[c-nsp] Switch support for IPv6 policing

Vincent C Jones v.jones at networkingunlimited.com
Thu Dec 22 17:59:56 EST 2011


Testing is fairly simple. I set the police value to 8000 bps (1KByte/s),
8000 byte burst. Then send 1000 byte ICMP ping packets at a rate of
5/sec to a dual-stacked PC on the switch port Fa0/17. The responses are
policed as they enter the switch for the return journey. Except as noted
in the policy descriptions, they are not. When policing is working
correctly, the first 10 or so pings work fine, then only every fifth
ping succeeds. Makes the policing very obvious, even if the numbers are
artificially low.

Capture from a semi-working policing (PM_Default):

IP version 4:

vcjones at X61:~> ping hp-wired -s 1000 -i .2
PING hp-wired (192.168.100.128) 1000(1028) bytes of data.
1008 bytes from hp-wired (192.168.100.128): icmp_seq=1 ttl=64 time=1.37 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=2 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=3 ttl=64 time=1.09 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=4 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=5 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=6 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=7 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=10 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=15 ttl=64 time=1.02 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=20 ttl=64 time=1.05 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=25 ttl=64 time=1.07 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=31 ttl=64 time=1.12 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=36 ttl=64 time=1.09 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=41 ttl=64 time=1.11 ms
^C
--- hp-wired ping statistics ---
44 packets transmitted, 14 received, 68% packet loss, time 8832ms
rtt min/avg/max/mdev = 1.028/1.084/1.376/0.094 ms
vcjones at X61:~>

IP version 6:

1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21334 ttl=64 time=1.00 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21335 ttl=64 time=0.889 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21336 ttl=64 time=1.00 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21337 ttl=64 time=0.789 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21338 ttl=64 time=0.862 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21339 ttl=64 time=0.982 ms


FYI: I am not concerned with the documented limitations of the 2960,
those were evaluated before selecting the hardware for this application.
It is the undocumented limitations which are killing me.

Vince

On Thu, 2011-12-22 at 14:14 -0800, Mack McBride wrote:
> How are you determining if the policing is working?
> For reference purposes the 2960 switch polices AFTER incoming BW is calculated.
> The 2960 also does not police outgoing bandwidth.
> 
> Mack
> 
> -----Original Message-----
> From: Vincent C Jones [mailto:v.jones at networkingunlimited.com] 
> Sent: Thursday, December 22, 2011 11:21 AM
> To: Mack McBride
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Switch support for IPv6 policing
> 
> hi Mack,
> 
> Tried c2960-lanbasek9-mz.150-1.SE and 2960-lanbasek9-mz.122-58.SE2. Same results. Show sdm and run (abridged) are below
> 
> Switch-1#show sdm prefer
>  The current template is "dual-ipv4-and-ipv6 default" template.
>  The selected template optimizes the resources in  the switch to support this level of features for
>  0 routed interfaces and 255 VLANs.
> 
>   number of unicast mac addresses:                  7.5K
>   number of IPv4 IGMP groups + multicast routes:    0.25K
>   number of IPv4 unicast routes:                    0
>   number of IPv6 multicast groups:                  0.375k
>   number of directly-connected IPv6 addresses:      0
>   number of indirect IPv6 unicast routes:           0
>   number of IPv4 policy based routing aces:         0
>   number of IPv4/MAC qos aces:                      0.125k
>   number of IPv4/MAC security aces:                 0.375k
>   number of IPv6 policy based routing aces:         0
>   number of IPv6 qos aces:                          0
>   number of IPv6 security aces:                     0.125k
> 
> Switch-1#sho run
> 
> !
> version 15.0
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Switch-1
> !
> boot-start-marker
> boot-end-marker
> !
> enable secret 5 $1$66fH$YUPTZu6udRWYE4j.E67G7/
> !
> username cisco password 0 cisco
> username vcjones secret 5 $1$YchQ$Sp6VUmtJHCz8uiu1SwIXx.
> no aaa new-model
> system mtu routing 1500
> vtp mode transparent
> !
> !
> no ip domain-lookup
> ip domain-name test.lab
> ip host x23 192.168.100.126
> ip host x61 192.168.100.129
> !
> mls qos
> !
> mac access-list extended ACL_All_MAC
>  permit any any
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> vlan internal allocation policy ascending
> !
> vlan 2-9,100,143,200,666
> !
> class-map match-all CM_All_MAC
>   match access-group name ACL_All_MAC
> class-map match-any CM_AllIPv6byProto
>   match protocol ipv6
> class-map match-any CM_AllIPv4byProto
>   match protocol ip
> class-map match-any CM_AllIPv6byACL
>   match access-group name ACL_AllIPv6
> class-map match-any CM_AllIPv4byACL
>   match access-group name ACL_AllIPv4
> class-map match-any CM_AllIPv46byACL
>   match access-group name ACL_AllIPv4
>   match access-group name ACL_AllIPv6
> class-map match-any CM_AllIPv46byProto
>   match protocol ip
>   match protocol ipv6
> !
> policy-map PM_AllIPv46byProto
>  description Silently rejected from I/F cfg
>  class CM_AllIPv46byProto
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv4byACL
>  description IPv4 - OK, IPv6 - NO
>  class CM_AllIPv4byACL
>   police 8000 8000 exceed-action drop
> policy-map PM_All_MAC
>  description IPv4 - NO, IPv6 - NO
>  class CM_All_MAC
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv4byProto
>  description Silently rejected from I/F cfg
>  class CM_AllIPv4byProto
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv46byACL
>  description Silently rejected from I/F cfg
>  class CM_AllIPv46byACL
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv6byProto
>  description Silently rejected from I/F cfg
>  class CM_AllIPv6byProto
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv6byACL
>  description Silently rejected from I/F cfg
>  class CM_AllIPv6byACL
>   police 8000 8000 exceed-action drop
> policy-map PM_Default
>  description IPv4 - OK, IPv6 - NO
>  class class-default
>   police 8000 8000 exceed-action drop
> !
> !
> interface FastEthernet0/17
>  description Test user interface
>  switchport access vlan 143
>  switchport mode access
>  switchport nonegotiate
>  spanning-tree portfast
>  service-policy input PM_Default
> !
> !
> interface GigabitEthernet0/1
>  description Uplink to LAN
>  switchport access vlan 143
>  switchport mode access
>  switchport nonegotiate
>  switchport block multicast
>  switchport block unicast
>  no cdp enable
> !
> interface Vlan1
>  no ip address
>  no ip route-cache
> !
> interface Vlan143
>  ip address 192.168.100.20 255.255.255.0
>  no ip route-cache
> !
> ip http server
> ip http secure-server
> !
> ip access-list extended ACL_AllIPv4
>  permit ip any any
> logging esm config
> !
> ipv6 access-list ACL_AllIPv6
>  sequence 20 permit ipv6 any any
> !
> line con 0
>  exec-timeout 600 0
> line vty 0 4
>  exec-timeout 600 0
>  login local
> line vty 5 15
>  exec-timeout 600 0
>  login local
> !
> ntp server 192.168.100.126
> end
>  
> Are you sure that you actually got policing using the MAC address method? The switch accepts it, and it shows up in the running config, it just doesn't do anything.... (setting the policing to 8000 8000 allows triggering policing using ping -i .2 -s 1000 host, when policing is working, only every fifth ping gets through).
> 
> Vince
> 
> On Thu, 2011-12-22 at 07:13 -0800, Mack McBride wrote:
> > That is odd, I have previously used the mac address method on the 2960.  Have you tried a different code rev?
> > 
> > Mack
> > 
> > ----- Original Message -----
> > From: Vincent C Jones [mailto:v.jones at networkingunlimited.com]
> > Sent: Thursday, December 22, 2011 07:07 AM
> > To: Mack McBride
> > Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> > Subject: RE: [c-nsp] Switch support for IPv6 policing
> > 
> > FWIW, while using "class-default" or a MAC filter would be logical 
> > ways to avoid IPv4 dependencies, neither seems to work, although both 
> > could be applied to an interface. This is unlike class-maps which 
> > reference
> > IPv6 ACLs, which are accepted without errors, along with policy maps 
> > which reference them, but any service-policy statement on the 
> > interface is silently ignored and never shows up in the configuration.
> > 
> > Test results:
> >     class-default throttles IPv4 but not IPv6.
> >     ANY-MAC does not throttle IPv4 or IPv6. 
> > 
> > cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K 
> > bytes of memory.
> > Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 
> > 12.2(58)SE2, RELEASE SOFTWARE (fc1)
> > 
> > So I repeat the question... what is the cheapest Cisco switch with gig 
> > uplinks which supports IPv6 ingress filtering and policing, or, 
> > lacking a definitive answer, is there a feature to check for in the 
> > software advisor or other publicly available resource that reflects 
> > this critical functionality?
> > 
> > Vince
> > 
> > 
> > On Wed, 2011-12-21 at 14:01 -0800, Mack McBride wrote:
> > > Use a mac access-list or class-default
> > > 
> > > mac access-list extended ALL
> > >  permit any any
> > > class-map match-all ANY-MAC
> > >  match access-group name MAC
> > > policy-map 10M
> > >  class ANY-MAC
> > >   police 10000000 1000000 exceed-action drop
> > > 
> > > or
> > > 
> > > policy-map 10M
> > >  class class-default
> > >   police 10000000 1000000 exceed-action drop
> > > 
> > > LR Mack McBride
> > > Network Architect
> > > 
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net 
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vincent C 
> > > Jones
> > > Sent: Tuesday, December 20, 2011 6:28 PM
> > > To: cisco-nsp
> > > Subject: [c-nsp] Switch support for IPv6 policing
> > > 
> > > Arrgh. Currently filtering and policing user traffic on Cisco 2960 switches and discovered the hard way that the ingress policy ONLY applies itself to IPv4 packets and only IPv4 access-groups can be applied to an interface. What Cisco switches do I have to upgrade to in order to filter and police ALL customer traffic and not just IPv4 traffic?
> > > 
> > > Vince
> > > 
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
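The pass/drop pattern Vince uses as his policing check (an initial run of replies, then roughly one in five) is exactly what a single-rate token bucket with drop-on-exceed produces for his numbers: 8000 bps with an 8000-byte bucket, fed 1028-byte IPv4 ping packets (1000 bytes of payload plus ICMP and IPv4 headers, as the "1000(1028)" in the ping banner shows) every 200 ms. The script below is an added example, not code from the thread: it models that policer with exact arithmetic, parses the IPv4 ping output quoted above (re-typed here as the sample input) into the reply sequence numbers, and checks whether the steady-state gap between replies matches what the configured rate predicts. Assumptions: the policer charges the 1028-byte layer-3 size (the switch most likely also counts Ethernet framing and rounds rates to hardware granularity, which is why the page shows 7 initial replies where this ideal model gives 9), and the sample text is a verbatim re-typing of the captured lines.

```python
"""Token-bucket model of the ping-based policing check used in the thread above."""
from fractions import Fraction
from statistics import median
import re

# Constructed sample input: the IPv4 ping lines quoted in the message above,
# re-typed here so the parser has something to run on offline.
SAMPLE_PING_OUTPUT = """\
PING hp-wired (192.168.100.128) 1000(1028) bytes of data.
1008 bytes from hp-wired (192.168.100.128): icmp_seq=1 ttl=64 time=1.37 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=2 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=3 ttl=64 time=1.09 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=4 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=5 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=6 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=7 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=10 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=15 ttl=64 time=1.02 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=20 ttl=64 time=1.05 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=25 ttl=64 time=1.07 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=31 ttl=64 time=1.12 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=36 ttl=64 time=1.09 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=41 ttl=64 time=1.11 ms
--- hp-wired ping statistics ---
44 packets transmitted, 14 received, 68% packet loss, time 8832ms
"""

SEQ_RE = re.compile(r"icmp_seq=(\d+)")


def parse_ping_seqs(text):
    """Sequence numbers of the echo replies that made it back."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(text)]


def simulate_policer(rate_bps, burst_bytes, packet_bytes, interval_ms, count):
    """Single-rate token bucket with exceed-action drop, offered one
    packet_bytes packet every interval_ms.  Returns the 1-based sequence
    numbers of the packets that conform.  Fraction keeps the credit exact."""
    refill = Fraction(rate_bps * interval_ms, 8 * 1000)   # bytes credited per interval
    bucket = Fraction(burst_bytes)                         # bucket starts full
    passed = []
    for seq in range(1, count + 1):
        if seq > 1:
            bucket = min(Fraction(burst_bytes), bucket + refill)
        if bucket >= packet_bytes:
            bucket -= packet_bytes
            passed.append(seq)
    return passed


def expected_gap(rate_bps, packet_bytes, interval_ms):
    """Offered packets per conforming packet once the burst is spent:
    bytes per probe divided by bytes the policer credits per probe interval."""
    return Fraction(packet_bytes * 8 * 1000, rate_bps * interval_ms)


def policing_signature(seqs):
    """Split a reply sequence into (length of the initial unbroken run,
    gaps between the successes that follow it)."""
    burst = 0
    while burst < len(seqs) and seqs[burst] == burst + 1:
        burst += 1
    later = seqs[burst:]
    return burst, [b - a for a, b in zip(later, later[1:])]


def looks_policed(seqs, rate_bps, packet_bytes, interval_ms, tolerance=1.0):
    """True when the steady-state gap between replies matches the policer
    model within `tolerance` probes.  An unbroken reply stream returns False."""
    _, gaps = policing_signature(seqs)
    if len(gaps) < 3:
        return False
    model = float(expected_gap(rate_bps, packet_bytes, interval_ms))
    return abs(median(gaps) - model) <= tolerance


if __name__ == "__main__":
    observed = parse_ping_seqs(SAMPLE_PING_OUTPUT)
    print("observed :", policing_signature(observed))
    print("modelled :", policing_signature(simulate_policer(8000, 8000, 1028, 200, 44)))
    print("policed? :", looks_policed(observed, 8000, 1028, 200))
```

The model predicts a steady-state gap of 1028*8 / (8000*0.2) = 5.14 probes, so the captured pattern of 5,5,5,6,5,5 (an occasional gap of six as the fractional credit accumulates) is what a working policer should show; an IPv6 run returning every sequence number in order is the "not policed" case Vince reports. Because the hardware's byte accounting differs from the layer-3 size used here, the check keys on the steady-state gap, not on the length of the initial burst.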

