We have a Catalyst 3560 that connects to a metro E circuit. It also has 1 uplink into each of our core L3 switches. All ports are layer 2.
We are trying to police bandwidth on a per-client basis. We have set up the following, but it doesn't seem to be working. We're seeing clients spike above the limits we have configured. Any ideas?
class-map match-any ClientA_CM
 match access-group 109
class-map match-any ClientB_CM
 match access-group 105
police 5000000 48000 exceed-action drop
police 3000000 24000 exceed-action drop
access-list 105 permit ip any 209.X.X.120 0.0.0.7
access-list 105 permit ip 209.X.X.120 0.0.0.7 any
access-list 110 permit ip any 66.X.X.160 0.0.0.2
access-list 110 permit ip 66.X.X.160 0.0.0.2 any
Then, we have this applied on both the metro E interface and the 2 uplinks to our core L3 switches:
service-policy input Rate_Limit_Clients
Here is the VLAN interface on our core for the client we're trying to rate-limit:
ip address 66.X.X.162 255.255.255.252
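An added example, not part of the original post: a small Python consistency check over the class-map and access-list lines as posted, reporting class-maps that reference an access list with no entries, access lists no class-map references, and wildcard masks that do not cover a contiguous block. The function names and report keys are illustrative, and the parser assumes only the `permit ip` entry form shown in the post.

```python
# Constructed input: the class-map and access-list lines as posted (addresses masked with X).
POSTED_CONFIG = """\
class-map match-any ClientA_CM
match access-group 109
class-map match-any ClientB_CM
match access-group 105
access-list 105 permit ip any 209.X.X.120 0.0.0.7
access-list 105 permit ip 209.X.X.120 0.0.0.7 any
access-list 110 permit ip any 66.X.X.160 0.0.0.2
access-list 110 permit ip 66.X.X.160 0.0.0.2 any
"""

def wildcard_is_contiguous(mask):
    """True when the wildcard's set bits are all trailing (0.0.0.3, 0.0.0.7, ...)."""
    value = 0
    for octet in mask.split("."):
        value = (value << 8) | int(octet)
    return value & (value + 1) == 0

def acl_wildcards(tokens):
    """Yield the wildcard of each 'address wildcard' pair in the src/dst tokens."""
    i = 0
    while i < len(tokens):
        if tokens[i] == "any":
            i += 1
        elif tokens[i] == "host":
            i += 2
        else:
            yield from tokens[i + 1:i + 2]
            i += 2

def lint(config):
    """Assumption: ACL entries look like 'access-list N permit|deny ip <src> <dst>'."""
    referenced, defined, odd_masks, current = {}, set(), {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["class-map"]:
            current = words[-1]
        elif words[:2] == ["match", "access-group"] and current:
            referenced.setdefault(int(words[2]), []).append(current)
        elif words[:1] == ["access-list"]:
            number = int(words[1])
            defined.add(number)
            for mask in acl_wildcards(words[4:]):  # skip 'access-list N permit ip'
                if not wildcard_is_contiguous(mask):
                    odd_masks.setdefault(number, set()).add(mask)
    return {
        "undefined": {n: c for n, c in referenced.items() if n not in defined},
        "unreferenced": sorted(defined - set(referenced)),
        "noncontiguous": {n: sorted(m) for n, m in odd_masks.items()},
    }
```

On the posted lines, `lint(POSTED_CONFIG)` reports access-group 109 as undefined, access list 110 as unreferenced, and 0.0.0.2 as a non-contiguous wildcard.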