How are you determining if the policing is working? For reference purposes the 2960 switch polices AFTER incoming BW is calculated. The 2960 also does not police outgoing bandwidth.
Mack

-----Original Message-----
From: Vincent C Jones [mailto:[email protected]]
Sent: Thursday, December 22, 2011 11:21 AM
To: Mack McBride
Cc: [email protected]
Subject: Re: [c-nsp] Switch support for IPv6 policing

hi Mack,

Tried c2960-lanbasek9-mz.150-1.SE and 2960-lanbasek9-mz.122-58.SE2. Same results. Show sdm and run (abridged) are below

Switch-1#show sdm prefer
 The current template is "dual-ipv4-and-ipv6 default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 0 routed interfaces and 255 VLANs.

  number of unicast mac addresses:                  7.5K
  number of IPv4 IGMP groups + multicast routes:    0.25K
  number of IPv4 unicast routes:                    0
  number of IPv6 multicast groups:                  0.375k
  number of directly-connected IPv6 addresses:      0
  number of indirect IPv6 unicast routes:           0
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.125k
  number of IPv4/MAC security aces:                 0.375k
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          0
  number of IPv6 security aces:                     0.125k

Switch-1#sho run
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$66fH$YUPTZu6udRWYE4j.E67G7/
!
username cisco password 0 cisco
username vcjones secret 5 $1$YchQ$Sp6VUmtJHCz8uiu1SwIXx.
no aaa new-model
system mtu routing 1500
vtp mode transparent
!
!
no ip domain-lookup
ip domain-name test.lab
ip host x23 192.168.100.126
ip host x61 192.168.100.129
!
mls qos
!
mac access-list extended ACL_All_MAC
 permit any any
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2-9,100,143,200,666
!
class-map match-all CM_All_MAC
 match access-group name ACL_All_MAC
class-map match-any CM_AllIPv6byProto
 match protocol ipv6
class-map match-any CM_AllIPv4byProto
 match protocol ip
class-map match-any CM_AllIPv6byACL
 match access-group name ACL_AllIPv6
class-map match-any CM_AllIPv4byACL
 match access-group name ACL_AllIPv4
class-map match-any CM_AllIPv46byACL
 match access-group name ACL_AllIPv4
 match access-group name ACL_AllIPv6
class-map match-any CM_AllIPv46byProto
 match protocol ip
 match protocol ipv6
!
policy-map PM_AllIPv46byProto
 description Silently rejected from I/F cfg
 class CM_AllIPv46byProto
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv4byACL
 description IPv4 - OK, IPv6 - NO
 class CM_AllIPv4byACL
  police 8000 8000 exceed-action drop
policy-map PM_All_MAC
 description IPv4 - NO, IPv6 - NO
 class CM_All_MAC
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv4byProto
 description Silently rejected from I/F cfg
 class CM_AllIPv4byProto
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv46byACL
 description Silently rejected from I/F cfg
 class CM_AllIPv46byACL
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv6byProto
 description Silently rejected from I/F cfg
 class CM_AllIPv6byProto
  police 8000 8000 exceed-action drop
policy-map PM_AllIPv6byACL
 description Silently rejected from I/F cfg
 class CM_AllIPv6byACL
  police 8000 8000 exceed-action drop
policy-map PM_Default
 description IPv4 - OK, IPv6 - NO
 class class-default
  police 8000 8000 exceed-action drop
!
!
interface FastEthernet0/17
 description Test user interface
 switchport access vlan 143
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 service-policy input PM_Default
!
!
interface GigabitEthernet0/1
 description Uplink to LAN
 switchport access vlan 143
 switchport mode access
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 no cdp enable
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan143
 ip address 192.168.100.20 255.255.255.0
 no ip route-cache
!
ip http server
ip http secure-server
!
ip access-list extended ACL_AllIPv4
 permit ip any any
logging esm config
!
ipv6 access-list ACL_AllIPv6
 sequence 20 permit ipv6 any any
!
line con 0
 exec-timeout 600 0
line vty 0 4
 exec-timeout 600 0
 login local
line vty 5 15
 exec-timeout 600 0
 login local
!
ntp server 192.168.100.126
end

Are you sure that you actually got policing using the MAC address method? The switch accepts it, and it shows up in the running config, it just doesn't do anything.... (setting the policing to 8000 8000 allows triggering policing using ping -i .2 -s 1000 host, when policing is working, only every fifth ping gets through).

Vince

On Thu, 2011-12-22 at 07:13 -0800, Mack McBride wrote:
> That is odd I have previously used the mac address method on the 2960. Have
> you tried a different code rev?
>
> Mack
>
> ----- Original Message -----
> From: Vincent C Jones [mailto:[email protected]]
> Sent: Thursday, December 22, 2011 07:07 AM
> To: Mack McBride
> Cc: cisco-nsp <[email protected]>
> Subject: RE: [c-nsp] Switch support for IPv6 policing
>
> FWIW, while using "class-default" or a MAC filter would be logical
> ways to avoid IPv4 dependencies, neither seems to work, although both
> could be applied to an interface. This is unlike class-maps which
> reference IPv6 ACLs, which are accepted without errors, along with policy maps
> which reference them, but any service-policy statement on the
> interface is silently ignored and never shows up in the configuration.
>
> Test results:
> class-default throttles IPv4 but not IPv6.
> ANY-MAC does not throttle IPv4 or IPv6.
>
> cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K
> bytes of memory.
> Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version
> 12.2(58)SE2, RELEASE SOFTWARE (fc1)
>
> So I repeat the question... what is the cheapest Cisco switch with gig
> uplinks which supports IPv6 ingress filtering and policing, or,
> lacking a definitive answer, is there a feature to check for in the
> software advisor or other publicly available resource that reflects
> this critical functionality?
>
> Vince
>
>
> On Wed, 2011-12-21 at 14:01 -0800, Mack McBride wrote:
> > Use a mac access-list or class-default
> >
> > mac access-list extended ALL
> >  permit any any
> > class-map match-all ANY-MAC
> >  match access-group name ALL
> > policy-map 10M
> >  class ANY-MAC
> >   police 10000000 1000000 exceed-action drop
> >
> > or
> >
> > policy-map 10M
> >  class class-default
> >   police 10000000 1000000 exceed-action drop
> >
> > LR Mack McBride
> > Network Architect
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Vincent C Jones
> > Sent: Tuesday, December 20, 2011 6:28 PM
> > To: cisco-nsp
> > Subject: [c-nsp] Switch support for IPv6 policing
> >
> > Arrgh. Currently filtering and policing user traffic on Cisco 2960 switches
> > and discovered the hard way that the ingress policy ONLY applies itself to
> > IPv4 packets and only IPv4 access-groups can be applied to an interface.
> > What Cisco switches do I have to upgrade to in order to filter and police
> > ALL customer traffic and not just IPv4 traffic?
> >
> > Vince
> >
> > _______________________________________________
> > cisco-nsp mailing list
> > [email protected]
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
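Added example (not part of the thread, and not Cisco code): Vince's test, "police 8000 8000 exceed-action drop" on the port and "ping -i .2 -s 1000" from the host, gives a simple way to verify that a policer is really applied rather than merely accepted into the running config. The model below replays that test through an idealised single token bucket (rate in bits per second, burst in bytes, bucket starts full) and shows why roughly every fifth ping conforms once the burst credit is spent. Assumptions, labelled in the code: the policer is a plain token bucket with no extended burst, and it counts the IP length of each packet (1000-byte payload plus 8-byte ICMP header plus 20-byte IPv4 header); a real switch may count Layer 2 framing as well, which shifts the numbers slightly but not the shape of the result.

```python
"""Token-bucket model of the 'police 8000 8000 exceed-action drop' verification test.

Added example for the cisco-nsp thread above; it is not the switch's actual
policer implementation. It models the policer as an idealised single token
bucket and replays 'ping -i .2 -s 1000' through it.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucketPolicer:
    """Single-rate policer: 'police <rate_bps> <burst_bytes> exceed-action drop'."""
    rate_bps: int                     # committed rate, first argument to 'police'
    burst_bytes: int                  # normal burst in bytes, second argument
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        # Assumption: the bucket starts full, so the first packets get burst credit.
        self.tokens = float(self.burst_bytes)

    def offer(self, t, size):
        """Offer a packet of `size` bytes at time `t` (seconds).

        Returns True when the packet conforms (forwarded) and False when it
        exceeds (dropped by 'exceed-action drop').
        """
        # Credit accrues at rate_bps/8 bytes per second, capped at the burst size.
        elapsed = t - self.last_t
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bps / 8.0)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def simulate_ping_test(rate_bps=8000, burst_bytes=8000, interval=0.2, payload=1000, count=50):
    """Replay 'ping -i <interval> -s <payload>' through the policer; one bool per packet."""
    # Assumption: the policer counts IP length = payload + 8 (ICMP) + 20 (IPv4 header).
    size = payload + 8 + 20
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    return [policer.offer(i * interval, size) for i in range(count)]


def steady_state_gap(rate_bps, size):
    """Seconds between conforming packets after the burst is exhausted.

    Each forwarded packet needs `size` bytes of credit, refilled at rate_bps/8
    bytes per second, so the long-run spacing is size*8/rate_bps seconds.
    """
    return size * 8 / rate_bps


def summarize(results, interval):
    """Forwarded/dropped counts plus the time of the first drop (None if nothing dropped)."""
    first_drop = next((i for i, ok in enumerate(results) if not ok), None)
    forwarded = sum(results)
    return {
        "forwarded": forwarded,
        "dropped": len(results) - forwarded,
        "first_drop_at_s": None if first_drop is None else first_drop * interval,
    }


if __name__ == "__main__":
    res = simulate_ping_test()
    # '.' = forwarded, 'x' = dropped; the burst credit is used up after about
    # nine 1028-byte pings, then only about one ping in five gets through.
    print("".join("." if ok else "x" for ok in res))
    print(summarize(res, 0.2))
    print("steady-state gap: %.3f s (every ~%.1f pings at 0.2 s)"
          % (steady_state_gap(8000, 1028), steady_state_gap(8000, 1028) / 0.2))
```

Reading the output as a check: a policer that is applied gives a short run of replies followed by mostly lost pings; a "policer" that the switch accepted but is not actually enforcing (the MAC-ACL case in the thread) lets every ping through. The same model answers Mack's opening question: with 1028-byte packets and an 8000 bps rate the steady-state spacing is 1.028 s, so at 0.2 s per ping about one in five conforms, which is exactly the pattern Vince reports.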
