessment, we can also limit the host to a particular destination.
    Where is the option where we can specify such an access-list?
    Thanks

  • ISG: Service with traffic policing counts dropped packets.

    Hello,
    Our company has a Cisco 7304 NPEG100 router ("show version" is at the bottom of this message). We are planning to start ISG services on this router, but there is a bug, CSCei4190. When I set traffic policing in a service, accounting in this service counts packets that have been dropped by traffic policing.
    Here is example of my definition of service in RADIUS:
    User-Name = 'Internet-Service'
    Cisco-AVPair += "ip:traffic-class=in access-group 2000 priority 10"
    Cisco-AVPair += "ip:traffic-class=out access-group 2001 priority 10"
    Cisco-AVPair += "ip:traffic-class=in default drop"
    Cisco-AVPair += "ip:traffic-class=out default drop"
    Cisco-AVPair += "prepaid-config=TRAFFIC_PREPAID"
    Cisco-AVPair += "accounting-list=ISG_ACCT"
    Cisco-Service-Info += "QU;256000;D;512000"
    Acct-Interim-Interval += '60'
    When I remove Cisco-Service-Info += "QU;256000;D;512000" from the service definition, all traffic is counted correctly.
    I did not find in the Bug Details which version of IOS I should use on my 7304 router where this bug is fixed.
    Cisco IOS Software, 7300 Software (C7300-A3JK91S-M), Version 12.2(31)SB17,  RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 30-Oct-09 12:35 by vpernank
    ROM: System Bootstrap, Version 12.2(22r)S, RELEASE SOFTWARE (fc1)
    BOOTLDR: 7300 Software (C7300-BOOT-M), Version 12.2(20)S6, RELEASE SOFTWARE (fc4)
    7304 uptime is 17 hours, 24 minutes
    Uptime for this control processor is 17 hours, 24 minutes
    System returned to ROM by reload at 06:22:24 TSK Wed Feb 23 2005
    System restarted at 18:46:54 TSK Mon Mar 22 2010
    System image file is "disk0:c7300-a3jk91s-mz.122-31.SB17.bin"
    cisco 7300 (NPEG100) processor (revision B) with 983040K/65536K bytes of  memory.
    SB-1 CPU at 800Mhz, Implementation 0x401, Rev 0.2, 512KB L2 Cache
    4 slot midplane, Version 67.49
    Last reset from software reset or reload
    4 FastEthernet interfaces
    3 Gigabit Ethernet interfaces
    1021K bytes of non-volatile configuration memory.
    62592K bytes of ATA compact flash in bootdisk (Sector size 512 bytes).
    125952K bytes of ATA compact flash in disk0 (Sector size 512 bytes).
    Configuration register is 0x2102

    I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs.  Here's an example of one that does make it through:
    5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transitclass WB-Browsing
    I am not allowing all the traffic across the box.  The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone.  That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.
    And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.
    Any other suggestions?
    -Mat

  • Traffic Policing on Service Provider Edge router.

    Hi,
    I'm confused about traffic policing on a service provider edge router. Suppose I have taken internet bandwidth from my ISP and they say that they will give me 100 Mbps bandwidth burstable up to 1Gbps. What does that mean? What is burstable here?
    I would appreciate it if anyone from a service provider organization could give an output of their edge router's running config. I just have to understand how they police our traffic. Here I'm talking about Internet leased lines.

    This is probably something you will have to get your service provider to answer. Different service providers use the term burst in a different context. Some SPs are "NICE" and will set up no policer or shaper and will purely monitor the link for fair use, allowing you to exceed what you have purchased as long as you don’t abuse the privilege. Other service providers may set up a dual-rate policer with a CIR and a PIR to achieve the same. A 3rd scenario is as explained above, where the SP will set up a policer for 100Mb/s and then calculate the burst value at 1/8 of a second (or less in some cases), which allows your traffic to burst to full line rate for that time slice.
    There are other scenarios but the point I’m trying to make is that service providers don’t all do this the same way which is why you should ask them what they mean and how long your traffic would be allowed to burst to line rate.
    PJ

  • Cisco ASA QoS traffic policing - how to count conform burst

    hi,
    I have cisco ASA 8.4(5). I will do configuration for QoS traffic policing. Maximum output/input rate will be 850 Mbits/s.
    I am not sure if I need to do configuration also for conform burst? If yes, can I count a suitable value for it? I must admit that I don't understand the difference between conform rate and conform burst.
    access-list acl_qos_policing_admin extended permit ip any any
    class-map class_qos_policing_admin
     match access-list acl_qos_policing_admin
    policy-map policy_qos_policing_admin
     class class_qos_policing_admin
      police output 850000000 xxxxxxx
      police input 850000000 xxxxxxx
    service-policy policy_qos_policing_admin interface inside_ADM

    Hi, I have already done the configuration on the production firewall. The bandwidth test worked very well for 200Mbps or 300 Mbps. But I got slightly strange results for bigger rate limits such as 600Mbps or 850 Mbps. I could not see any dropped packets. I did the test via http://www.speedtest.net. Maybe because I need to set conform-burst? There is now only the default value (if you set a bigger conform-rate then you get a bigger conform-burst with the default value).
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
          Input police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
          Input police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
          Input police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes
          Input police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes

  • Application Traffic Policies

    Hi,
    Thanks for your previous helpful responses.
    I will be doing a POC at a customer site. I have the following applications listed that I will be optimizing:
    Oracle
    MS windows (CIFS)
    MS Exchange
    EFAX- oracle
    RTGS- Real Traffic Gross settlements
    T24
    internet thru proxy server.
    Banknet - Intranet Service.
    DNS.
    Mcafee antivirus updates service.
    I guess one way to capture the traffic types is to run a sniffer on the network. How do I know exactly how the application works, so as to know what kind of ATP to create for some of these applications mentioned and what kind of optimization to apply, since not all have an ATP defined in the default Cisco ATP?
    Thanks

    Obiora,
    There are several apps you list that are in the default application policies (CIFS, Oracle, Proxy server, etc.). I would recommend that you create a policy for Exchange via destination IP with full optimization as long as it's not encrypted by the Outlook clients.
    For the other apps, you are correct, you may have to run a sniffer to look at them as they may be customer apps. After you have found out what ports and/or IP addresses they will use, you can create customer policies if they don't fit into the default set.
    Hope that helps,
    Dan

  • Calling DSCP or IP Precedence on traffic Policing

    Hi Guys,
    I have a good question and I can say it's a challenging question. We have some policy-maps on some interfaces, because these interfaces are dedicated to some customers who are using them just for voice and video. I put some detail below for better understanding:
    router#sh policy-map QOS:POLICE:100M:pm-q
      Policy Map QOS:POLICE:100M:pm-q
        Class class-default
         police cir 100000000 bc 3125000
           conform-action transmit
           exceed-action drop
         service-policy QOS:RATE:30-x:pm-q
    router#sh policy-map QOS:RATE:30-x:pm-q
      Policy Map QOS:RATE:30-x:pm-q
        Class QOS:REALTIME:cm-q
          set qos-group 5
         police cir percent 30
           conform-action transmit
           exceed-action drop
        Class QOS:INTERACTIVE:cm-q
          set qos-group 3
        Class QOS:CONTROL:cm-q
          set qos-group 6
         police cir percent 10
           conform-action transmit
           exceed-action drop
        Class QOS:BUSINESSDATA:cm-q
          set qos-group 1
        Class class-default
          set qos-group 0
    We put this in because we expected to guarantee 30% of that bandwidth. It means we expected to guarantee 30mbps, but now the guys are saying this type of configuration is not working because calling DSCP on policing is not working.
    Now we have to change it to the below:
    router#Policy Map QOS:POLV2:GWS:100M:pm-q
        Class QOS:INT:MPLS:cm-q
         police cir 120000000 bc 21000000 be 42000000
           conform-action transmit
           exceed-action drop
           violate-action drop
    Now the question is, is this change right?
    Thanks
    Majid

    Sarah
    1) L2 switches can trust the dscp marking as well. The 2960 is a layer 2 only switch and the default is untrusted but if you then enter
    "mls qos trusted" you have a choice of 'cos|dscp|ip-precedence'. The default if no choice is entered is DSCP.
    2) If "mls qos trust dscp" is entered then the switch will use the DSCP marking found in the packet. This will then be used as the internal DSCP marking that all switches use. Unless you have a DSCP-DSCP mutation map the value used will be the value received in the packet.
    Jon

  • Traffic Shaping and Prioritization in ASA

    Hi Everyone,
    I read that traffic prioritization is always applied in the outbound direction, when traffic is trying to leave the ASA.
    Also I read that traffic shaping can be applied to all outgoing traffic on an interface.
    I need to know if traffic shaping and prioritization mean the same thing in ASA?
    Is their direction always outbound?
    Regards
    MAhesh

    Hello Mahesh,
    Not sure I get it but let me see if I can help,
    Priority traffic: Basically allows you to split the interface into 2 different queues, one for low-latency traffic and the other for best-effort traffic. The one on the priority queue will always get served first.
    Traffic Shaping: It's the buffering QoS technique that allows you to configure a limit of bandwidth that you will provide to a certain traffic class; when you reach that limit, the traffic that goes over the limit will be placed into a software queue, where it will be "held". That's the difference between traffic shaping and policing: with traffic policing you will drop the offending traffic, with shaping you will hold it (so this is not good for low-latency traffic).
    Now regarding the direction: traffic shaping can only be done in the outbound direction, as queuing is an outbound process.
    For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
    Cheers,
    Julio Carvajal Segura

  • Traffic prioritisation on trunked switch port

    Good afternoon all. I am looking into traffic policing and shaping and neither seems to do what I need to do. Basically on a trunked switch port, I would like to prioritise traffic coming into a port by its VLAN tag; the trunk connects to an ESX host.
    The above options seem to be more about prioritising certain traffic for passing on to downstream devices. Can anyone shed any light on whether this is possible please? I am thinking it would need to be done on the ESX host at the moment...
    Thanks!

    Hi Colhignett,
    Hope the below link might help your query.
    http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/vlntgqos.html#wp1049430
    Regards
    Karthik

  • Traffic limiting

    Hope someone can point me in the right direction on this!
    I have a 6.5MB Internet feed into a 3825 router. I have 3 FastEthernet outputs. I wish to limit the throughput on one output to 512k at all times. I also wish to limit another to 4M, but only between say 8am to 5pm daily. Any ideas?

    It's easy to do. You should use either traffic-policing or traffic-shaping.
    For example use this link to configure generic traffic-shaping:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html

  • Rate Limit Traffic on Router

    Is it possible to limit bandwidth between two IPs using an ACL or policy map? For example, I want to limit 50% of file sharing traffic coming from or going to an IP 172.19.60.50.

    Hello,
    You can rate limit the traffic using traffic policing or traffic shaping, and YES, you can match based on the flow of the traffic.
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • NAC in Inband L2 Virtual mode

    Dear Experts,
    I am planning to implement NAC in-band virtual mode. I have HP and Cisco switches in my network. I have read the installation guide and the Cisco Press book for NAC, and now I want confirmation from you experts of the step-by-step procedure to set up NAC.
    I thought to post because many of you have implemented NAC several times, so I am asking for the general steps to start. I am going to do antivirus update and Windows update for the host posture assessment.
    NAC in Inband L2 Virtual mode
    About my thinking for Implementation is :
    create authentication vlan on access switches,(no SVI for authentication vlan)
    Do authentication mapping and actual user vlan mapping in NAC,
    create a rule such as windows update and antivirus update and then requirement is to access the antivirus server and windows update server,
    allow Access-list for all the user vlan to go to these antivirus and windows update servers, BUT these IPs will be the actual vlan IP subnet because we will not have any authentication subnet in DHCP? Correct me if I am wrong.
    Shift the users from actual vlan to authentication vlan,
    Configure managed subnet for the reply of DHCP request
    Enable L3 and setup static routes
    Manually go on each and every PC to open a browser so that it will be redirected to install NAC agent, IS THERE any other way TO INSTALL NAC AGENT IN 1000 WINDOWS MACHINE, MINE SYSTEM ADMINISTRATOR ARE NOT VERY SMART,SO PLEASE ANY SOLUTION WITHOUT ANY HELP OF SYSTEM ADMINISTRATOR?????? IT WILL BE HIGHLY APPRECIABLE.
    The points above that I have written are what I think NAC is. If I am missing any other points, please advise me or give proper guidance.

    Hi,
    1. This is correct. Auth VLANs shouldn't have SVIs anywhere on the network
    2. Okay
    3. Okay. For posture assessment, look at chalktalk 5 from this link: http://bit.ly/chalktalks
    4. For a L2 VGW setup (assuming In-Band), you will only have one set of IP addresses to work with, and those would be the Access VLAN IP addresses. You don't get a different IP address in your Auth VLAN. You can limit the resources you want your clients to have access to by tweaking the Traffic Policies
    5. You would map the users, and you do that by defining the VLAN mappings
    6. For L2 deployments, you will need managed subnets for all the IP subnets that you work with.
    7. You don't need static routes for L2 deployments
    8. If your clients are using any managed software system, like GPOs using AD, or SMS, or Altiris, you can push out the agent to them using those mechanisms.
    HTH,
    Faisal

  • ACE load balancing based on URL

    I am trying to send traffic to one server or another based on the URL. I want traffic to foo.com/selfserv to direct to server A and traffic to foo.com/webui to direct to server B. I found URL inspection etc. but I am not sure how to apply it to the scenario, as I do not want the ACE to inspect all inbound HTTP requests.

    The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. To configure a class map to make Layer 7 SLB decisions based on the URL name and, optionally, the HTTP method, use the match http url command in class-map HTTP load balance configuration mode.
    The ACE performs regular expression matching against the received packet data from a particular connection based on the RTSP URL string. You can configure a class map to make Layer 7 SLB decisions based on the URL name and optionally, the RTSP method, by using the match rtsp url command in class-map RTSP load balance configuration mode.
    Configuring Traffic Policies for Server Load Balancing:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html

  • Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

    With Prashanth Goutham R.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 
    Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework, protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
    Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
    Remember to use the rating system to let Prashanth know if you have received an adequate response. 
    Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello John,
    This session is on Failover Functionality on all Cisco Firewalls. I'm not a geek on QoS, however I have the answer for what you need. The way to limit traffic would be to enable QoS policing on your firewalls. The requirement that you have is about limiting 4 different tunnels to the set limits and dropping any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.
    access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
    access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
    access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
    access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
    class-map Tunnel_Policy1
     match access-list tunnel_one
    class-map Tunnel_Policy2
     match access-list tunnel_two
    class-map Tunnel_Policy3
     match access-list tunnel_three
    class-map Tunnel_Policy4
     match access-list tunnel_four
    policy-map tunnel_traffic_limit
     class Tunnel_Policy1
      police output 4096000
    policy-map tunnel_traffic_limit
     class Tunnel_Policy2
      police output 5734400
    policy-map tunnel_traffic_limit
     class Tunnel_Policy3
      police output 2457600
    policy-map tunnel_traffic_limit
     class Tunnel_Policy4
      police output 4915200
    service-policy tunnel_traffic_limit interface outside
    You might want to watch out for the following changes in values:
    HTTS-SEC-R2-7-ASA5510-02(config-cmap)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy1
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4096000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy2
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 5734400
    WARNING: police rate 5734400 not supported. Rate is changed to 5734000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy3
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 2457600
    WARNING: police rate 2457600 not supported. Rate is changed to 2457500
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy4
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4915200
    WARNING: police rate 4915200 not supported. Rate is changed to 4915000
    I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/
    The Final outputs of the configured values were :
    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
    Hope that helps..
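
A post-change check for the rate adjustment shown in the post above, as an added example that is not part of the original post and not Cisco tooling: it compares the rate requested for each class with the `cir` the ASA reports, and derives the burst window from `bc`. The input text is copied from the post (trimmed to the relevant lines); the function names are hypothetical.

```python
import re

# Copied from the post above, trimmed to the lines the check needs.
CONFIG = """
policy-map tunnel_traffic_limit
 class Tunnel_Policy1
  police output 4096000
policy-map tunnel_traffic_limit
 class Tunnel_Policy2
  police output 5734400
policy-map tunnel_traffic_limit
 class Tunnel_Policy3
  police output 2457600
policy-map tunnel_traffic_limit
 class Tunnel_Policy4
  police output 4915200
"""

SHOW = """
Class-map: Tunnel_Policy1
  Output police Interface outside:
    cir 4096000 bps, bc 128000 bytes
Class-map: Tunnel_Policy2
  Output police Interface outside:
    cir 5734000 bps, bc 179187 bytes
Class-map: Tunnel_Policy3
  Output police Interface outside:
    cir 2457500 bps, bc 76796 bytes
Class-map: Tunnel_Policy4
  Output police Interface outside:
    cir 4915000 bps, bc 153593 bytes
"""

REQ_RE = re.compile(r"\bclass (\S+)\s+police output (\d+)")
APPLIED_RE = re.compile(
    r"Class-map: (\S+)\s+Output police Interface \S+\s+cir (\d+) bps, bc (\d+) bytes"
)


def requested_rates(config):
    """Map class name -> rate (bps) as typed in the policy-map."""
    return {name: int(rate) for name, rate in REQ_RE.findall(config)}


def applied_policers(show):
    """Map class name -> (cir_bps, bc_bytes) as reported by the device."""
    return {name: (int(cir), int(bc)) for name, cir, bc in APPLIED_RE.findall(show)}


def rate_mismatches(config, show):
    """Classes whose applied cir differs from the request, or is missing entirely."""
    applied = applied_policers(show)
    diffs = {}
    for name, wanted in requested_rates(config).items():
        got = applied.get(name, (None, None))[0]
        if got != wanted:
            diffs[name] = (wanted, got)
    return diffs


def burst_ms(cir_bps, bc_bytes):
    """Time, in ms, that the conform burst represents at the committed rate."""
    return bc_bytes * 8 * 1000 / cir_bps


if __name__ == "__main__":
    for name, (wanted, got) in rate_mismatches(CONFIG, SHOW).items():
        print(f"{name}: requested {wanted} bps, applied {got} bps")
    for name, (cir, bc) in applied_policers(SHOW).items():
        print(f"{name}: bc {bc} bytes = {burst_ms(cir, bc):.1f} ms at cir")
```

On these outputs, and on the ASA 8.4(5) outputs in the conform-burst thread earlier on the page, the default `bc` works out to 250 ms of traffic at the applied rate; that is an observation from the values shown here, not a documented rule.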
