[c-nsp] Switch support for IPv6 policing

Vincent C Jones v.jones at networkingunlimited.com
Thu Dec 22 13:20:46 EST 2011


Hi Mack,

Tried c2960-lanbasek9-mz.150-1.SE and 2960-lanbasek9-mz.122-58.SE2. Same
results. Show sdm and run (abridged) are below.

Switch-1#show sdm prefer
 The current template is "dual-ipv4-and-ipv6 default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 0 routed interfaces and 255 VLANs.

  number of unicast mac addresses:                  7.5K
  number of IPv4 IGMP groups + multicast routes:    0.25K
  number of IPv4 unicast routes:                    0
  number of IPv6 multicast groups:                  0.375k
  number of directly-connected IPv6 addresses:      0
  number of indirect IPv6 unicast routes:           0
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.125k
  number of IPv4/MAC security aces:                 0.375k
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          0
  number of IPv6 security aces:                     0.125k

Switch-1#sho run

!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$66fH$YUPTZu6udRWYE4j.E67G7/
!
username cisco password 0 cisco
username vcjones secret 5 $1$YchQ$Sp6VUmtJHCz8uiu1SwIXx.
no aaa new-model
system mtu routing 1500
vtp mode transparent
!
!
no ip domain-lookup
ip domain-name test.lab
ip host x23 192.168.100.126
ip host x61 192.168.100.129
!
mls qos
!
mac access-list extended ACL_All_MAC
 permit any any
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2-9,100,143,200,666 
!
class-map match-all CM_All_MAC
  match access-group name ACL_All_MAC
class-map match-any CM_AllIPv6byProto
  match protocol ipv6
class-map match-any CM_AllIPv4byProto
  match protocol ip
class-map match-any CM_AllIPv6byACL
  match access-group name ACL_AllIPv6
class-map match-any CM_AllIPv4byACL
  match access-group name ACL_AllIPv4
class-map match-any CM_AllIPv46byACL
  match access-group name ACL_AllIPv4
  match access-group name ACL_AllIPv6
class-map match-any CM_AllIPv46byProto
  match protocol ip
  match protocol ipv6
!
policy-map PM_AllIPv46byProto
 description Silently rejected from I/F cfg
 class CM_AllIPv46byProto
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv4byACL
 description IPv4 - OK, IPv6 - NO
 class CM_AllIPv4byACL
  police 8000 8000 exceed-action drop
policy-map PM_All_MAC
 description IPv4 - NO, IPv6 - NO
 class CM_All_MAC
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv4byProto
 description Silently rejected from I/F cfg
 class CM_AllIPv4byProto
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv46byACL
 description Silently rejected from I/F cfg
 class CM_AllIPv46byACL
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv6byProto
 description Silently rejected from I/F cfg
 class CM_AllIPv6byProto
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv6byACL
 description Silently rejected from I/F cfg
 class CM_AllIPv6byACL
  police 8000 8000 exceed-action drop
policy-map PM_Default
 description IPv4 - OK, IPv6 - NO
 class class-default
  police 8000 8000 exceed-action drop
!
!
interface FastEthernet0/17
 description Test user interface
 switchport access vlan 143
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 service-policy input PM_Default
!
!
interface GigabitEthernet0/1
 description Uplink to LAN
 switchport access vlan 143
 switchport mode access
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 no cdp enable
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan143
 ip address 192.168.100.20 255.255.255.0
 no ip route-cache
!
ip http server
ip http secure-server
!
ip access-list extended ACL_AllIPv4
 permit ip any any
logging esm config
!
ipv6 access-list ACL_AllIPv6
 sequence 20 permit ipv6 any any
!
line con 0
 exec-timeout 600 0
line vty 0 4
 exec-timeout 600 0
 login local
line vty 5 15
 exec-timeout 600 0
 login local
!
ntp server 192.168.100.126
end
 
Are you sure that you actually got policing using the MAC address
method? The switch accepts it, and it shows up in the running config, it
just doesn't do anything.... (setting the policing to 8000 8000 allows
triggering policing using ping -i .2 -s 1000 host, when policing is
working, only every fifth ping gets through).

Vince

On Thu, 2011-12-22 at 07:13 -0800, Mack McBride wrote:
> That is odd, I have previously used the mac address method on the 2960.  Have you tried a different code rev?
> 
> Mack
> 
> ----- Original Message -----
> From: Vincent C Jones [mailto:v.jones at networkingunlimited.com]
> Sent: Thursday, December 22, 2011 07:07 AM
> To: Mack McBride
> Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> Subject: RE: [c-nsp] Switch support for IPv6 policing
> 
> FWIW, while using "class-default" or a MAC filter would be logical ways
> to avoid IPv4 dependencies, neither seems to work, although both could
> be applied to an interface. This is unlike class-maps which reference
> IPv6 ACLs, which are accepted without errors, along with policy maps
> which reference them, but any service-policy statement on the interface
> is silently ignored and never shows up in the configuration.
> 
> Test results:
>     class-default throttles IPv4 but not IPv6.
>     ANY-MAC does not throttle IPv4 or IPv6. 
> 
> cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K
> bytes of memory.
> Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version
> 12.2(58)SE2, RELEASE SOFTWARE (fc1)
> 
> So I repeat the question... what is the cheapest Cisco switch with gig
> uplinks which supports IPv6 ingress filtering and policing, or, lacking
> a definitive answer, is there a feature to check for in the software
> advisor or other publicly available resource that reflects this critical
> functionality?
> 
> Vince
> 
> 
> On Wed, 2011-12-21 at 14:01 -0800, Mack McBride wrote:
> > Use a mac access-list or class-default
> > 
> > mac access-list extended ALL
> >  permit any any
> > class-map match-all ANY-MAC
> >  match access-group name ALL
> > policy-map 10M
> >  class ANY-MAC
> >   police 10000000 1000000 exceed-action drop
> > 
> > or
> > 
> > policy-map 10M
> >  class class-default
> >   police 10000000 1000000 exceed-action drop
> > 
> > LR Mack McBride
> > Network Architect
> > 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vincent C Jones
> > Sent: Tuesday, December 20, 2011 6:28 PM
> > To: cisco-nsp
> > Subject: [c-nsp] Switch support for IPv6 policing
> > 
> > Arrgh. Currently filtering and policing user traffic on Cisco 2960 switches and discovered the hard way that the ingress policy ONLY applies itself to IPv4 packets and only IPv4 access-groups can be applied to an interface. What Cisco switches do I have to upgrade to in order to filter and police ALL customer traffic and not just IPv4 traffic?
> > 
> > Vince
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
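The test results in this thread (class-default and a MAC-ACL class accepted on the 2960 interface but policing only IPv4; class-maps referencing IPv6 ACLs accepted, yet the `service-policy` line silently never appearing in the configuration) make the running config itself the thing to audit: for every switchport, which address families does the attached input policy classify explicitly, and which ports have no input policy at all? The script below is an added example, not from the thread, from Cisco, or from either poster. It parses a constructed config in the shape of the `show run` posted above and reports class-default and MAC-ACL classes as "catch-all", which on the tested 2960 did not police IPv6. The names `parse_config`, `classify`, `audit` and `ipv6_gaps`, and the `HEADERS` table, are hypothetical.

```python
"""Audit a Catalyst running-config for per-interface ingress policing coverage.
Added example (hypothetical helpers); SAMPLE_CONFIG is a constructed config
modelled on the abridged 'show run' posted in the thread."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
mac access-list extended ACL_All_MAC
 permit any any
class-map match-all CM_All_MAC
  match access-group name ACL_All_MAC
class-map match-any CM_AllIPv46byACL
  match access-group name ACL_AllIPv4
  match access-group name ACL_AllIPv6
policy-map PM_Default
 class class-default
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv46byACL
 class CM_AllIPv46byACL
  police 8000 8000 exceed-action drop
policy-map PM_All_MAC
 class CM_All_MAC
  police 8000 8000 exceed-action drop
interface FastEthernet0/17
 service-policy input PM_Default
interface FastEthernet0/18
 service-policy input PM_AllIPv46byACL
interface FastEthernet0/19
 service-policy input PM_All_MAC
interface GigabitEthernet0/1
 switchport mode access
ip access-list extended ACL_AllIPv4
 permit ip any any
ipv6 access-list ACL_AllIPv6
 sequence 20 permit ipv6 any any
"""

HEADERS = [  # (pattern for an unindented config line, section kind)
    (re.compile(r"(ip|ipv6|mac) access-list(?: extended)? (\S+)$"), "acl"),
    (re.compile(r"class-map match-(?:any|all) (\S+)$"), "class"),
    (re.compile(r"policy-map (\S+)$"), "policy"),
    (re.compile(r"interface (\S+)$"), "iface"),
]

def parse_config(text):
    """Return (acl_family, class_matches, policy_classes, iface_policy)."""
    acl_family, iface_policy = {}, {}
    class_matches, policy_classes = defaultdict(list), defaultdict(list)
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":                       # unindented: a new section header
            kind = name = None
            for pattern, k in HEADERS:
                if m := pattern.match(line):
                    kind, name = k, m.groups()[-1]
                    if k == "acl":              # remember the ACL's address family
                        acl_family[name] = "ipv4" if m.group(1) == "ip" else m.group(1)
                    elif k == "iface":          # every interface is listed, policy or not
                        iface_policy.setdefault(name, None)
                    break
            continue
        if kind == "class" and (m := re.match(r"match access-group name (\S+)$", line)):
            class_matches[name].append(("acl", m.group(1)))
        elif kind == "class" and (m := re.match(r"match protocol (\S+)$", line)):
            class_matches[name].append(("proto", m.group(1)))
        elif kind == "policy" and (m := re.match(r"class (\S+)$", line)):
            policy_classes[name].append(m.group(1))
        elif kind == "iface" and (m := re.match(r"service-policy input (\S+)$", line)):
            iface_policy[name] = m.group(1)
    return acl_family, class_matches, policy_classes, iface_policy

def classify(policy, acl_family, class_matches, policy_classes):
    """Address families a policy-map's classes match explicitly; class-default
    and MAC-ACL classes count as 'catch-all' (policed IPv4 only on the tested 2960)."""
    families = set()
    for cls in policy_classes.get(policy, []):
        if cls == "class-default":
            families.add("catch-all")
        for kind, value in class_matches.get(cls, []):
            if kind == "proto":
                families.add("ipv4" if value == "ip" else value)
            else:
                fam = acl_family.get(value, "unknown")
                families.add("catch-all" if fam == "mac" else fam)
    return families

def audit(text):
    """Map each interface to the families its input policy classifies (empty if none)."""
    acls, classes, policies, ifaces = parse_config(text)
    return {i: classify(p, acls, classes, policies) if p else set() for i, p in ifaces.items()}

def ipv6_gaps(coverage):
    """Interfaces whose ingress policing never classifies IPv6 explicitly."""
    return sorted(i for i, fams in coverage.items() if "ipv6" not in fams)

if __name__ == "__main__":
    coverage = audit(SAMPLE_CONFIG)
    print(coverage, "IPv6 policing gaps:", ipv6_gaps(coverage))
```

Run against a real `show run` capture, the gap list catches both failure modes the thread describes: a port whose policy relies only on class-default or a MAC ACL, and a port whose IPv6 policy was silently dropped and therefore has no `service-policy input` line at all. The script only reads the configuration; whether a listed family is actually enforced still has to be confirmed on the box, for example with the ping-based throttling test described above.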

