[c-nsp] Policing Layer3 traffic in 6500/sup720

Gustavo Rodrigues Ramos gustavo at acmesecurity.org
Mon Oct 8 11:20:21 EDT 2007


Hi,

I'm trying to police layer 3 traffic that passes through a 6500/sup720
(native IOS 12.2(18)SXF7). I've tried two things:

- Policing the traffic with class-default was unsuccessful because it
polices layer 2 and layer 3 traffic (and, as I said, I want to police
just layer 3).

- Policing the traffic with a mac access-list on a match-any or match-all
class-map, matching only packets that are going from or to the layer 3
interface on my router. I've tried this configuration using a mac
access-list, but I got no packets being policed even when I configured a
permit any any clause.

I had no success with either of them.

MLS (and mls qos) is enabled globally and per layer 3 interface, and I
also have mls qos vlan-based configured on the proper interfaces.

The main configuration used is attached below. Any comments are very
much appreciated.

Regards,
Gustavo.




interface Vlan205
 ip address x.x.x.x y.y.y.y
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache policy
 ip policy route-map TO-MY-FIREWALL
 service-policy input qos_vlan205
 service-policy output qos_vlan205

router#sh policy-map qos_vlan205
  Policy Map qos_vlan205
    Class cm_vlan205
     police cir 256000 bc 32000 be 32000 conform-action transmit
exceed-action drop violate-action drop


router#sh class-map cm_vlan205
 Class Map match-all cm_vlan205 (id 46)
   Match access-group name mac-spocsr02


router#sh access-lists mac-router

Extended MAC access list mac-router
    permit host 00d0.012b.9c00 any
    permit host 000f.f83f.0800 any
    permit host 0000.0c07.ac01 any
    permit host 0000.0c07.ac02 any
    permit host 0000.0c07.ac05 any
    permit host 0000.0c07.ac63 any
    permit any host 00d0.012b.9c00
    permit any host 000f.f83f.0800
    permit any host 0000.0c07.ac01
    permit any host 0000.0c07.ac02
    permit any host 0000.0c07.ac05
    permit any host 0000.0c07.ac63
    permit any any   <--- this was added after, and also didn't work.


router#sh mls qos
  QoS is enabled globally
  Policy marking depends on port_trust
  QoS ip packet dscp rewrite enabled globally
  Input mode for GRE Tunnel is Pipe mode
  Input mode for MPLS is Pipe mode

  QoS is vlan-based on the following interfaces:
    Gi3/4 Gi3/5 Gi3/6 Gi3/20 Gi3/27 Gi3/48 Fa4/41 Gi8/7
  Vlan or Portchannel(Multi-Earl) policies supported: Yes
  Egress policies supported: Yes


 ----- Module [5] -----
  QoS global counters:
    Total packets: 1159147
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 289
    IP packets with COS changed by policing: 7739
    Non-IP packets with COS changed by policing: 530
    MPLS packets with EXP changed by policing: 0



router#sh policy-map interface vlan 205
 Vlan205

  Service-policy input: qos_vlan205

    class-map: cm_vlan205 (match-all)
      Match: access-group name mac-router
      police :
        256000 bps 32000 limit 32000 extended limit
      Earl in slot 5 :
        405 bytes
        5 minute offered rate 16 bps
        aggregate-forwarded 405 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 64 bps exceed 0 bps

    Class-map: class-default (match-any)
      113 packets, 15388 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: qos_vlan205

    class-map: cm_vlan205 (match-all)
      Match: access-group name mac-router
      police :
        256000 bps 32000 limit 32000 extended limit
      Earl in slot 5 :
        77543 bytes
        5 minute offered rate 560 bps
        aggregate-forwarded 77543 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 608 bps exceed 0 bps

    Class-map: class-default (match-any)
      42063 packets, 62500574 bytes
      5 minute offered rate 20000 bps, drop rate 0 bps
      Match: any
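The following is an added example, not configuration from the post above: it shows the standard MQC way to police only IP traffic on a Sup720 SVI, by classifying on an IP extended ACL instead of a MAC ACL. By default the PFC applies MAC ACL classification only to non-IP frames, so an IP ACL is the classifier that actually selects the layer 3 packets. The ACL, class-map and policy-map names (ip-only, cm_ip_vlan205, qos_ip_vlan205) are made up for this example; the rate and burst values are taken from the post, and Gi3/4 is one of the ports the post already lists as vlan-based.

```cisco
! Added example (not from the original post): police only IPv4 traffic
! on the Vlan205 SVI by classifying on an IP ACL rather than a MAC ACL.
! Names ip-only, cm_ip_vlan205 and qos_ip_vlan205 are assumptions.
!
! Classify every IPv4 packet. Non-IP frames (ARP, CDP, STP, ...) never
! match this ACL, so they are never policed by this class.
ip access-list extended ip-only
 permit ip any any
!
class-map match-all cm_ip_vlan205
 match access-group name ip-only
!
! Same rate and burst as in the post: 256 kbps CIR, 32000-byte burst.
! Single-rate policer: conforming traffic is forwarded, the rest dropped.
policy-map qos_ip_vlan205
 class cm_ip_vlan205
  police cir 256000 bc 32000 conform-action transmit exceed-action drop
!
! Ports that carry VLAN 205 must be in VLAN-based QoS mode, otherwise
! the PFC does not apply the SVI's service-policy to their traffic.
interface GigabitEthernet3/4
 mls qos vlan-based
!
interface Vlan205
 service-policy input qos_ip_vlan205
 service-policy output qos_ip_vlan205
!
! Verification: the per-class "exceeded ... action: drop" byte counter in
! "show policy-map interface vlan 205" and the global "Packets dropped by
! policing" counter in "show mls qos" should increase once the offered
! IP traffic exceeds the CIR. Non-IP traffic stays in class-default.
```

Usage note: with this classifier, class-default still receives the layer 2 (non-IP) traffic but carries no police action, so only the IP packets are rate-limited. If IPv6 is routed on the SVI it is not matched by an IPv4 ACL and would need its own class.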

