Testing is fairly simple. I set the police value to 8000 bps (1KByte/s), 8000 byte burst. Then send 1000 byte ICMP ping packets at a rate of 5/sec to a dual-stacked PC on the switch port Fa0/17. The responses are policed as they enter the switch for the return journey. Except as noted in the policy descriptions, they are not. When policing is working correctly, the first 10 or so pings work fine, then only every fifth ping succeeds. Makes the policing very obvious, even if the numbers are artificially low.
Capture from a semi-working policing (PM_Default):

IP version 4:

vcjones@X61:~> ping hp-wired -s 1000 -i .2
PING hp-wired (192.168.100.128) 1000(1028) bytes of data.
1008 bytes from hp-wired (192.168.100.128): icmp_seq=1 ttl=64 time=1.37 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=2 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=3 ttl=64 time=1.09 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=4 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=5 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=6 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=7 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=10 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=15 ttl=64 time=1.02 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=20 ttl=64 time=1.05 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=25 ttl=64 time=1.07 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=31 ttl=64 time=1.12 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=36 ttl=64 time=1.09 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=41 ttl=64 time=1.11 ms
^C
--- hp-wired ping statistics ---
44 packets transmitted, 14 received, 68% packet loss, time 8832ms
rtt min/avg/max/mdev = 1.028/1.084/1.376/0.094 ms
vcjones@X61:~>

IP version 6:

1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21334 ttl=64 time=1.00 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21335 ttl=64 time=0.889 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21336 ttl=64 time=1.00 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21337 ttl=64 time=0.789 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21338 ttl=64 time=0.862 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21339 ttl=64 time=0.982 ms

FYI: I am not concerned with the documented limitations of the 2960; those were evaluated before selecting the hardware for this application. It is the undocumented limitations which are killing me.

Vince

On Thu, 2011-12-22 at 14:14 -0800, Mack McBride wrote:
> How are you determining if the policing is working?
> For reference purposes the 2960 switch polices AFTER incoming BW is
> calculated.
> The 2960 also does not police outgoing bandwidth.
>
> Mack
>
> -----Original Message-----
> From: Vincent C Jones [mailto:[email protected]]
> Sent: Thursday, December 22, 2011 11:21 AM
> To: Mack McBride
> Cc: [email protected]
> Subject: Re: [c-nsp] Switch support for IPv6 policing
>
> Hi Mack,
>
> Tried c2960-lanbasek9-mz.150-1.SE and 2960-lanbasek9-mz.122-58.SE2. Same
> results. Show sdm and run (abridged) are below.
>
> Switch-1#show sdm prefer
> The current template is "dual-ipv4-and-ipv6 default" template.
> The selected template optimizes the resources in the switch to support this
> level of features for
> 0 routed interfaces and 255 VLANs.
>
> number of unicast mac addresses: 7.5K
> number of IPv4 IGMP groups + multicast routes: 0.25K
> number of IPv4 unicast routes: 0
> number of IPv6 multicast groups: 0.375k
> number of directly-connected IPv6 addresses: 0
> number of indirect IPv6 unicast routes: 0
> number of IPv4 policy based routing aces: 0
> number of IPv4/MAC qos aces: 0.125k
> number of IPv4/MAC security aces: 0.375k
> number of IPv6 policy based routing aces: 0
> number of IPv6 qos aces: 0
> number of IPv6 security aces: 0.125k
>
> Switch-1#sho run
>
> !
> version 15.0
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Switch-1
> !
> boot-start-marker
> boot-end-marker
> !
> enable secret 5 $1$66fH$YUPTZu6udRWYE4j.E67G7/
> !
> username cisco password 0 cisco
> username vcjones secret 5 $1$YchQ$Sp6VUmtJHCz8uiu1SwIXx.
> no aaa new-model
> system mtu routing 1500
> vtp mode transparent
> !
> !
> no ip domain-lookup
> ip domain-name test.lab
> ip host x23 192.168.100.126
> ip host x61 192.168.100.129
> !
> mls qos
> !
> mac access-list extended ACL_All_MAC
>  permit any any
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> vlan internal allocation policy ascending
> !
> vlan 2-9,100,143,200,666
> !
> class-map match-all CM_All_MAC
>  match access-group name ACL_All_MAC
> class-map match-any CM_AllIPv6byProto
>  match protocol ipv6
> class-map match-any CM_AllIPv4byProto
>  match protocol ip
> class-map match-any CM_AllIPv6byACL
>  match access-group name ACL_AllIPv6
> class-map match-any CM_AllIPv4byACL
>  match access-group name ACL_AllIPv4
> class-map match-any CM_AllIPv46byACL
>  match access-group name ACL_AllIPv4
>  match access-group name ACL_AllIPv6
> class-map match-any CM_AllIPv46byProto
>  match protocol ip
>  match protocol ipv6
> !
> policy-map PM_AllIPv46byProto
>  description Silently rejected from I/F cfg
>  class CM_AllIPv46byProto
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv4byACL
>  description IPv4 - OK, IPv6 - NO
>  class CM_AllIPv4byACL
>   police 8000 8000 exceed-action drop
> policy-map PM_All_MAC
>  description IPv4 - NO, IPv6 - NO
>  class CM_All_MAC
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv4byProto
>  description Silently rejected from I/F cfg
>  class CM_AllIPv4byProto
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv46byACL
>  description Silently rejected from I/F cfg
>  class CM_AllIPv46byACL
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv6byProto
>  description Silently rejected from I/F cfg
>  class CM_AllIPv6byProto
>   police 8000 8000 exceed-action drop
> policy-map PM_AllIPv6byACL
>  description Silently rejected from I/F cfg
>  class CM_AllIPv6byACL
>   police 8000 8000 exceed-action drop
> policy-map PM_Default
>  description IPv4 - OK, IPv6 - NO
>  class class-default
>   police 8000 8000 exceed-action drop
> !
> !
> interface FastEthernet0/17
>  description Test user interface
>  switchport access vlan 143
>  switchport mode access
>  switchport nonegotiate
>  spanning-tree portfast
>  service-policy input PM_Default
> !
> !
> interface GigabitEthernet0/1
>  description Uplink to LAN
>  switchport access vlan 143
>  switchport mode access
>  switchport nonegotiate
>  switchport block multicast
>  switchport block unicast
>  no cdp enable
> !
> interface Vlan1
>  no ip address
>  no ip route-cache
> !
> interface Vlan143
>  ip address 192.168.100.20 255.255.255.0
>  no ip route-cache
> !
> ip http server
> ip http secure-server
> !
> ip access-list extended ACL_AllIPv4
>  permit ip any any
> logging esm config
> !
> ipv6 access-list ACL_AllIPv6
>  sequence 20 permit ipv6 any any
> !
> line con 0
>  exec-timeout 600 0
> line vty 0 4
>  exec-timeout 600 0
>  login local
> line vty 5 15
>  exec-timeout 600 0
>  login local
> !
> ntp server 192.168.100.126
> end
>
> Are you sure that you actually got policing using the MAC address method? The
> switch accepts it, and it shows up in the running config, it just doesn't do
> anything.... (setting the policing to 8000 8000 allows triggering policing
> using ping -i .2 -s 1000 host; when policing is working, only every fifth
> ping gets through).
>
> Vince
>
> On Thu, 2011-12-22 at 07:13 -0800, Mack McBride wrote:
> > That is odd, I have previously used the mac address method on the 2960.
> > Have you tried a different code rev?
> >
> > Mack
> >
> > ----- Original Message -----
> > From: Vincent C Jones [mailto:[email protected]]
> > Sent: Thursday, December 22, 2011 07:07 AM
> > To: Mack McBride
> > Cc: cisco-nsp <[email protected]>
> > Subject: RE: [c-nsp] Switch support for IPv6 policing
> >
> > FWIW, while using "class-default" or a MAC filter would be logical
> > ways to avoid IPv4 dependencies, neither seems to work, although both
> > could be applied to an interface. This is unlike class-maps which
> > reference IPv6 ACLs, which are accepted without errors, along with
> > policy maps which reference them, but any service-policy statement on
> > the interface is silently ignored and never shows up in the configuration.
> >
> > Test results:
> > class-default throttles IPv4 but not IPv6.
> > ANY-MAC does not throttle IPv4 or IPv6.
> >
> > cisco WS-C2960-24TT-L (PowerPC405) processor (revision D0) with 65536K
> > bytes of memory.
> > Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version
> > 12.2(58)SE2, RELEASE SOFTWARE (fc1)
> >
> > So I repeat the question... what is the cheapest Cisco switch with gig
> > uplinks which supports IPv6 ingress filtering and policing, or,
> > lacking a definitive answer, is there a feature to check for in the
> > software advisor or other publicly available resource that reflects
> > this critical functionality?
> >
> > Vince
> >
> >
> > On Wed, 2011-12-21 at 14:01 -0800, Mack McBride wrote:
> > > Use a mac access-list or class-default
> > >
> > > mac access-list extended ALL
> > >  permit any any
> > > class-map match-all ANY-MAC
> > >  match access-group name ALL
> > > policy-map 10M
> > >  class ANY-MAC
> > >   police 10000000 1000000 exceed-action drop
> > >
> > > or
> > >
> > > policy-map 10M
> > >  class class-default
> > >   police 10000000 1000000 exceed-action drop
> > >
> > > LR Mack McBride
> > > Network Architect
> > >
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]] On Behalf Of Vincent C
> > > Jones
> > > Sent: Tuesday, December 20, 2011 6:28 PM
> > > To: cisco-nsp
> > > Subject: [c-nsp] Switch support for IPv6 policing
> > >
> > > Arrgh. Currently filtering and policing user traffic on Cisco 2960
> > > switches and discovered the hard way that the ingress policy ONLY applies
> > > itself to IPv4 packets and only IPv4 access-groups can be applied to an
> > > interface. What Cisco switches do I have to upgrade to in order to filter
> > > and police ALL customer traffic and not just IPv4 traffic?
> > >
> > > Vince
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list [email protected]
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
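The test method described at the top of this message (police 8000 bps with an 8000-byte burst, 1000-byte pings at 5/s, a short run of successes and then roughly every fifth reply) can be sanity-checked against an idealized single-rate token bucket, and the same check can be run over captured ping output to decide whether a policy is actually dropping anything. This is an added example, not code from the thread or from Cisco; it assumes each reply is charged as its 1028 IP bytes and that the bucket starts full, and the sample ping lines are constructed excerpts patterned on the captures above.

```python
"""Added example: idealized token-bucket policer plus a ping-output checker.
Models the thread's test (police 8000 bps, 8000-byte burst; 1000-byte pings at
5/s). Assumed, not from the thread: pings are charged as 1028 IP bytes and the
bucket starts full; the real 2960 counts frame bytes, so its list differs."""
import re

# Constructed excerpts in ping(8) format, patterned on the thread's captures.
IPV4_SAMPLE = """\
1008 bytes from hp-wired (192.168.100.128): icmp_seq=6 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=7 ttl=64 time=1.03 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=10 ttl=64 time=1.04 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=15 ttl=64 time=1.02 ms
1008 bytes from hp-wired (192.168.100.128): icmp_seq=20 ttl=64 time=1.05 ms
"""
IPV6_SAMPLE = """\
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21334 ttl=64 time=1.00 ms
1008 bytes from 2001:470:1f07:110f:222:64ff:fe83:11a2: icmp_seq=21335 ttl=64 time=0.889 ms
"""

def police(packet_bytes, interval_ms, count, rate_bps, burst_bytes):
    """Return the 1-based sequence numbers a single-rate policer lets through."""
    refill = rate_bps * interval_ms // 8000   # bytes credited per packet interval
    tokens = burst_bytes                      # bucket starts full (assumption)
    passed = []
    for seq in range(1, count + 1):
        if seq > 1:
            tokens = min(burst_bytes, tokens + refill)
        if tokens >= packet_bytes:            # conform: forward, charge the bucket
            tokens -= packet_bytes
            passed.append(seq)                # exceed: drop, bucket unchanged
    return passed

def parse_ping_seqs(output):
    """Pull icmp_seq values out of ping output (IPv4 and IPv6 lines alike)."""
    return [int(m) for m in re.findall(r"icmp_seq=(\d+)", output)]

def pass_pattern(seqs):
    """Split received seqs into the initial unbroken run and the gaps after it.
    An active policer shows a short run then gaps; no gaps means nothing dropped."""
    run = min(1, len(seqs))
    while run < len(seqs) and seqs[run] == seqs[run - 1] + 1:
        run += 1
    gaps = [b - a for a, b in zip(seqs[run - 1:], seqs[run:])]
    return run, gaps

if __name__ == "__main__":
    print("model:", pass_pattern(police(1028, 200, 44, 8000, 8000)))
    print("IPv4 :", pass_pattern(parse_ping_seqs(IPV4_SAMPLE)))
    print("IPv6 :", pass_pattern(parse_ping_seqs(IPV6_SAMPLE)))
```

The model predicts a run of 9 and then gaps of 5 (occasionally 6) at these numbers, which is the same shape as the IPv4 capture; an unbroken run with no gaps, as in the IPv6 capture, means the policy never dropped a reply.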
