[c-nsp] policing by mac address
Nikolay Shopik
shopik at inblock.ru
Fri Oct 7 08:20:54 EDT 2011
Hey,
I'm trying to configure basic stuff, like policing by mac address on
router and it doesn't match any packets.
class-map match-any shopik
match access-group 700
policy-map ultraspeed
class shopik
police 8000 2000
interface FastEthernet1/1
service-policy input ultraspeed
access-list 700 permit 4487.fc8d.a826 0000.0000.0000
This configuration never work for me, it just doesn't match packets
according show policy-map int fa1/1. If I add additional match like
"match source-address mac 4487.FC8D.A826", this start working. And here
is output from show policy-map int fa1/1.
FastEthernet1/1
Service-policy input: ultraspeed
Class-map: shopik (match-any)
125 packets, 17888 bytes
5 minute offered rate 2000 bps, drop rate 2000 bps
Match: access-group 700
125 packets, 17888 bytes
5 minute rate 2000 bps
Match: source-address mac 4487.FC8D.A826
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 8000 bps, bc 2000 bytes
conformed 101 packets, 11808 bytes; actions:
transmit
exceeded 24 packets, 6080 bytes; actions:
drop
conformed 2000 bps, exceed 2000 bps
This looks odd to me, because it appears to be start matching packets by
mac access-list, while it's not entirely true.
So my question is am I doing this wrong? Why mac access-list doesn't
work? Match source-address, seems doing job but it less scale,
especially when I need masks.
More information about the cisco-nsp
mailing list