[c-nsp] policing by mac address

Tóth András diosbejgli at gmail.com
Fri Oct 7 13:55:45 EDT 2011


Hi Nikolay,

I could not find documentation to confirm it, but I'd not be surprised
if having a MAC ACL in a policy-map were not supported. It might depend
on the platform and IOS, though. For instance, MAC ACLs in CoPP are not
supported on 6500 switches.

I think that could be the reason for having separate "match
source-address mac" and "match destination-address mac" commands as
well, apart from the "match access-group" command.

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1038658
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfmcli2.html

Best regards,
Andras

On Fri, Oct 7, 2011 at 2:20 PM, Nikolay Shopik <shopik at inblock.ru> wrote:
> Hey,
>
> I'm trying to configure basic stuff, like policing by mac address on a
> router, and it doesn't match any packets.
>
> class-map match-any shopik
>  match access-group 700
> policy-map ultraspeed
>  class shopik
>    police 8000 2000
> interface FastEthernet1/1
>  service-policy input ultraspeed
> access-list 700 permit 4487.fc8d.a826 0000.0000.0000
>
> This configuration never works for me; it just doesn't match packets
> according to show policy-map int fa1/1. If I add an additional match like "match
> source-address mac 4487.FC8D.A826", it starts working. And here is the output
> from show policy-map int fa1/1.
>
>  FastEthernet1/1
>
>  Service-policy input: ultraspeed
>
>    Class-map: shopik (match-any)
>      125 packets, 17888 bytes
>      5 minute offered rate 2000 bps, drop rate 2000 bps
>      Match: access-group 700
>        125 packets, 17888 bytes
>        5 minute rate 2000 bps
>      Match: source-address mac 4487.FC8D.A826
>        0 packets, 0 bytes
>        5 minute rate 0 bps
>      police:
>          cir 8000 bps, bc 2000 bytes
>        conformed 101 packets, 11808 bytes; actions:
>          transmit
>        exceeded 24 packets, 6080 bytes; actions:
>          drop
>        conformed 2000 bps, exceed 2000 bps
>
> This looks odd to me, because it appears to start matching packets by the mac
> access-list, while that's not entirely true.
>
> So my question is: am I doing this wrong? Why doesn't the mac access-list work?
> Match source-address seems to do the job, but it scales less well, especially when I
> need masks.
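As an added illustration (this is not code from the thread, from Cisco, or from either poster), here is a small Python script covering the two things the exchange touches on. First, it applies IOS-style MAC wildcard masks the way a 700-series access-list does, so you can predict offline which source MACs an entry such as `access-list 700 permit 4487.fc8d.a826 0000.0000.0000` should cover, including masked entries of the kind Nikolay says he needs. Second, it parses the `show policy-map interface` counters Nikolay posted and flags match criteria that report zero hits while their class is counting packets, which is the symptom he describes. The `access-list 701` OUI entry and the test MACs are constructed for the example; the wildcard interpretation (a 0 bit must match, a 1 bit is don't-care) is the standard IOS semantics.

```python
import re

MASK48 = (1 << 48) - 1


def parse_mac(text):
    """Convert a Cisco dotted MAC such as '4487.fc8d.a826' (any case) to a 48-bit int."""
    hexstr = text.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexstr):
        raise ValueError(f"not a dotted MAC: {text!r}")
    return int(hexstr, 16)


def parse_mac_acl(lines):
    """Parse 'access-list N permit|deny MAC WILDCARD' lines (700-799 MAC ACL syntax)
    into (action, value, wildcard) tuples; lines in any other shape are ignored."""
    entry_re = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(\S+)")
    entries = []
    for line in lines:
        m = entry_re.match(line.strip())
        if m:
            action, mac, wild = m.groups()
            entries.append((action, parse_mac(mac), parse_mac(wild)))
    return entries


def acl_permits(entries, src_mac):
    """First-match evaluation with the implicit deny at the end.
    Wildcard bits: 0 = this bit must match, 1 = don't care (IOS semantics)."""
    mac = parse_mac(src_mac)
    for action, value, wild in entries:
        care = wild ^ MASK48  # bits that must be equal
        if (mac & care) == (value & care):
            return action == "permit"
    return False


def parse_class_counters(output):
    """Extract class and per-criterion packet counters from 'show policy-map interface'.
    Returns {class_name: {"mode": ..., "packets": int, "matches": {criterion: int}}}."""
    cls_re = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
    match_re = re.compile(r"^\s*Match:\s+(.+?)\s*$")
    pkts_re = re.compile(r"^\s*(\d+)\s+packets,\s+\d+\s+bytes")
    result, current, pending = {}, None, None
    for line in output.splitlines():
        m = cls_re.match(line)
        if m:
            current = m.group(1)
            result[current] = {"mode": m.group(2), "packets": None, "matches": {}}
            pending = ("class", None)  # the next 'N packets' line belongs to the class
            continue
        m = match_re.match(line)
        if m and current:
            pending = ("match", m.group(1))  # the next 'N packets' line belongs to this criterion
            continue
        m = pkts_re.match(line)
        if m and pending and current:
            kind, criterion = pending
            if kind == "class":
                result[current]["packets"] = int(m.group(1))
            else:
                result[current]["matches"][criterion] = int(m.group(1))
            pending = None
    return result


def idle_criteria(counters):
    """(class, criterion) pairs where the class counted packets but the criterion
    counted none; in a match-any class that is exactly the oddity from the thread."""
    idle = []
    for name, info in counters.items():
        if info["packets"]:
            for criterion, pkts in info["matches"].items():
                if pkts == 0:
                    idle.append((name, criterion))
    return idle


# The access-list from the thread, plus a constructed OUI-style entry with a real mask.
MAC_ACL_700 = ["access-list 700 permit 4487.fc8d.a826 0000.0000.0000"]
MAC_ACL_OUI = ["access-list 701 permit 4487.fc00.0000 0000.00ff.ffff"]  # constructed

# The 'show policy-map int fa1/1' output Nikolay posted, used here as sample input.
SHOW_POLICY_MAP = """\
 FastEthernet1/1

 Service-policy input: ultraspeed

   Class-map: shopik (match-any)
     125 packets, 17888 bytes
     5 minute offered rate 2000 bps, drop rate 2000 bps
     Match: access-group 700
       125 packets, 17888 bytes
       5 minute rate 2000 bps
     Match: source-address mac 4487.FC8D.A826
       0 packets, 0 bytes
       5 minute rate 0 bps
     police:
         cir 8000 bps, bc 2000 bytes
       conformed 101 packets, 11808 bytes; actions:
         transmit
       exceeded 24 packets, 6080 bytes; actions:
         drop
       conformed 2000 bps, exceed 2000 bps
"""

if __name__ == "__main__":
    for mac in ("4487.FC8D.A826", "4487.fc8d.a827", "4487.fc12.3456"):
        print(mac, "acl700:", acl_permits(parse_mac_acl(MAC_ACL_700), mac),
              "acl701:", acl_permits(parse_mac_acl(MAC_ACL_OUI), mac))
    counters = parse_class_counters(SHOW_POLICY_MAP)
    print(counters)
    print("criteria with zero hits in an active class:", idle_criteria(counters))
```

Run it as-is to see the prediction for the three MACs and the parsed counters; to check a live box, paste the `show policy-map interface` text into `SHOW_POLICY_MAP` and compare `idle_criteria` with what the offline matcher says each source MAC should hit.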