09-01-2006 02:14 AM - edited 03-03-2019 01:50 PM
Hi,
We have 3550 switch with following IOS information.
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(19)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 09-Dec-03 03:21 by yenanh
Image text-base: 0x00003000, data-base: 0x0080DDAC
ROM: Bootstrap program is C3550 boot loader
IN_BLR_RT_L301 uptime is 1 year, 43 weeks, 1 day, 11 hours, 12 minutes
System returned to ROM by power-on
System restarted at 21:54:05 IST Tue Nov 2 2004
System image file is "flash:c3550-i5q3l2-mz.121-19.EA1a.bin"
cisco WS-C3550-48 (PowerPC) processor (revision E0) with 65526K/8192K bytes of memory.
Processor board ID CAT0636Y0SU
Last reset from warm-reset
Bridging software.
Running Layer2/3 Switching Image
Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface
Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
The password-recovery mechanism is enabled.
384K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0A:B7:D2:2F:00
Motherboard assembly number: 73-5701-06
Power supply part number: 34-0967-01
Motherboard serial number: CAT063401T1
Power supply serial number: DCA06341KTF
Model revision number: E0
Motherboard revision number: D0
Model number: WS-C3550-48-EMI
System serial number: CAT0636Y0SU
Configuration register is 0x10F
We implemented policing with the configuration below:
access-list 160 permit ip host 10.140.17.135 host 10.132.17.24
!
class-map match-any test1
match access-group 160
!
!
policy-map test1
class test1
police 8000 8000 exceed-action drop
!
interface FastEthernet0/16
switchport mode dynamic desirable
no ip address
service-policy input test1
!
We kept a continuous ping running to 10.132.17.24 from 10.140.17.135 with a payload of 60000 bytes.
Even after applying the policy-map to the interface, it is still pinging.
Is there a configuration problem, or is this not supported on our device?
Help required with this.
Regards
SKRAO
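Added example, not part of the thread and not Cisco code: a simplified single-rate token-bucket model of `police 8000 8000 exceed-action drop` (8000 bps, 8000-byte burst) applied to one ping with a 60000-byte payload. It assumes a 1500-byte MTU, 20-byte IP headers, fragments arriving back-to-back at 100 Mb/s and a bucket that starts full; the function names are hypothetical and the switch's actual policer hardware is not modelled.

```python
IP_HDR = 20             # bytes, IP header without options (assumption)
ICMP_HDR = 8            # bytes, ICMP echo header
SCALE = 8 * 1_000_000   # tokens are kept in bit-microseconds so the maths stays integer


def ping_fragments(payload, start_us=0, mtu=1500, link_bps=100_000_000):
    """Return [(arrival_us, ip_bytes)] for one echo request fragmented to fit the MTU."""
    data = payload + ICMP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8      # fragment data is a multiple of 8 bytes
    frags, t = [], start_us
    while data > 0:
        chunk = min(per_frag, data)
        size = chunk + IP_HDR
        frags.append((t, size))
        t += size * SCALE // link_bps       # next fragment follows at line rate
        data -= chunk
    return frags


def police(packets, rate_bps, burst_bytes):
    """Single-rate token bucket: True = conform (forward), False = exceed (drop)."""
    cap = burst_bytes * SCALE
    tokens, last = cap, None                # bucket starts full (assumption)
    verdicts = []
    for t, size in packets:
        if last is not None:
            tokens = min(cap, tokens + rate_bps * (t - last))   # refill since last packet
        last = t
        cost = size * SCALE
        if cost <= tokens:
            tokens -= cost
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


def summary(payload, rate_bps, burst_bytes):
    """Return (conforming fragments, total fragments) for one ping."""
    frags = ping_fragments(payload)
    return sum(police(frags, rate_bps, burst_bytes)), len(frags)


if __name__ == "__main__":
    for payload in (56, 60000):             # constructed sample payload sizes
        ok, total = summary(payload, 8000, 8000)
        print(f"payload {payload}: {ok}/{total} fragments conform")
```

In this model only the first 5 of the 41 fragments conform, so a 60000-byte echo request cannot be reassembled at the destination, while a single small ping fits inside the burst.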
09-01-2006 02:46 AM
Hi,
From your post, what I understood is that you want to block the host 10.132.17.24 by accessing the 10.140.17.135. Am I correct?
If so, you had mentioned "permit" in your policy. Just change it to "deny". Also give "access-list 160 permit ip any any" at the end.
If you want to block only the ping / ICMP, then give the following access-list:
access-list 160 deny icmp host 10.140.17.135 host 10.132.17.24
Hope it will help you.
09-01-2006 03:05 AM
Hi,
My requirement is not to block the ICMP.
I just wanted to restrict it to a particular bandwidth.
Regards
SKRAO
09-01-2006 02:52 AM
I think perhaps you should enable ip cef.
09-01-2006 02:55 AM
Hi,
Your payload for the ping is 60000 bytes,
whereas rate-bps in the police syntax is in bits per second (bps).
Syntax:
police
So you need to change your command; then it should work properly.
E.g.:
police 80000 8000 exceed-action drop
Hope this solves your problem.
Thanks
09-01-2006 03:01 AM
rajinikanth,
As per your context, it should not ping because of the exceeded payload. But sivakondalarao says he is still able to ping? Am I correct?
09-01-2006 03:26 AM
Yes! You're correct!
But he still wants to ping with 8000 payload.
The access-list with icmp denies both echo reply and request.
09-01-2006 03:43 AM
Yes, you are right.
Regards
SKRAO
09-01-2006 03:54 AM
First, is your Fa 0/16 an egress interface? If yes, then:
You cannot use the service-policy interface configuration command to attach policy maps that contain these elements to an egress interface:
Access control list (ACL) classification.
Per-port per-VLAN classification.
Thanks
09-01-2006 04:11 AM
!
policy-map test1
class test1
set ip dscp 10
police 8000 8000 exceed-action drop
!
Instead of this command
!
class-map match-any test1
match access-group 160
!
Use this
!
class-map match-any test1
match ip dscp 10
!
Hope it works, tell me if it worked.