MQC policing works for me, but the counters do not increment.
Rate-limiting doesn't work.

mls qos
access-list 111 permit udp any any
class-map match-all CMAP
 match access-group 111
!
!
policy-map PMAP
 class CMAP
  police 128000 8000 exceed-action drop
interface FastEthernet0/5
 description R5-FA0/1
 no switchport
 ip address 136.1.133.1 255.255.255.0
 service-policy input PMAP
 spanning-tree portfast

SW2#sh policy-map interface
 FastEthernet0/5
  Service-policy input: PMAP
    Class-map: CMAP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 111
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

Loading c2801-adventerprisek9-mz.124-15.T.bin from 136.1.122.6 (via
FastEthernet0/1): !O!.!O!O.!O!OO!.!O!OO!OO!O.!O!OO!O.!O!OO!OO!OO!O

On Fri, Jun 1, 2012 at 9:00 AM, <[email protected]> wrote:
> Today's Topics:
>
> 1. Policing traffic on switch (Kingsley Charles)
> 2. RES: IOS IPS troubleshooting (Carlos Alberto Campos Jardim)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 1 Jun 2012 13:23:53 +0530
> From: Kingsley Charles <[email protected]>
> To: [email protected]
> Subject: [OSL | CCIE_Security] Policing traffic on switch
> Message-ID:
> <CAHs0B04Z+MZxf0hh1PH7Q8YRjq51=acsoqqk6zayd+3ukos...@mail.gmail.com
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi all
>
> I am trying to configure policing and rate-limiting on a switch. It doesn't
> work for me. For rate-limiting, it seems we make the port as a L3 port
> using "no switchport" command which was interesting for me. Tried enabling
> "mls qos" but still rate-limiting or policing doesn't work.
>
> Has anyone tried rate-limiting or policing on a switch?
>
> Snippet from
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_44_se/command/reference/cli1.html#wp5046030
>
>
> Usage Guidelines
>
> QoS must be globally enabled to use QoS classification, policing, mark down
> or drop, queueing, and traffic shaping features. You can create a
> policy-map and attach it to a port before entering the mls qos command.
> However, until you enter the mls qos command, QoS processing is disabled.
>
>
> With regards
> Kings
> ------------------------------
>
> Message: 2
> Date: Fri, 1 Jun 2012 08:51:55 -0300
> From: "Carlos Alberto Campos Jardim" <[email protected]>
> To: "Kingsley Charles" <[email protected]>
> Cc: [email protected]
> Subject: [OSL | CCIE_Security] RES: IOS IPS troubleshooting
> Message-ID:
> <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
>
>
> At this time I am managing with CCP. Do you know how to fix it?
>
> All signatures were tuned to only produce-alert and IOS IPS keeps
> resetting connections without providing any alarm.
>
>
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Friday, June 1, 2012 03:49
> To: Carlos Alberto Campos Jardim
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] IOS IPS troubleshooting
>
>
>
> It is some issue with tcp socket having src port of 443. Are you managing it
> with SDM or CCP?
>
> With regards
> Kings
>
> On Thu, May 31, 2012 at 9:23 PM, Carlos Alberto Campos Jardim
> <[email protected]> wrote:
>
> Hi guys, I have configured IOS IPS and I am getting the following messages:
>
>
>
> *May 31 12:28:59: %IPS-6-TIMEOUT_EVENT: Synwait timer timeout event.
>
> *May 31 12:28:59: %IPS-6-SEND_TCP_PAK: Sending TCP
> packet:(12.12.12.12:443)=>(44.44.44.44:2985),tcp flag:0x4,
> pak:0x3187DEDC, iso:0x2CCD0C60,tcp seq:0x0, tcp ack:0x0,
> tcp_window:65535, ip_checksum:0xDA60, Serial0/0/0,feat_flags:0x10000,
> fast_path(no)
>
>
>
> From statistics I can see:
>
>
>
> Lab_ips_Eng#sh ip ips statistics
>
> Interfaces configured for ips 1
>
> Session creations since subsystem startup or last reset 131182
>
> Current session counts (estab/half-open/terminating) [0:907:0]
>
> Maxever session counts (estab/half-open/terminating) [2:1000:1]
>
> Last session created 00:00:09
>
> Last statistic reset 00:02:17
>
> TCP reassembly statistics
>
> Out-of-order packets dropped 0
>
>
>
>
>
> Do you guys have any insight about these errors?
>
>
>
> Best regards!
>
> Carlos Jardim
>
>
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training,
> please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
>
>
> End of CCIE_Security Digest, Vol 72, Issue 4
> ********************************************
>
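
The behaviour requested by `police 128000 8000 exceed-action drop` in the configuration above can be modelled as a single-rate token bucket (128000 bit/s committed rate, 8000-byte burst). This is an added example, not part of the original post and not Cisco's implementation; the `Policer` class, the `simulate` function and the constant-rate traffic are hypothetical, and switch hardware may refill tokens at a different granularity.

```python
# Added illustration: single-rate token-bucket policer modelled on
# "police 128000 8000 exceed-action drop". Model and traffic are constructed.
from dataclasses import dataclass


@dataclass
class Policer:
    cir_bps: int       # committed information rate, bits per second
    burst_bytes: int   # bucket depth (normal burst), bytes

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full
        self.last = 0.0                        # time of previous packet
        self.conformed = 0                     # bytes forwarded
        self.exceeded = 0                      # bytes dropped

    def offer(self, t: float, size: int) -> bool:
        """Return True if a packet of `size` bytes arriving at time t conforms."""
        # Refill at CIR/8 bytes per second, capped at the burst size.
        refill = (t - self.last) * self.cir_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += size
            return True
        self.exceeded += size  # exceed-action drop
        return False


def simulate(offered_bps: int, pkt_bytes: int, seconds: int,
             cir_bps: int = 128000, burst_bytes: int = 8000) -> Policer:
    """Offer constant-rate traffic (constructed) and return the policer state."""
    policer = Policer(cir_bps, burst_bytes)
    interval = pkt_bytes * 8 / offered_bps          # seconds between packets
    count = (seconds * offered_bps) // (pkt_bytes * 8)
    for i in range(count):
        policer.offer(i * interval, pkt_bytes)
    return policer


if __name__ == "__main__":
    for rate in (100_000, 1_000_000):
        p = simulate(rate, 500, 10)
        print(f"offered {rate} bps: forwarded {p.conformed * 8 // 10} bps, "
              f"dropped {p.exceeded} bytes")
```

Traffic offered below the committed rate passes untouched; traffic above it is clipped to roughly the committed rate plus the initial burst, and the dropped bytes are what a working drop counter would report.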