[c-nsp] Ingress policing on a 3560

Tassos Chatzithomaoglou achatz at forthnet.gr
Wed Jun 3 08:14:58 EDT 2009


Yep, that is a known way for matching ALL "by-default untrusted" traffic.

--
Tassos

Ziv Leyes wrote on 02/06/2009 15:43:
> I'm applying the same thing you need, using dscp instead of mac for "all traffic", and it's working well. Here's a sample:
> 
> class-map match-all ALL-TRAFFIC
>   match ip dscp 0
> !
> policy-map 7-MEGA
>   class ALL-TRAFFIC
>     police 7168000 1344000 exceed-action drop
> 
> !
> interface FastEthernet0/1
>   description 7 Megabit rated interface sample
>   service-policy input 7-MEGA
> !
> 
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Storey
> Sent: Monday, June 01, 2009 5:39 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Ingress policing on a 3560
> 
> Hi all.
> 
> What I'm trying to do is police ingress on a port, using a MAC ACL to
> match traffic to police (just a "permit any any" to match all traffic).
> 
> But what I'm getting is that the switch doesn't appear to be matching any
> traffic at all.
> 
> sw2#sh int gi0/14 | inc put rate
>   30 second input rate 20449000 bits/sec, 1688 packets/sec
>   30 second output rate 2620000 bits/sec, 1690 packets/sec
> sw2#sh policy-map int gi0/14
>  GigabitEthernet0/14
> 
>   Service-policy input: police-10mbit-in
> 
>     Class-map: mac-any-any (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0 bps, drop rate 0 bps
>       Match: access-group name mac-any-any
>         0 packets, 0 bytes
>         30 second rate 0 bps
> 
>     Class-map: class-default (match-any)
>       0 packets, 0 bytes
>       30 second offered rate 0 bps, drop rate 0 bps
>       Match: any
>         0 packets, 0 bytes
>         30 second rate 0 bps
> 
> Does anyone have any pointers as to what I'm doing wrong? Below is my config.
> 
> mac access-list extended mac-any-any
>  permit any any
> !
> class-map match-any mac-any-any
>  match access-group name mac-any-any
> !
> policy-map police-10mbit-in
>  class mac-any-any
>   police 10000000 1000000 exceed-action drop
> !
> interface GigabitEthernet0/14
>  service-policy input police-10mbit-in
> !
> 
> I've also tried with just class-default, but got the same result.
> 
> I am currently using the "vlan" SDM profile, if that makes any difference.
> 
> Cheers,
> Tom
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
>  
>  
> 


