Cisco Systems OL-4387-02 manual Restrictions for SSG Hierarchical Policing

Chapter 8 SSG Hierarchical Policing

Restrictions for SSG Hierarchical Policing

Restrictions for SSG Hierarchical Policing

The SSG Hierarchical Policing feature has the following restrictions:

•When using SSG hierarchical policing on Cisco 10000 Series routers, a maximum of 8 policing rates can be used per uplink interface and R attribute combination. Of these 8 rates, 1 is reserved for “no policing”, leaving 7 different police rates available per uplink interface and R attribute combination For example, if eight SSG services are bound to the same SSG next-hop and all eight services carry an R attribute of “R0.0.0.0;0.0.0.0”, the ninth service will fail to acquire correct policing rates and this error message may appear:

%GENERAL-3-EREVENT: C10KSSG: Vi2.8 svc_bitmap 0x2 Unable to set connection rate

•The Cisco 10000 router supports per-session and per-interface quality of service (QoS). This type of QoS is available on non-SSG interfaces and is applied to the sessions or interfaces using modular QoS CLI (MQC) service policies.

•SSG interfaces do not use MQC service policies and cannot use the more complete set of classification rules and QoS actions available through MQC. QoS support for SSG interfaces is limited to first classifying to a per-user level and then to a per-session level. At each level, the only action supported is applying a policed rate that either drops the packet or allows the packet to continue to be processed. You cannot mark or queue the packet in a specific manner. You also cannot use an ACL to classify packets for a QoS class.

•The upstream and downstream policing rates at the per-session level must be specified in pairs. You cannot individually specify the upstream and downstream policing rates to a particular service.

•If you configure an inbound or outbound MQC service policy on a downlink SSG interface, SSG ignores the service policy.

•You must configure the committed rate parameter at 8000 or larger. If you set the committed rate lower than 8000, it is automatically configured at 8000.

•If the normal burst parameter is less than the IP maximum transmission unit (MTU) of an interface, the normal burst parameter is set equal to the IP MTU of the interface.

•Only packets destined to subscribed services are policed. The following packets are not policed:

–Multicast packets

–Open Garden packets

–Default network packets

SSG Hierarchical Policing Configuration

The configuration of SSG Hierarchical Policing requires you to:

•Modify user profiles and service profiles in RADIUS.

•Enable per-user and per-session policing using the ssg qos police command in global configuration mode.

For more information, refer to the Service Selection Gateway Hierarchical Policing, Release 12.2(4)B feature module.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide