Modify Traffic Policy

  • Question
  • Updated 6 months ago
  • Acknowledged
Hi all,

This may be a silly question, but I can't seem to find the answer for it.

How does one modify a traffic policy?

I understand I would use the no command to remove a setting.

I want to adjust the rate limiting and enable counting, but it keeps stating can't modify while in use.

I removed the traffic policy from all the ACLs, although it still balks at me.

Do I have to reload the switch after removing the traffic policy from the ACLs?

Any input helps and thanks

eu scada

  • 5 Posts
  • 1 Reply Like

Posted 7 months ago


Jijo Panangat, Employee

  • 102 Posts
  • 35 Reply Likes
Hello,

You need to first unbind the ACL that references the traffic policy to modify or delete it.


Thanks
Jijo

eu scada

Hello,

I did remove all ACLs

Does one need to “reload” the switch after removing the ACLs to unbind the traffic policy?

Thanks much for the reply

Jijo Panangat, Employee

Hello,

Reload isn't necessary. Could you share 'show run' and the error log you see while modifying?


Thanks
Jijo 

eu scada

Hello, below is the current running config and at the bottom is the error I see when attempting to modify the traffic policy

Thanks for the help

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.12.17 05:56:57 =~=~=~=~=~=~=~=~=~=~=~=
login as: cor-admin
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
[email protected]>show run
Current configuration:
!
ver 08.0.30aT7f3
!
stack unit 1
  module 1 icx6610-48-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
  priority 240
  stack-trunk 1/2/1 to 1/2/2
  stack-trunk 1/2/6 to 1/2/7
  stack-port 1/2/1 1/2/6
stack unit 2
  module 1 icx6610-48-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
  priority 240
  stack-trunk 2/2/1 to 2/2/2
  stack-trunk 2/2/6 to 2/2/7
  stack-port 2/2/1 2/2/6
stack unit 3
  module 1 icx6610-24f-sf-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
  stack-trunk 3/2/1 to 3/2/2
  stack-trunk 3/2/6 to 3/2/7
  stack-port 3/2/1 3/2/6
stack enable
stack mac cc4e.24b5.d5d0
!
global-stp
!
!
lag NAS dynamic id 2047
 ports ethernet 1/1/9 to 1/1/10 
 primary-port 1/1/9
 lacp-timeout long 
 deploy
 port-name "NAS LAG 1" ethernet 1/1/10
!
!
vlan 1 name Plant-Existing by port
 tagged ethe 1/1/21 ethe 2/1/47 ethe 3/1/1 to 3/1/7 ethe 3/1/9 to 3/1/12 
 untagged ethe 1/1/1 ethe 1/1/3 to 1/1/6 ethe 1/1/19 ethe 1/1/23 to 1/1/24 ethe 1/1/42 to 1/1/43 ethe 2/1/1 to 2/1/4 ethe 2/1/9 to 2/1/16 ethe 2/1/19 to 2/1/20 ethe 2/1/42 to 2/1/43 
 monitor ethe 1/1/13
 router-interface ve 1
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 99 name DEFAULT-VLAN by port
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 210 name Switch-Mgmt by port
 tagged ethe 1/1/21 ethe 2/1/47 ethe 3/1/1 to 3/1/7 ethe 3/1/9 to 3/1/12 
 router-interface ve 210
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 240 name HMI-Server by port
 tagged ethe 1/1/21 ethe 1/1/29 to 1/1/31 ethe 1/3/1 to 1/3/3 ethe 2/1/29 to 2/1/31 ethe 2/3/1 to 2/3/3 ethe 3/1/4 ethe 3/1/9 
 untagged ethe 1/1/9 to 1/1/10 ethe 1/1/17 ethe 1/1/28 ethe 1/1/32 ethe 1/1/46 ethe 2/1/17 to 2/1/18 ethe 2/1/25 ethe 2/1/28 ethe 2/1/32 ethe 2/1/46 
 monitor ethe 1/1/13
 router-interface ve 240
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 250 name Server-Mgmt by port
 tagged ethe 1/1/29 to 1/1/31 ethe 1/3/1 to 1/3/3 ethe 2/1/29 to 2/1/31 ethe 2/3/1 to 2/3/3 
 untagged ethe 1/1/36 to 1/1/38 ethe 2/1/36 to 2/1/38 
 monitor ethe 1/1/13
 router-interface ve 250
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 270 name SUPPORT by port
 untagged ethe 1/1/11 
 router-interface ve 270
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 280 name MAINT by port
 tagged ethe 2/1/47 ethe 3/1/1 to 3/1/7 ethe 3/1/9 to 3/1/12 
 untagged ethe 1/1/33 to 1/1/35 ethe 2/1/33 to 2/1/35 
 router-interface ve 280
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 290 name FIELD-DEVICE by port
 untagged ethe 1/1/39 to 1/1/41 ethe 2/1/39 to 2/1/41 
 router-interface ve 290
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 300 name ZERO-CLIENT by port
 tagged ethe 1/1/21 ethe 3/1/1 ethe 3/1/4 ethe 3/1/9 
 untagged ethe 1/1/25 to 1/1/27 ethe 1/1/48 ethe 2/1/26 to 2/1/27 
 router-interface ve 300
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 350 name NTP-MGMT by port
 untagged ethe 1/1/47 
 router-interface ve 350
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 360 name FIREWALL by port
 untagged ethe 1/1/45 ethe 2/1/45 ethe 2/1/48 
 router-interface ve 360
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 410 name HMI-SYNC by port
 tagged ethe 1/1/29 to 1/1/31 ethe 1/3/1 to 1/3/3 ethe 2/1/29 to 2/1/31 ethe 2/3/1 to 2/3/3 
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 430 name RF1-RMT by port
 untagged ethe 1/1/44 ethe 2/1/44 
 router-interface ve 430
 spanning-tree 802-1w
 spanning-tree 802-1w priority 8192
!
vlan 440 name RF2-RMT by port
!
!
!
!
!
system-max ip-filter-sys 8192
!
traffic-policy TP-ACLD1 rate-limit fixed 100 exceed-action Drop
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
boot sys fl sec
jumbo
default-vlan-id 99
enable super-user-password .....
hostname brwtp-6610-stack
ip route 10.4.61.0/24 172.17.31.1
ip route 10.4.62.0/24 172.17.31.1
ip route 10.4.63.0/24 172.17.31.1
ip route 136.0.0.0/8 172.17.31.1
ip route 172.17.0.0/24 172.17.31.1
ip route 172.17.64.0/18 172.17.31.1
ip route 172.17.64.0/21 172.17.31.1
ip route 172.17.128.0/24 172.17.31.1
ip route 172.18.16.0/20 172.17.31.1
ip route 172.19.16.0/20 172.17.31.1
ip multicast active
!
logging host 10.4.62.24 
logging host 10.4.62.24  udp-port 1514
logging host 10.4.62.24  udp-port 5544
logging facility syslog
logging buffered 1000
logging console
mirror-port ethernet 1/1/13
!
no telnet server
username architect password .....
username tesco privilege 4 password .....
username cor-admin password .....
username support privilege 5 password .....
username nms-user privilege 5 password .....
snmp-server community ..... ro
snmp-server contact TCI
snmp-server location BRWTP
snmp-server host 172.17.20.205 version v2c .....
snmp-server host 172.18.19.40 version v2c .....
snmp-server host 192.168.19.213 version v2c .....
snmp-server host 192.168.19.11 version v2c .....
snmp-server host 192.168.19.10 version v2c .....
snmp-server host 192.168.19.90 version v2c .....
!
!
clock summer-time
clock timezone us Pacific
!
!
ntp
 master
 source-interface ve 350
 server 10.4.62.19
 server 172.17.30.97
 server 172.18.30.97
 server 172.19.30.97
!
!
ssh access-group 
hitless-failover enable
!
!
!
!
!
!
!
interface ethernet 1/1/1
 port-name Connection to City Fiber (Dynac)
!
interface ethernet 1/1/11
 port-name NAS LAG 2
!
interface ethernet 1/1/29
 disable
!
interface ethernet 1/1/30
 disable
!
interface ethernet 1/1/31
 disable
!
interface ethernet 1/1/36
 port-name WTVH01-IPMI
!
interface ethernet 1/1/37
 port-name WTVH02-IPMI
!
interface ethernet 1/1/38
 port-name WTVH03-IPMI
!
interface ethernet 1/3/1
 port-name WTVH01-ETH2
 speed-duplex 10G-full
 stp-protect
!
interface ethernet 1/3/2
 port-name WTVH02-ETH2
 speed-duplex 10G-full
 stp-protect
!
interface ethernet 1/3/3
 port-name WTVH03-ETH2
 speed-duplex 10G-full
 stp-protect
!
interface ethernet 1/3/4
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 1/3/5
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 1/3/6
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 1/3/7
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 1/3/8
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 2/1/17
 port-name Cell Modem 1
!
interface ethernet 2/1/18
 port-name Cell Modem 2
!
interface ethernet 2/1/29
 disable
!
interface ethernet 2/1/30
 disable
!
interface ethernet 2/1/31
 disable
!
interface ethernet 2/1/47
 port-name Trunk to Lime System
!
interface ethernet 2/3/1
 port-name WTVH01-ETH3
 speed-duplex 10G-full
 stp-protect
!
interface ethernet 2/3/2
 port-name WTVH02-ETH3
 speed-duplex 10G-full
 stp-protect
!
interface ethernet 2/3/3
 port-name WTVH03-ETH3
 speed-duplex 10G-full
 stp-protect
!
interface ethernet 2/3/4
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 2/3/5
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 2/3/6
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 2/3/7
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 2/3/8
 spanning-tree 802-1w admin-edge-port
 stp-protect
!
interface ethernet 3/1/1
 port-name Trunk to MCC Room
!
interface ethernet 3/1/2
 port-name Trunk to East Clearwell
!
interface ethernet 3/1/3
 port-name Trunk to Utility Room
!
interface ethernet 3/1/4
 port-name Trunk to WT71-00101
!
interface ethernet 3/1/5
 port-name Trunk to Reclamation
!
interface ethernet 3/1/6
 port-name Trunk to Centrifuge
!
interface ethernet 3/1/7
 port-name Trunk to Filters 7,8
!
interface ethernet 3/1/9
 port-name Trunk to Chemical Bldg
!
interface ethernet 3/1/10
 port-name Trunk to Filters 9,10
!
interface ethernet 3/1/11
 port-name Trunk to Filters 11,12
!
interface ethernet 3/1/12
 port-name Trunk to Intake Structure
!
interface ve 1
 acl-logging
 ip address 192.168.34.1 255.255.255.0
!
interface ve 210
 port-name switch-net
 acl-logging
 ip address 172.17.16.1 255.255.255.0
!
interface ve 240
 acl-logging
 ip address 172.17.19.1 255.255.255.0
!
interface ve 250
 port-name scada-mgmt
 acl-logging
 ip address 172.17.20.1 255.255.255.0
!
interface ve 270
 acl-logging
 ip address 172.17.22.1 255.255.255.0
!
interface ve 280
 port-name maint-net
 acl-logging
 ip address 172.17.23.1 255.255.255.0
!
interface ve 290
 acl-logging
 ip address 172.17.24.1 255.255.255.0
!
interface ve 300
 acl-logging
 ip access-group SCADA-ZC-Net-Inbound in 
 ip address 172.17.25.1 255.255.255.0
!
interface ve 350
 ip address 172.17.30.1 255.255.255.0
!
interface ve 360
 port-name enterprise-net
 acl-logging
 ip address 172.17.31.2 255.255.255.0
!
interface ve 430
 ip address 192.168.35.1 255.255.255.0
!
!
!
ip access-list standard VTY-Access-update
 permit 172.17.16.0 0.0.0.255 
 permit 172.17.19.0 0.0.0.255 
 permit 172.17.20.0 0.0.0.255 
 permit 172.17.23.0 0.0.0.255 
 deny any 
!
!
!
!
!
ip ssh  authentication-retries 5
ip ssh  timeout 30
ip ssh  idle-time 30
!
!
end

[email protected]>                        
[email protected]>en
User Name:cor-admin
Password:
[email protected]#con t
[email protected](config)#traffic-policy TP-ACLD1 count
ERROR: Traffic Policy TP-ACLD1 cannot be modified when in use. #ref is 22.
[email protected](config)#
[email protected](config)#show traffic-policy TP-ACLD1
Traffic Policy - TP-ACLD1:

Metering Enabled, Parameters:
Mode: Fixed Rate-Limiting
cir: 100 kbps
Exceed Action: Drop
Counting Not Enabled
Number of References/Bindings: 22
[email protected](config)#

Jijo Panangat, Employee

Hello,

As per the show cmd it says 22 bindings but don't see any in the config shared. Do you have the prior/initial config (with 22 bindings) applied?
You may try a reload now and if that doesn't help open a TAC case for additional debugging.


Thanks
Jijo 


eu scada

Thanks for the reply, 

We will give reload a try and see what happens.

Thanks

eu scada

A reload “released” the 22 bindings and I was able to remove the TP. Thanks much

Jijo Panangat, Employee

Glad to hear, Thanks
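
Added example, not part of the thread and not vendor code: a check that lists which ACL rules in a saved 'show run' still name a traffic policy, where those ACLs are applied, and whether 'show traffic-policy' reports bindings the config no longer explains (the state seen above before the reload). It assumes ACL rules reference a policy as "permit ... traffic-policy NAME"; the ACL name EXAMPLE-IN and the BOUND_CFG text are constructed.

```python
import re

def policy_references(config, policy):
    """(acl, rule) pairs for ACL rules carrying 'traffic-policy <policy>'."""
    ref = re.compile(r"\btraffic-policy\s+" + re.escape(policy) + r"(\s|$)")
    refs, acl = [], None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"(?:ip )?access-list (?:(?:standard|extended) )?(\S+)", line)
        if head:
            acl = head.group(1)  # named-ACL header, or a numbered one-line rule
        elif not raw.startswith(" "):
            acl = None           # any other top-level line ends the ACL block
        if acl and re.search(r"\b(permit|deny)\b", line) and ref.search(line):
            refs.append((acl, line))
    return refs

def bound_interfaces(config, acl):
    """Interfaces that apply `acl` with 'ip access-group'."""
    out, iface = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            iface = raw.split(None, 1)[1].strip()
        elif not raw.startswith(" "):
            iface = None
        elif iface and raw.split()[:3] == ["ip", "access-group", acl]:
            out.append(iface)
    return out

def audit(config, show_output, policy):
    """Compare config references with the counter from 'show traffic-policy'."""
    refs = policy_references(config, policy)
    m = re.search(r"Number of References/Bindings:\s*(\d+)", show_output)
    reported = int(m.group(1)) if m else None
    acls = sorted({a for a, _ in refs})
    return {"reported": reported,
            "bound_on": {a: bound_interfaces(config, a) for a in acls},
            # counter is non-zero although no ACL rule names the policy
            "stale": bool(reported) and not refs}

# Lines taken from the thread's 'show run' and 'show traffic-policy' output.
THREAD_CFG = ("traffic-policy TP-ACLD1 rate-limit fixed 100 exceed-action Drop\n"
              "interface ve 300\n acl-logging\n"
              " ip access-group SCADA-ZC-Net-Inbound in \n!\n"
              "ip access-list standard VTY-Access-update\n deny any \n!\n")
THREAD_SHOW = "Counting Not Enabled\nNumber of References/Bindings: 22\n"
# Constructed config (not from the thread) with one rule naming the policy.
BOUND_CFG = ("interface ve 300\n ip access-group EXAMPLE-IN in\n!\n"
             "ip access-list extended EXAMPLE-IN\n"
             " permit ip any any traffic-policy TP-ACLD1\n deny ip any any\n!\n")
print(audit(THREAD_CFG, THREAD_SHOW, "TP-ACLD1"))
```

A "stale" result on a config with no remaining references matches the case in this thread, where the bindings were only released by a reload.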