[c-nsp] Policing Layer3 traffic in 6500/sup720
Gustavo Rodrigues Ramos
gustavo at acmesecurity.org
Mon Oct 8 11:20:21 EDT 2007
Hi,
I'm trying to police layer 3 traffic that passes through a 6500/sup720
(native IOS 12.2(18)SXF7). I've tried two things:
- Policing the traffic with class-default, which was unsuccessful because it
polices layer 2 and layer 3 traffic (and, as I said, I want to police
just layer 3).
- Policing the traffic with a mac access-list on a match-any or match-all
class-map, matching only packets that are going from or to the layer 3
interface on my router. I've tried this configuration using a mac
access-list, but I've got no packets being policed even if I configure a
permit any any clause.
I had no success with either of them.
MLS (and mls qos) is enabled globally and per layer 3 interface, and I
also have mls qos vlan-based configured on the proper interfaces.
The main configuration used is attached below. Any comments are very much
appreciated.
Regards,
Gustavo.
interface Vlan205
ip address x.x.x.x y.y.y.y
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache policy
ip policy route-map TO-MY-FIREWALL
service-policy input qos_vlan205
service-policy output qos_vlan205
router#sh policy-map qos_vlan205
Policy Map qos_vlan205
Class cm_vlan205
police cir 256000 bc 32000 be 32000 conform-action transmit
exceed-action drop violate-action drop
router#sh class-map cm_vlan205
Class Map match-all cm_vlan205 (id 46)
Match access-group name mac-spocsr02
router#sh access-lists mac-router
Extended MAC access list mac-router
permit host 00d0.012b.9c00 any
permit host 000f.f83f.0800 any
permit host 0000.0c07.ac01 any
permit host 0000.0c07.ac02 any
permit host 0000.0c07.ac05 any
permit host 0000.0c07.ac63 any
permit any host 00d0.012b.9c00
permit any host 000f.f83f.0800
permit any host 0000.0c07.ac01
permit any host 0000.0c07.ac02
permit any host 0000.0c07.ac05
permit any host 0000.0c07.ac63
permit any any <--- this was added after, and also didn't work.
router#sh mls qos
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS is vlan-based on the following interfaces:
Gi3/4 Gi3/5 Gi3/6 Gi3/20 Gi3/27 Gi3/48 Fa4/41 Gi8/7
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [5] -----
QoS global counters:
Total packets: 1159147
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 289
IP packets with COS changed by policing: 7739
Non-IP packets with COS changed by policing: 530
MPLS packets with EXP changed by policing: 0
router#sh policy-map interface vlan 205
Vlan205
Service-policy input: qos_vlan205
class-map: cm_vlan205 (match-all)
Match: access-group name mac-router
police :
256000 bps 32000 limit 32000 extended limit
Earl in slot 5 :
405 bytes
5 minute offered rate 16 bps
aggregate-forwarded 405 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 64 bps exceed 0 bps
Class-map: class-default (match-any)
113 packets, 15388 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Service-policy output: qos_vlan205
class-map: cm_vlan205 (match-all)
Match: access-group name mac-router
police :
256000 bps 32000 limit 32000 extended limit
Earl in slot 5 :
77543 bytes
5 minute offered rate 560 bps
aggregate-forwarded 77543 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 608 bps exceed 0 bps
Class-map: class-default (match-any)
42063 packets, 62500574 bytes
5 minute offered rate 20000 bps, drop rate 0 bps
Match: any
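The counters in the "show policy-map interface" output above are the only evidence of whether the policer is classifying anything: the cm_vlan205 class sees a few hundred bytes while class-default carries tens of megabytes. The following added example (my own code, not from the original post or from Cisco) parses that output, as pasted into a constructed sample string, and flags a policed class that catches none or only a negligible share of the bytes on its direction, which is the symptom the post describes. The 1% threshold is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "show policy-map interface vlan 205" output from the
# post, re-indented the way IOS prints it. The parser does not rely on indentation.
SAMPLE = """\
Vlan205
  Service-policy input: qos_vlan205
    class-map: cm_vlan205 (match-all)
      Match: access-group name mac-router
      police :
        256000 bps 32000 limit 32000 extended limit
      Earl in slot 5 :
        405 bytes
        5 minute offered rate 16 bps
        aggregate-forwarded 405 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 64 bps exceed 0 bps
    Class-map: class-default (match-any)
      113 packets, 15388 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
  Service-policy output: qos_vlan205
    class-map: cm_vlan205 (match-all)
      Match: access-group name mac-router
      police :
        256000 bps 32000 limit 32000 extended limit
      Earl in slot 5 :
        77543 bytes
        5 minute offered rate 560 bps
        aggregate-forwarded 77543 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 608 bps exceed 0 bps
    Class-map: class-default (match-any)
      42063 packets, 62500574 bytes
      5 minute offered rate 20000 bps, drop rate 0 bps
      Match: any
"""


@dataclass
class ClassStats:
    direction: str              # "input" or "output"
    name: str                   # class-map name
    match_type: str             # "match-all" / "match-any"
    matches: list = field(default_factory=list)
    policed: bool = False       # True when a "police" block follows the class
    forwarded_bytes: int = 0    # conform/transmit bytes (or plain byte count for unpoliced classes)
    exceeded_bytes: int = 0     # bytes that hit the exceed/violate action


SP_RE = re.compile(r"Service-policy\s+(input|output):\s*(\S+)")
CM_RE = re.compile(r"class-map:\s*(\S+)\s*\((match-\w+)\)", re.IGNORECASE)
MATCH_RE = re.compile(r"^\s*Match:\s*(.+?)\s*$")
POLICE_RE = re.compile(r"^\s*police\b", re.IGNORECASE)
FWD_RE = re.compile(r"aggregate-forwarded\s+(\d+)\s+bytes")
EXC_RE = re.compile(r"exceeded\s+(\d+)\s+bytes")
PKT_RE = re.compile(r"^\s*(\d+)\s+packets,\s*(\d+)\s+bytes")


def parse_policy_map_interface(text):
    """Return {(direction, class_name): ClassStats} from show policy-map interface output."""
    stats = {}
    direction = None
    cur = None
    for line in text.splitlines():
        m = SP_RE.search(line)
        if m:                               # new service-policy section: input or output
            direction, cur = m.group(1), None
            continue
        m = CM_RE.search(line)
        if m and direction:                 # new class inside the current direction
            cur = ClassStats(direction, m.group(1), m.group(2))
            stats[(direction, cur.name)] = cur
            continue
        if cur is None:
            continue
        if POLICE_RE.match(line):
            cur.policed = True
        elif (m := MATCH_RE.match(line)):
            cur.matches.append(m.group(1))
        elif (m := FWD_RE.search(line)):
            cur.forwarded_bytes = int(m.group(1))
        elif (m := EXC_RE.search(line)):
            cur.exceeded_bytes = int(m.group(1))
        elif (m := PKT_RE.match(line)):     # unpoliced classes print "N packets, M bytes"
            cur.forwarded_bytes = int(m.group(2))
    return stats


def audit_policers(stats, min_share=0.01):
    """Flag policed classes that see no traffic, or less than min_share of their direction's bytes."""
    findings = []
    for direction in ("input", "output"):
        classes = [s for (d, _), s in stats.items() if d == direction]
        total = sum(s.forwarded_bytes + s.exceeded_bytes for s in classes)
        for s in classes:
            if not s.policed:
                continue
            seen = s.forwarded_bytes + s.exceeded_bytes
            share = seen / total if total else 0.0
            if seen == 0:
                findings.append((direction, s.name, "policed class matched no traffic"))
            elif share < min_share:
                findings.append((direction, s.name,
                                 f"policed class saw only {share:.2%} of bytes; "
                                 f"check its match criteria: {s.matches}"))
    return findings


if __name__ == "__main__":
    for finding in audit_policers(parse_policy_map_interface(SAMPLE)):
        print(*finding)
```

Run against the post's output, the audit reports only the output direction: the MAC-ACL class forwarded 77543 bytes while class-default carried 62500574, so the policer is attached and running but almost nothing is being classified into it, which points at the class-map's match rather than at the police statement.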