[nsp] 6509 Help - Please! :)

Alexandre Snarskii snar at paranoia.ru
Fri Mar 19 01:59:01 EST 2004


On Thu, Mar 18, 2004 at 09:36:44PM -0500, Paul Stewart wrote:
> We were told this before but what threw us off is that another company
> locally that we supply some inet services to has a 6509 on their end.  They
> refeed some internet to some of their customers over vlan's and are able to
> police their traffic using hybrid mode with sup2/msfc2/pfc2 ... So I'm
> trying to figure out how they are doing it then?  Unless they are "punting"
> everything to the msfc for software switching??  We tried turning mls off in
> native ios however it seems that mls will not turn off on them??  I also
> read another thread where someone else tried to turn off mls and run
> software switching (taking a major performance hit) and never got it working
> either...

Looks like they are just doing ingress policing, which may work like egress..
Hint: 

interface vlan xxx
 service-policy input BB-IN
!
policy-map BB-IN
 class CLIENT-OUT
  police .... 

where class-map CLIENT-OUT permits traffic from any to 'client-ip-addresses'

The same scheme has worked well for us for some months. 


> Maybe I'm being a dummy.. And if someone wants to call  me that please do
> and while you're at it feel free to toss me a few ideas....;)  We'd actually
> prefer native ios as it's easier for me to work with but we were unable to
> find a method of limiting vlan's inbound/outbound traffic that worked... Any
> ideas? ;)
> 
> Thanks again, appreciate it..
> 
> Paul
> 
> 
> -----Original Message-----
> From: Tim Stevenson [mailto:tstevens at cisco.com] 
> Sent: Thursday, March 18, 2004 9:31 PM
> To: Paul Stewart; 'Jared Mauch'
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] 6509 Help - Please! :)
> 
> 
> Native or hybrid is not going to change the capabilities of the hardware -
> only sup720 is capable of egress policing, and even then, only on a Layer 3
> routed interface (in native) or a VLAN basis. Sup2 supports only ingress
> policing.
> 
> Tim
> 
> At 06:23 PM 3/18/2004, Paul Stewart quipped:
> >We found that we were unable to police vlan's in both directions 
> >(perhaps we missed something configuration wise but only inbound would 
> >work).. Our only solution was then to break the vlan out into a pair 
> >of physical ports and police input on each port therefore policing in 
> >both directions... Unfortunately that meant 2 ports for every vlan and 
> >we didn't like that
> >idea..;)
> >
> >I still have the spare sup (which is pulled right now) setup for native 
> >in case someone can help us resolve that problem..;)
> >
> >-----Original Message-----
> >From: Jared Mauch [mailto:jared at puck.nether.net]
> >Sent: Thursday, March 18, 2004 8:59 PM
> >To: Paul Stewart
> >Cc: 'Tim Stevenson'; cisco-nsp at puck.nether.net
> >Subject: Re: [nsp] 6509 Help - Please! :)
> >
> >
> >     Just wondering,
> >
> >     Is there a reason why you're not just running Native?
> >
> >     this is the path that the 6k sw is going.  If it's a new 6509, 
> >it's a good time to play with something different, IMHO.
> >
> >     - Jared
> >     
> >On Thu, Mar 18, 2004 at 08:49:24PM -0500, Paul Stewart wrote:
> >> Hi Tim.. No (see other post).. I found another problem kind of
> >> related..
> >> 
> >> I had setup sc0 with a management Ip but it defaults to vlan1 (my
> >> default vlan is 2 which is sc1 if I have this correct).. Moved sc1 to 
> >> vlan 3 and changed sc0 to vlan 2... No difference yet however I 
> >> believe that your suggestion (and the other gentleman's) is on the 
> >> right track...
> >> 
> >> Thanks everyone..:)
> >> 
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Stevenson
> >> Sent: Thursday, March 18, 2004 8:39 PM
> >> To: cisco-nsp at puck.nether.net; cisco-nsp at puck.nether.net
> >> Subject: Re: [nsp] 6509 Help - Please! :)
> >> 
> >> 
> >> Are any of the vlan 2 ports actually connected? The vlan interface
> >> won't come up unless there is at least 1 port in the vlan that is up & 
> >> connected (autostate).
> >> 
> >> Tim
> >> 
> >> At 05:22 PM 3/18/2004, cisco-nsp-request at puck.nether.net quipped:
> >> >Message: 3
> >> >Date: Thu, 18 Mar 2004 20:19:39 -0500
> >> >From: "Paul Stewart" <pauls at nexicom.net>
> >> >Subject: [nsp] 6509 Help - Please! :)
> >> >To: <cisco-nsp at puck.nether.net>
> >> >Message-ID: <000c01c40d50$400d3a50$640aa8c0 at pstewart>
> >> >Content-Type: text/plain;     charset="us-ascii"
> >> >
> >> >Hi everyone...
> >> >
> >> >I'm trying to bring a new 6509 online in hybrid mode... This is my 
> >> >first attempt at hybrid mode (although I am used to 5500's with RSM 
> >> >cards so hoping it's not much different)....
> >> >
> >> >Anyways, my problem is getting native vlan online.
> >> 
> >> 
> >> Tim Stevenson, tstevens at cisco.com
> >> Routing & Switching CCIE #5561
> >> Technical Marketing Engineer, Catalyst 6500
> >> Cisco Systems, http://www.cisco.com
> >> IP Phone: 408-526-6759
> >> ********************************************************
> >> The contents of this message may be *Cisco Confidential*
> >> and are intended for the specified recipients only.
> >> 
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >--
> >Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> >clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> 
> 
> Tim Stevenson, tstevens at cisco.com
> Routing & Switching CCIE #5561
> Technical Marketing Engineer, Catalyst 6500
> Cisco Systems, http://www.cisco.com
> IP Phone: 408-526-6759
> ********************************************************
> The contents of this message may be *Cisco Confidential*
> and are intended for the specified recipients only.
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
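
The hint in the reply above, written out as a fuller native IOS configuration. This is an added example, not part of the original post: the VLAN number, port, ACL number, client prefix and police rate/burst are constructed placeholders, and it assumes that vlan xxx is the VLAN on which traffic toward the client enters the switch and that PFC QoS needs the `mls qos` lines shown.

```ios
! Enable PFC QoS globally; policers are not enforced while QoS is disabled
mls qos
!
! Constructed client prefix (documentation range), standing in for
! 'client-ip-addresses' in the hint: match traffic from any source TO the client
access-list 101 permit ip any 192.0.2.0 0.0.0.255
!
class-map match-all CLIENT-OUT
 match access-group 101
!
! Constructed rate and burst: 10 Mbit/s, 312500-byte burst
policy-map BB-IN
 class CLIENT-OUT
  police 10000000 312500 conform-action transmit exceed-action drop
!
! Constructed VLAN number for the VLAN where client-bound traffic arrives.
! Policing it on input here limits what later leaves toward the client,
! so no egress policer is needed.
interface Vlan100
 service-policy input BB-IN
!
! Layer 2 ports carrying that VLAN must be switched to VLAN-based QoS,
! otherwise the policy attached to the VLAN interface is not applied to them
interface GigabitEthernet1/1
 switchport
 switchport access vlan 100
 mls qos vlan-based
```

`show policy-map interface Vlan100` shows whether the policy is attached and counting. Traffic from the client is limited the same way with a second input policy on the client-facing VLAN.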

