Policing is not working

Unanswered Question
Sep 1st, 2006
Hi,

We have a 3550 switch with the following IOS information.

Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(19)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 09-Dec-03 03:21 by yenanh
Image text-base: 0x00003000, data-base: 0x0080DDAC

ROM: Bootstrap program is C3550 boot loader

IN_BLR_RT_L301 uptime is 1 year, 43 weeks, 1 day, 11 hours, 12 minutes
System returned to ROM by power-on
System restarted at 21:54:05 IST Tue Nov 2 2004
System image file is "flash:c3550-i5q3l2-mz.121-19.EA1a.bin"

cisco WS-C3550-48 (PowerPC) processor (revision E0) with 65526K/8192K bytes of memory.
Processor board ID CAT0636Y0SU
Last reset from warm-reset
Bridging software.
Running Layer2/3 Switching Image

Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface
Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface

48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

The password-recovery mechanism is enabled.
384K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0A:B7:D2:2F:00
Motherboard assembly number: 73-5701-06
Power supply part number: 34-0967-01
Motherboard serial number: CAT063401T1
Power supply serial number: DCA06341KTF
Model revision number: E0
Motherboard revision number: D0
Model number: WS-C3550-48-EMI
System serial number: CAT0636Y0SU
Configuration register is 0x10F


We implemented policing with the configuration below:


access-list 160 permit ip host 10.140.17.135 host 10.132.17.24
!
class-map match-any test1
  match access-group 160
!
policy-map test1
  class test1
    police 8000 8000 exceed-action drop
!
interface FastEthernet0/16
 switchport mode dynamic desirable
 no ip address
 service-policy input test1
!


We kept a continuous ping running from 10.140.17.135 to 10.132.17.24 with a 60000-byte payload.

After applying the policy-map to the interface, it is still pinging.

Is there a configuration problem, or is this not supported on our device?

Help required on this.


Regards

SKRAO



cisconoval Fri, 09/01/2006 - 02:46

Hi,

From your post, what I understood is that you want to block host 10.132.17.24 from accessing 10.140.17.135. Am I correct?

If so, you have used "permit" in your policy. Just change it to "deny". Also add "access-list 160 permit ip any any" at the end.

If you want to block only ping / ICMP, then use the following access-list:

access-list 160 deny icmp host 10.140.17.135 host 10.132.17.24

Hope it helps.




sivakondalarao Fri, 09/01/2006 - 03:05

Hi,

My requirement is not to block ICMP.

I just want to restrict it to a particular bandwidth.


Regards

SKRAO

jj-zhou Fri, 09/01/2006 - 02:52

I think perhaps you should enable ip cef.

rajinikanth Fri, 09/01/2006 - 02:55
User Badges:
  • Bronze, 100 points or more

Hi,


Your payload for ping is 60000 bytes, whereas the rate-bps argument of police is in bits per second (bps).

Syntax:

police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]

So you need to change your command; then it should work properly.

E.g.:

police 80000 8000 exceed-action drop

Hope this solves your problem.

Thanks
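To make the rate/burst discussion above concrete, here is an added example (not from this thread and not Cisco code): a token-bucket model of a single-rate policer of the `police rate-bps burst-byte exceed-action drop` form, fed the fragments of the test ping. The IPv4 and ICMP header sizes are standard; the 1500-byte MTU, the assumption that all fragments of one echo arrive back to back, and the one-echo-per-second interval are assumptions made for the model. The point it shows: a 60000-byte echo becomes 41 IP fragments (about 60.8 KB on the wire), every fragment is charged against the bucket, and an echo only succeeds if every fragment conforms, because the receiver cannot reassemble a partial datagram.

```python
"""Token-bucket model of a single-rate policer (police <rate-bps> <burst-byte>).

Added example, not from the original thread. Header sizes are standard
IPv4/ICMP; MTU, fragment timing and echo interval are assumptions.
"""
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header without options
ICMP_HDR = 8       # ICMP echo request/reply header
MTU = 1500         # assumed path MTU (Ethernet)


def icmp_echo_fragments(payload_bytes, mtu=MTU):
    """IP-layer sizes in bytes of the fragments one ICMP echo is split into.

    The ICMP header plus data is fragmented as one datagram; every fragment
    except the last carries a multiple of 8 data bytes (1480 for MTU 1500).
    """
    remaining = ICMP_HDR + payload_bytes
    per_frag = (mtu - IP_HDR) // 8 * 8
    sizes = []
    while remaining > 0:
        chunk = min(per_frag, remaining)
        sizes.append(IP_HDR + chunk)
        remaining -= chunk
    return sizes


@dataclass
class Policer:
    """One token bucket: holds at most burst_bytes, refilled at rate_bps."""
    rate_bps: int
    burst_bytes: int
    tokens: int = 0
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.burst_bytes      # bucket starts full

    def offer(self, size, now_ms):
        """True if a packet of `size` bytes arriving at now_ms conforms."""
        refill = (now_ms - self.last_ms) * self.rate_bps // 8000  # bytes
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False            # exceed-action drop


def police_ping(payload_bytes, rate_bps, burst_bytes, echoes=3, interval_ms=1000):
    """Send `echoes` pings, one per interval, through the policer.

    Assumption: the fragments of one echo arrive back to back, so fast that
    refill during the burst is ignored (all share one timestamp). An echo
    counts as reassembled only if every one of its fragments conformed.
    """
    pol = Policer(rate_bps, burst_bytes)
    frags = icmp_echo_fragments(payload_bytes)
    passed = dropped = reassembled = 0
    for i in range(echoes):
        verdicts = [pol.offer(size, i * interval_ms) for size in frags]
        passed += sum(verdicts)
        dropped += len(verdicts) - sum(verdicts)
        reassembled += all(verdicts)
    return {"fragments_per_echo": len(frags), "passed": passed,
            "dropped": dropped, "echoes_reassembled": reassembled}


if __name__ == "__main__":
    print("police 8000 8000    :", police_ping(60000, 8000, 8000))
    print("police 80000 8000   :", police_ping(60000, 80000, 8000))
    print("100-byte ping       :", police_ping(100, 8000, 8000))
    print("police 500000 64000 :", police_ping(60000, 500000, 64000))
```

With the thread's numbers (`police 8000 8000`) the model lets only the first five 1500-byte fragments of the first echo through and reassembles none of the three echoes; `police 80000 8000` refills faster but the 8000-byte bucket still cannot hold a 60.8 KB echo, so no echo gets through either, while a 100-byte ping conforms every time. Letting one 60000-byte echo per second through while still capping the flow needs a bucket of at least the echo's wire size and a rate of at least that size in bits per second (the last call, 500000 bps with a 64000-byte burst, does so). The practical conclusion for the original post is that if the policer were actually in force, the continuous 60000-byte ping could not succeed at either setting; when it keeps succeeding unchanged, verify the policer is active at all before tuning numbers. On the Catalyst 3550, QoS is disabled by default and an attached service-policy is not enforced until `mls qos` is configured globally; `show mls qos` reports the current state.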


cisconoval Fri, 09/01/2006 - 03:01

rajinikanth,

As per your explanation, it should not ping because of the excess payload. But sivakondalarao says he is still able to ping. Am I correct?



rajinikanth Fri, 09/01/2006 - 03:26
User Badges:
  • Bronze, 100 points or more

Yes! You are correct!

But he still wants to ping within the 8000 payload.

The access-list with icmp denies both echo reply and echo request.



rajinikanth Fri, 09/01/2006 - 03:54
User Badges:
  • Bronze, 100 points or more


First, is your Fa 0/16 an egress interface? If yes, then:

You cannot use the service-policy interface configuration command to attach policy maps that contain these elements to an egress interface:

- Access control list (ACL) classification.
- Per-port per-VLAN classification.


Thanks


rajinikanth Fri, 09/01/2006 - 04:11
User Badges:
  • Bronze, 100 points or more

!
policy-map test1
  class test1
    set ip dscp 10
    police 8000 8000 exceed-action drop
!

Instead of this:

!
class-map match-any test1
  match access-group 160
!

use this:

!
class-map match-any test1
  match ip dscp 10
!

Hope it works; tell me if it worked.
