Restrictions For Ssg Hierarchical Policing; Ssg Hierarchical Policing Configuration - Cisco OL-4387-02 Configuration Manual

Router service selection gateway configuration guide

Cisco 10000 Series Router Service Selection Gateway Configuration Guide, Chapter 8: SSG Hierarchical Policing (OL-4387-02)

Restrictions for SSG Hierarchical Policing

The SSG Hierarchical Policing feature has the following restrictions:

• When using SSG hierarchical policing on Cisco 10000 Series routers, a maximum of 8 policing rates can be used per uplink interface and R attribute combination. Of these 8 rates, 1 is reserved for "no policing", leaving 7 different police rates available per uplink interface and R attribute combination. For example, if eight SSG services are bound to the same SSG next-hop and all eight services carry an R attribute of "R0.0.0.0;0.0.0.0", the ninth service will fail to acquire correct policing rates and this error message may appear:

    %GENERAL-3-EREVENT: C10KSSG: Vi2.8 svc_bitmap 0x2 Unable to set connection rate

• The Cisco 10000 router supports per-session and per-interface quality of service (QoS). This type of QoS is available on non-SSG interfaces and is applied to the sessions or interfaces using modular QoS CLI (MQC) service policies.

  SSG interfaces do not use MQC service policies and cannot use the more complete set of classification rules and QoS actions available through MQC. QoS support for SSG interfaces is limited to first classifying to a per-user level and then to a per-session level. At each level, the only action supported is applying a policed rate that either drops the packet or allows the packet to continue to be processed. You cannot mark or queue the packet in a specific manner. You also cannot use an ACL to classify packets for a QoS class.

• The upstream and downstream policing rates at the per-session level must be specified in pairs. You cannot individually specify the upstream and downstream policing rates to a particular service.

• If you configure an inbound or outbound MQC service policy on a downlink SSG interface, SSG ignores the service policy.

• You must configure the committed rate parameter at 8000 or larger. If you set the committed rate lower than 8000, it is automatically configured at 8000.

• If the normal burst parameter is less than the IP maximum transmission unit (MTU) of an interface, the normal burst parameter is set equal to the IP MTU of the interface.

• Only packets destined to subscribed services are policed. The following packets are not policed:
  - Multicast packets
  - Open Garden packets
  - Default network packets

SSG Hierarchical Policing Configuration

The configuration of SSG Hierarchical Policing requires you to:

• Modify user profiles and service profiles in RADIUS.
• Enable per-user and per-session policing using the ssg qos police command in global configuration mode.

For more information, refer to the Service Selection Gateway Hierarchical Policing, Release 12.2(4)B feature module.
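
The following is an added example, not Cisco code or part of the original guide: a pre-deployment check that applies the committed rate and normal burst adjustments and the 7-rate limit from the restrictions above to a set of planned service profiles. The dictionary keys, the uplink name, the sample rates and the assumption that identical upstream/downstream pairs share one policing rate are hypothetical.

```python
from collections import defaultdict

MIN_COMMITTED_RATE = 8000  # guide: lower values are automatically configured at 8000
MAX_POLICED_RATES = 7      # guide: 8 rates per combination, 1 reserved for "no policing"


def effective_rate(committed_rate, normal_burst, ip_mtu):
    """Return (committed_rate, normal_burst) after the adjustments the guide describes."""
    return (max(committed_rate, MIN_COMMITTED_RATE), max(normal_burst, ip_mtu))


def audit_services(services, ip_mtu):
    """Report adjusted services and over-limit (uplink, R attribute) groups.

    Each service is a dict with hypothetical keys: name, uplink, r_attr and
    police. police is None (no policing) or an (upstream, downstream) pair of
    (committed_rate, normal_burst) tuples, since rates are specified in pairs.
    Assumption: identical pairs share one policing rate.
    """
    rates = defaultdict(set)
    adjusted = []
    for svc in services:
        if svc["police"] is None:
            continue  # uses the reserved "no policing" rate
        pair = tuple(effective_rate(cr, nb, ip_mtu) for cr, nb in svc["police"])
        if pair != svc["police"]:
            adjusted.append((svc["name"], pair))  # router would change these values
        rates[(svc["uplink"], svc["r_attr"])].add(pair)
    over_limit = {key: len(pairs) for key, pairs in rates.items()
                  if len(pairs) > MAX_POLICED_RATES}
    return adjusted, over_limit


# Constructed sample: nine services on one uplink, all carrying the R attribute
# used in the guide's example. svc1 sits below both minimums.
SAMPLE = [
    {"name": f"svc{i}", "uplink": "uplink-A", "r_attr": "R0.0.0.0;0.0.0.0",
     "police": ((64000 * i, 8000), (128000 * i, 16000))}
    for i in range(1, 10)
]
SAMPLE[0]["police"] = ((4000, 500), (128000, 16000))

if __name__ == "__main__":
    adjusted, over_limit = audit_services(SAMPLE, ip_mtu=1500)
    print("adjusted by router:", adjusted)
    print("groups over the 7-rate limit:", over_limit)
```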
