[c-nsp] Switch support for IPv6 policing
Mack McBride
mack.mcbride at viawest.com
Thu Dec 22 10:13:12 EST 2011
That is odd. I have previously used the mac address method on the 2960. Have you tried a different code rev?
Mack
----- Original Message -----
From: Vincent C Jones [mailto:v.jones at networkingunlimited.com]
Sent: Thursday, December 22, 2011 07:07 AM
To: Mack McBride
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Subject: RE: [c-nsp] Switch support for IPv6 policing
FWIW, while using "class-default" or a MAC filter would be logical ways
to avoid IPv4 dependencies, neither seems to work, although both could
be applied to an interface. This is unlike class-maps which reference
IPv6 ACLs, which are accepted without errors, along with policy maps
which reference them, but any service-policy statement on the interface
is silently ignored and never shows up in the configuration.
Test results:
class-default throttles IPv4 but not IPv6.
ANY-MAC does not throttle IPv4 or IPv6.
cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K
bytes of memory.
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version
12.2(58)SE2, RELEASE SOFTWARE (fc1)
So I repeat the question... what is the cheapest Cisco switch with gig
uplinks which supports IPv6 ingress filtering and policing, or, lacking
a definitive answer, is there a feature to check for in the software
advisor or other publicly available resource that reflects this critical
functionality?
Vince
On Wed, 2011-12-21 at 14:01 -0800, Mack McBride wrote:
> Use a mac access-list or class-default
>
> mac access-list extended ALL
>  permit any any
> class-map match-all ANY-MAC
>  match access-group name ALL
> policy-map 10M
>  class ANY-MAC
>   police 10000000 1000000 exceed-action drop
>
> or
>
> policy-map 10M
>  class class-default
>   police 10000000 1000000 exceed-action drop
>
> LR Mack McBride
> Network Architect
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vincent C Jones
> Sent: Tuesday, December 20, 2011 6:28 PM
> To: cisco-nsp
> Subject: [c-nsp] Switch support for IPv6 policing
>
> Arrgh. Currently filtering and policing user traffic on Cisco 2960 switches and discovered the hard way that the ingress policy ONLY applies itself to IPv4 packets and only IPv4 access-groups can be applied to an interface. What Cisco switches do I have to upgrade to in order to filter and police ALL customer traffic and not just IPv4 traffic?
>
> Vince
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
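The thread reports that a `service-policy` statement referencing an IPv6 class-map is silently ignored and never shows up in the configuration. The following is an added example, not code from any poster in the thread: it compares the policy each interface was meant to carry against a saved running-config and lists interfaces where the statement is absent. The config excerpt, the `V6-CUST`, `V6-TRAFFIC` and `10M-V6` names, and the `INTENDED` mapping are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the thread). Fa0/2 was meant to
# carry policy 10M-V6, but the service-policy line never made it into the config.
RUNNING_CONFIG = """\
ipv6 access-list V6-CUST
 permit ipv6 any any
!
class-map match-all V6-TRAFFIC
 match access-group name V6-CUST
!
policy-map 10M
 class class-default
  police 10000000 1000000 exceed-action drop
policy-map 10M-V6
 class V6-TRAFFIC
  police 10000000 1000000 exceed-action drop
!
interface FastEthernet0/1
 switchport mode access
 service-policy input 10M
!
interface FastEthernet0/2
 switchport mode access
!
"""

# Hypothetical source of truth: interface -> ingress policy-map it should have.
INTENDED = {"FastEthernet0/1": "10M", "FastEthernet0/2": "10M-V6"}

def applied_policies(config):
    """Return {interface: ingress policy-map name or None} from config text."""
    applied, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            applied[current] = None
        elif current and not line.startswith(" "):
            current = None  # left the interface stanza
        elif current:
            m = re.match(r"\s+service-policy input (\S+)", line)
            if m:
                applied[current] = m.group(1)
    return applied

def missing_policies(config, intended):
    """Interfaces whose intended ingress policy is not present in the config."""
    applied = applied_policies(config)
    return sorted(i for i, p in intended.items() if applied.get(i) != p)
```

A config comparison only catches the silently dropped statement; the `class-default` result in the thread, where the policy is present but IPv6 is not throttled, can only be confirmed by testing with traffic.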