Policing is not working

sivakondalarao
Level 1

Hi,

We have 3550 switch with following IOS information.

Cisco Internetwork Operating System Software

IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(19)EA1a, RELEASE SOFTWARE

(fc1)

Copyright (c) 1986-2003 by cisco Systems, Inc.

Compiled Tue 09-Dec-03 03:21 by yenanh

Image text-base: 0x00003000, data-base: 0x0080DDAC

ROM: Bootstrap program is C3550 boot loader

IN_BLR_RT_L301 uptime is 1 year, 43 weeks, 1 day, 11 hours, 12 minutes

System returned to ROM by power-on

System restarted at 21:54:05 IST Tue Nov 2 2004

System image file is "flash:c3550-i5q3l2-mz.121-19.EA1a.bin"

cisco WS-C3550-48 (PowerPC) processor (revision E0) with 65526K/8192K bytes of memory.

Processor board ID CAT0636Y0SU

Last reset from warm-reset

Bridging software.

Running Layer2/3 Switching Image

Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface

Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface

48 FastEthernet/IEEE 802.3 interface(s)

2 Gigabit Ethernet/IEEE 802.3 interface(s)

The password-recovery mechanism is enabled.

384K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 00:0A:B7:D2:2F:00

Motherboard assembly number: 73-5701-06

Power supply part number: 34-0967-01

Motherboard serial number: CAT063401T1

Power supply serial number: DCA06341KTF

Model revision number: E0

Motherboard revision number: D0

Model number: WS-C3550-48-EMI

System serial number: CAT0636Y0SU

Configuration register is 0x10F

We implemented policing with below configuration:

access-list 160 permit ip host 10.140.17.135 host 10.132.17.24

!

class-map match-any test1

match access-group 160

!

!

policy-map test1

class test1

police 8000 8000 exceed-action drop

!

interface FastEthernet0/16

switchport mode dynamic desirable

no ip address

service-policy input test1

!

We kept a continuous ping running to 10.132.17.24 from 10.140.17.135 with a payload of 60000 bytes.

Even after applying the policy-map to the interface, it is still pinging.

Is there a configuration problem, or is this not supported on our device?

Need help with this.

Regards

SKRAO

9 Replies

cisconoval
Level 1

Hi,

From your post, what I understood is that you want to block the host 10.132.17.24 from accessing 10.140.17.135. Am I correct?

If so, you had mentioned "permit" in your policy. Just change it to "deny". Also add "access-list 160 permit ip any any" at the end.

If you want to block only the ping / ICMP, then use the following access-list:

access-list 160 deny icmp host 10.140.17.135 host 10.132.17.24

Hope it will help you.

Hi,

My requirement is not to block the ICMP.

I just want to restrict it to a particular bandwidth.

Regards

SKRAO

jj-zhou
Level 1

I think perhaps you should enable ip cef.

rajinikanth
Level 3

Hi,

Your payload for ping is 60000 bytes,

whereas the rate-bps argument of police is in bits per second (bps).

Syntax:

police [exceed-action {drop | policed-dscp-transmit}]

So you need to change your command; then it should work properly.

Eg:

police 80000 8000 exceed-action drop

Hope this solves your problem

Thanks
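The point about units above (rate in bits per second, burst in bytes) is easier to reason about with a small token-bucket model of the policer. The block below is added here as an illustration; it is not code from anyone in this thread and it is a simplified single-bucket model, not the 3550's hardware policer. It assumes a 1500-byte MTU, an 8-byte ICMP header on top of the 60000-byte payload, and that all fragments of one echo request reach the policer at the same instant; the 1-second ping interval is also an assumption. It compares the thread's `police 8000 8000` with the suggested `police 80000 8000` and shows, per echo request, how many of the 41 IP fragments conform. A fragmented datagram is only useful if every fragment arrives for reassembly, so a request counts as surviving only when all of its fragments are transmitted. Separately, on the 3550 platform a configured policer takes effect only once QoS has been enabled globally with `mls qos` (check with `show mls qos`), which is worth confirming before reading anything into ping results.

```python
from fractions import Fraction


def ip_fragments(ip_payload_len, mtu=1500, ip_header=20):
    """Split an IP payload of the given length into on-the-wire fragment sizes.

    Fragment data lengths are multiples of 8 bytes, as the IP fragment-offset
    field requires, and every fragment carries its own IP header.  This is a
    constructed model of fragmentation, not a packet capture.
    """
    per_frag = (mtu - ip_header) // 8 * 8
    sizes, remaining = [], ip_payload_len
    while remaining > 0:
        data = min(per_frag, remaining)
        sizes.append(data + ip_header)
        remaining -= data
    return sizes


class Policer:
    """Single token bucket in the style of `police <rate-bps> <burst-bytes> exceed-action drop`.

    Tokens are bytes.  The bucket refills at rate_bps/8 bytes per second and is
    capped at burst_bytes; a packet conforms only if the bucket holds at least
    its size.  Fraction arithmetic keeps the refill exact (no float edge cases).
    """

    def __init__(self, rate_bps, burst_bytes):
        self.rate = Fraction(rate_bps, 8)      # bytes per second
        self.burst = Fraction(burst_bytes)
        self.tokens = Fraction(burst_bytes)    # bucket starts full
        self.clock = Fraction(0)

    def offer(self, t, size):
        t = Fraction(t)
        self.tokens = min(self.burst, self.tokens + (t - self.clock) * self.rate)
        self.clock = t
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return "drop"


def police_pings(rate_bps, burst_bytes, fragment_sizes, ping_count, interval=1):
    """Offer `ping_count` fragmented echo requests, one every `interval` seconds.

    All fragments of a request are offered at the same instant (assumption).
    Returns, per request, how many of its fragments were transmitted.
    """
    policer = Policer(rate_bps, burst_bytes)
    transmitted = []
    for n in range(ping_count):
        t = n * interval
        transmitted.append(sum(policer.offer(t, s) == "transmit" for s in fragment_sizes))
    return transmitted


def echo_survives(rate_bps, burst_bytes, fragment_sizes, ping_count, interval=1):
    """True per request only if every fragment got through, since the receiver
    cannot reassemble (and so cannot answer) a partial datagram."""
    total = len(fragment_sizes)
    return [n == total for n in police_pings(rate_bps, burst_bytes, fragment_sizes, ping_count, interval)]


if __name__ == "__main__":
    frags = ip_fragments(60000 + 8)   # 60000-byte ICMP data plus 8-byte ICMP header
    print(len(frags), "fragments totalling", sum(frags), "bytes on the wire")
    for rate, burst in ((8000, 8000), (80000, 8000)):
        print(f"police {rate} {burst}: fragments transmitted per request:",
              police_pings(rate, burst, frags, 6),
              "request survives:", echo_survives(rate, burst, frags, 6))
```

The burst value in bytes bounds how much of a single request can pass (8000 bytes is about five 1500-byte fragments), while the rate only sets how fast the bucket refills between requests. In this model neither configuration lets a complete 60000-byte echo request through, so if such pings keep succeeding unchanged after the service-policy is attached, the policer is most likely not being applied to the traffic at all rather than being too generous.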

rajinikanth,

As per your context it should not be pinging because of the excess payload. But sivakondalarao says he is still able to ping? Am I correct?

Yes! You're correct!

But he still wants to ping with the 8000 payload.

The access-list with icmp denies both echo reply and request.

yes you are right

Regards

SKRAO

rajinikanth
Level 3

First, is your Fa 0/16 an egress interface? If yes, then:

You cannot use the service-policy interface configuration command to attach policy maps that contain these elements to an egress interface:

Access control list (ACL) classification.

Per-port per-VLAN classification.

Thanks

rajinikanth
Level 3

!

policy-map test1

class test1

set ip dscp 10

police 8000 8000 exceed-action drop

!

Instead of this command:

!

class-map match-any test1

match access-group 160

!

Use this:

!

class-map match-any test1

match ip dscp 10

!

Hope it works, tell me if it worked.
