
Police Traffic Help

cisconoobie
Level 2

I want to limit traffic that is coming from a computer connected to port g1/0/12 on a 3750G switch to 2 megabit but I keep getting an error. Please help.

I do this:

access-list 100 permit ip any any
class-map TRAFFIC
 match access-group 100
policy-map limit-traffic
 class TRAFFIC
  police 2000000 1000000 exceed-action drop
int g1/0/12
 service-policy output limit-traffic

I get this:

police command is not supported for this interface
Configuration failed!
Warning: Assigning a policy map to the output side of an interface not supported

If I do:

service-policy input limit-traffic

it does not police the traffic and goes way over 2 megabit

Help ?


cisconoobie
Level 2

show policy-map interface g1/0/12
 GigabitEthernet1/0/12
  Service-policy input: limit-traffic
    Class-map: TRAFFIC (match-all)
      0 packets, 0 bytes
      offered rate 0 bps, drop rate 0 bps
      Match: access-group 100
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        rate 0 bps

This is what I get if I do INPUT instead of OUTPUT

Hi Friend,

Cisco 3750 switches do not support the service-policy output command, and that's why you are getting the error.

These output and input commands may be confusing. It usually depends on the reference point from where you see it.

In your example if you use service-policy input, you are restricting the traffic to the upstream which seems to be ok.

Output would have been more sensible if configured on the upstream device towards your 3750.

HTH, rate if it does

Narayan

Ok but the input still does not work. I cannot police this traffic at all. Any help ?

Another option would be to use SRR queue on the 3750. It requires quite a bit of configuration but essentially you can mark the traffic with a certain DSCP value. Then attach that DSCP value to a queue (3750's have 4 outbound queues). Then you can shape the traffic per interface by each queue.

More information is below in the attached link.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12235se/scg/swqos.htm#wp1162303

What do you see when you issue the following command?

sh policy-map interface g1/0/X

Narayan

Here is my config:

Current configuration : 2941 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 3750G-Outside
!
!
username xxx privilege 15 password 7 1446425A093C292325263430
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
ip subnet-zero
no ip domain-lookup
!
!
mls qos
!
!
!
!
no file verify auto
!
mac access-list extended mactraffic
 permit any any
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
class-map match-any TRAFFIC
 match access-group name mactraffic
!
!
policy-map p1
 class TRAFFIC
  police 2000000 8000 exceed-action drop
  trust cos
!
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Backup LAN
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
 description Backup-LAN
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport mode access
 service-policy input p1
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
 switchport mode access
 ip access-group deny-icmp in
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
 switchport mode access
 ip access-group deny-icmp in
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 1.2.3.4 255.255.255.224
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list standard TELNET_ACCESS
 remark Allow telnet to these IPs Only
 remark Allow Telnet for these hosts
 permit x.x.x.x
!
ip access-list extended deny-icmp
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny icmp any any
 permit ip any any
ip access-list extended mytraffic
 permit ip any any
!
no cdp run
!
control-plane
!
!
line con 0
 privilege level 15
 password 7 135447430E3407222A2A2F36
 logging synchronous
 login
line vty 0 4
 access-class TELNET_ACCESS in
 privilege level 15
 password 7 06575F7049760A110419150E
 login local
line vty 5 15
 password 7 06575F7049760A110419150E
 no login
!
end

I even created a MAC ACL and still nothing works.

____________

show policy-map int g1/0/12
 GigabitEthernet1/0/12
  Service-policy input: p1
    Class-map: TRAFFIC (match-any)
      0 packets, 0 bytes
      offered rate 0 bps, drop rate 0 bps
      Match: access-group name mactraffic
        0 packets, 0 bytes
        rate 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        rate 0 bps

I suggest a simpler solution. Implement Storm Control on the workstation port.

Storm control can control bandwidth on unicast, broadcast and multicast packets.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/cr/cli3.htm#wp2278213

Please rate this post if it helps.

Thanks
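
The two policers posted in this thread use the same rate (2000000 bps) but very different burst sizes (1000000 and 8000 bytes). The following is an added example, not code from any poster or from Cisco: a generic single-rate token-bucket model in Python that shows how each burst value changes the throughput measured over a short test versus a long one. The bucket starting full, the 1500-byte packets and the 100 Mbit/s offered load are assumptions made for the illustration.

```python
# Added illustration: generic single-rate token-bucket policer (not Cisco code).
# Assumptions: bucket starts full, constant 1500-byte packets, drop on exceed.

def police(packets, rate_bps, burst_bytes):
    """Police [(time_s, size_bytes), ...]; return (forwarded, dropped) bytes."""
    tokens = float(burst_bytes)      # bucket depth is counted in bytes
    last_t = 0.0
    forwarded = dropped = 0
    for t, size in packets:
        # Refill at rate_bps / 8 bytes per second, capped at the burst size.
        tokens = min(burst_bytes, tokens + (t - last_t) * rate_bps / 8)
        last_t = t
        if size <= tokens:           # conform: spend tokens and forward
            tokens -= size
            forwarded += size
        else:                        # exceed-action drop
            dropped += size
    return forwarded, dropped


def constant_stream(offered_bps, seconds, size=1500):
    """Constructed input: evenly spaced packets at a fixed offered load."""
    gap = size * 8 / offered_bps
    return [(i * gap, size) for i in range(int(seconds / gap))]


def measured_bps(seconds, rate_bps, burst_bytes, offered_bps=100_000_000):
    """Average forwarded rate seen by a test that runs for `seconds`."""
    stream = constant_stream(offered_bps, seconds)
    forwarded, _ = police(stream, rate_bps, burst_bytes)
    return forwarded * 8 / seconds


if __name__ == "__main__":
    for burst in (8000, 1000000):    # the two burst values used in the thread
        for seconds in (1, 30):
            rate = measured_bps(seconds, 2000000, burst)
            print(f"burst={burst:>7} B  test={seconds:>2} s  "
                  f"measured={rate / 1e6:.2f} Mbit/s")
```

In this model the 1000000-byte burst lets a one-second test measure close to 10 Mbit/s, while a 30-second test converges toward the configured 2 Mbit/s; the 8000-byte burst stays near 2 Mbit/s in both.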
