[c-nsp] Ingress policing on a 3560

Tom Storey tom at snnap.net
Mon Jun 1 00:57:16 EDT 2009


Thanks to those who have responded so far.

To answer a couple of so far common questions:

"mls qos" is enabled:

sw2#sh mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

And I don't appear to be counting any hits against my MAC ACL, which may
explain part of the problem:

sw2#sh access-lists mac-any-any

Extended MAC access list mac-any-any
    permit any any 0x0 0xFFFF

I tried applying the ACL inbound on the interface to see if it would count
any hits, and there are zero hits on there too. I also modified the ACL
rule to what you see above based on an example I found.

So something is definitely up there, considering I am pumping 12000+ pps
through it each way with iperf. :-)

Back to the drawing board.

Cheers,
Tom

> Hi all.
>
> What I'm trying to do is police ingress on a port, using a MAC ACL to
> match traffic to police (just a "permit any any" to match all traffic).
>
> But what I'm getting is that the switch doesn't appear to be matching any
> traffic at all.
>
> sw2#sh int gi0/14 | inc put rate
>   30 second input rate 20449000 bits/sec, 1688 packets/sec
>   30 second output rate 2620000 bits/sec, 1690 packets/sec
> sw2#sh policy-map int gi0/14
>  GigabitEthernet0/14
>
>   Service-policy input: police-10mbit-in
>
>     Class-map: mac-any-any (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0 bps, drop rate 0 bps
>       Match: access-group name mac-any-any
>         0 packets, 0 bytes
>         30 second rate 0 bps
>
>     Class-map: class-default (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0 bps, drop rate 0 bps
>       Match: any
>         0 packets, 0 bytes
>         30 second rate 0 bps
>
> Does anyone have any pointers as to what I'm doing wrong? Below is my
> config.
>
> mac access-list extended mac-any-any
>  permit any any
> !
> class-map match-any mac-any-any
>  match access-group name mac-any-any
> !
> policy-map police-10mbit-in
>  class mac-any-any
>   police 10000000 1000000 exceed-action drop
> !
> interface GigabitEthernet0/14
>  service-policy input police-10mbit-in
> !
>
> I've also tried with just class-default, but got the same result.
>
> I am currently using the "vlan" SDM profile, if that makes any difference.
>
> Cheers,
> Tom