[c-nsp] Ingress policing on a 3560

Ziv Leyes zivl at gilat.net
Tue Jun 2 08:43:03 EDT 2009


I'm applying the same thing you need, using DSCP instead of MAC for "all traffic", and it's working well. Here's a sample:

class-map match-all ALL-TRAFFIC
  match ip dscp 0
!
policy-map 7-MEGA
  class ALL-TRAFFIC
    police 7168000 1344000 exceed-action drop
!
interface FastEthernet0/1
  description 7 Megabit rated interface sample
  service-policy input 7-MEGA
!



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Storey
Sent: Monday, June 01, 2009 5:39 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Ingress policing on a 3560

Hi all.

What I'm trying to do is police ingress on a port, using a MAC ACL to
match traffic to police (just a "permit any any" to match all traffic).

But what I'm getting is that the switch doesn't appear to be matching any
traffic at all.

sw2#sh int gi0/14 | inc put rate
  30 second input rate 20449000 bits/sec, 1688 packets/sec
  30 second output rate 2620000 bits/sec, 1690 packets/sec
sw2#sh policy-map int gi0/14
 GigabitEthernet0/14

  Service-policy input: police-10mbit-in

    Class-map: mac-any-any (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group name mac-any-any
        0 packets, 0 bytes
        30 second rate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        30 second rate 0 bps

Does anyone have any pointers as to what I'm doing wrong? Below is my config.

mac access-list extended mac-any-any
 permit any any
!
class-map match-any mac-any-any
 match access-group name mac-any-any
!
policy-map police-10mbit-in
 class mac-any-any
  police 10000000 1000000 exceed-action drop
!
interface GigabitEthernet0/14
 service-policy input police-10mbit-in
!

I've also tried with just class-default, but got the same result.

I am currently using the "vlan" SDM profile, if that makes any difference.

Cheers,
Tom

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

 
 
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
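
An added example, not part of either poster's message: a generic token-bucket model of `police <rate-bps> <burst-bytes> exceed-action drop`, run against the input rate shown in the quoted `show interface` output. The token-bucket behaviour is an assumption (the thread does not describe the 3560's hardware policer), and `police`, `constant_stream` and `summarize` are hypothetical helper names.

```python
# Added illustration: textbook single-rate token-bucket policer.
# Assumptions: tokens are bytes, refilled continuously at rate_bps / 8 and
# capped at burst_bytes; the bucket starts full; a packet conforms only if
# the bucket holds at least its size, otherwise it is dropped.

def police(packets, rate_bps, burst_bytes):
    """packets: time-ordered (arrival_time_s, size_bytes) pairs.
    Returns (conformed_bytes, dropped_bytes)."""
    tokens = float(burst_bytes)
    last = 0.0
    conformed = dropped = 0
    for t, size in packets:
        # Refill for the time elapsed since the previous packet.
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8.0)
        last = t
        if size <= tokens:
            tokens -= size
            conformed += size
        else:
            dropped += size  # exceed-action drop
    return conformed, dropped


def constant_stream(bps, pps, seconds):
    """Constructed traffic: evenly spaced, equal-sized packets."""
    size = bps // (8 * pps)
    return [(i / pps, size) for i in range(int(pps * seconds))]


def summarize(rate_bps, burst_bytes, offered_bps, pps, seconds):
    """Average conformed and dropped rate over the run, in bits/sec."""
    conformed, dropped = police(
        constant_stream(offered_bps, pps, seconds), rate_bps, burst_bytes)
    return {"conformed_bps": conformed * 8 / seconds,
            "dropped_bps": dropped * 8 / seconds}


if __name__ == "__main__":
    # Offered load from the quoted output: 20449000 bits/sec, 1688 packets/sec.
    for name, rate, burst in (("police-10mbit-in", 10000000, 1000000),
                              ("7-MEGA", 7168000, 1344000)):
        print(name, summarize(rate, burst, 20449000, 1688, 10))
```

Over a short window the conformed rate sits above the configured rate because the initial burst allowance is spent first; over longer runs it converges on the configured rate.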


 
 