[c-nsp] Switch support for IPv6 policing

Mack McBride mack.mcbride at viawest.com
Thu Dec 22 10:13:12 EST 2011


That is odd. I have previously used the mac address method on the 2960.  Have you tried a different code rev?

Mack

----- Original Message -----
From: Vincent C Jones [mailto:v.jones at networkingunlimited.com]
Sent: Thursday, December 22, 2011 07:07 AM
To: Mack McBride
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Subject: RE: [c-nsp] Switch support for IPv6 policing

FWIW, while using "class-default" or a MAC filter would be logical ways
to avoid IPv4 dependencies, neither seems to work, although both could
be applied to an interface. This is unlike class-maps which reference
IPv6 ACLs, which are accepted without errors, along with policy maps
which reference them, but any service-policy statement on the interface
is silently ignored and never shows up in the configuration.

Test results:
    class-default throttles IPv4 but not IPv6.
    ANY-MAC does not throttle IPv4 or IPv6. 

cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K
bytes of memory.
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version
12.2(58)SE2, RELEASE SOFTWARE (fc1)

So I repeat the question... what is the cheapest Cisco switch with gig
uplinks which supports IPv6 ingress filtering and policing, or, lacking
a definitive answer, is there a feature to check for in the software
advisor or other publicly available resource that reflects this critical
functionality?

Vince


On Wed, 2011-12-21 at 14:01 -0800, Mack McBride wrote:
> Use a mac access-list or class-default
> 
> mac access-list extended ALL
>  permit any any
> class-map match-all ANY-MAC
>  match access-group name ALL
> policy-map 10M
>  class ANY-MAC
>   police 10000000 1000000 exceed-action drop
> 
> or
> 
> policy-map 10M
>  class class-default
>   police 10000000 1000000 exceed-action drop
> 
> LR Mack McBride
> Network Architect
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vincent C Jones
> Sent: Tuesday, December 20, 2011 6:28 PM
> To: cisco-nsp
> Subject: [c-nsp] Switch support for IPv6 policing
> 
> Arrgh. Currently filtering and policing user traffic on Cisco 2960 switches and discovered the hard way that the ingress policy ONLY applies itself to IPv4 packets and only IPv4 access-groups can be applied to an interface. What Cisco switches do I have to upgrade to in order to filter and police ALL customer traffic and not just IPv4 traffic?
> 
> Vince
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
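
The thread reports that a service-policy can be accepted at the prompt yet never appear in the configuration, so the failure is only visible by inspecting the saved config. The following is an added example, not written by anyone in the thread: a Python check over a constructed running-config excerpt that flags interfaces missing their intended input policy and class-maps that reference an undefined ACL name. The `audit` function, the `expected` mapping and the sample text are assumptions made for illustration.

```python
import re

# Constructed running-config excerpt (not captured from a real switch).
# The class-map deliberately references an ACL name that is never defined,
# and FastEthernet0/2 lacks the service-policy the operator meant to apply.
SAMPLE_CONFIG = """\
mac access-list extended ALL
 permit any any
class-map match-all ANY-MAC
 match access-group name MAC
policy-map 10M
 class ANY-MAC
  police 10000000 1000000 exceed-action drop
interface FastEthernet0/1
 service-policy input 10M
interface FastEthernet0/2
 switchport mode access
"""

def audit(config, expected):
    """Return findings. expected maps interface name -> intended input policy-map."""
    acls, class_refs, applied = set(), {}, {}
    section = []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            section = line.split()  # a top-level command opens a new section
            m = re.match(r"(?:mac|ip|ipv6) access-list (?:\w+ )?(\S+)$", line)
            if m:
                acls.add(m.group(1))
        elif section[:1] == ["class-map"]:
            m = re.match(r"match access-group name (\S+)", line)
            if m:
                class_refs.setdefault(section[-1], []).append(m.group(1))
        elif section[:1] == ["interface"]:
            m = re.match(r"service-policy input (\S+)", line)
            if m:
                applied[section[1]] = m.group(1)
    findings = [f"class-map {c}: ACL {a} is not defined"
                for c, refs in class_refs.items() for a in refs if a not in acls]
    findings += [f"{i}: service-policy input {p} missing from config"
                 for i, p in expected.items() if applied.get(i) != p]
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, {"FastEthernet0/1": "10M", "FastEthernet0/2": "10M"}):
        print(f)
```

A config check like this only confirms that the policy is attached; whether it actually polices IPv6 still has to be verified with test traffic, as the test results in the thread show.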


