RE: Policing on 3550 switch

From: Chris Lewis (chrlewis) (chrlewis@cisco.com)
Date: Wed Sep 14 2005 - 17:58:32 GMT-3


This is a good question and gets to the heart of how the 3550 operates
QoS, which does support egress policing on physical interfaces.

If like me you are more of a router person, the way the 3550 works is
painful for QoS, but that is not the proctor's problem :)

Now I would suggest you read
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swqos.htm
thoroughly, the answer is there.

If you want to shortcut a bit, read the first sentence of the section
on policing and marking; figure 29-4 is helpful too. The issue is with
how things are classified for the policer to work on, not the policing
configuration itself.

If you have trouble with this, I have given a solution that works (but
would be sub-optimal in most lab questions I think, but it illustrates
the problem and shows one way to solve it) at the end of this mail.

Chris

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ahmed Ossama
Sent: Wednesday, September 14, 2005 3:27 PM
To: ccielab@groupstudy.com
Subject: Policing on 3550 switch

        Dear All,
        Is there any way to police ICMP traffic on a switch out of a
certain interface or ingress on a VLAN?
        If I had a server that launches an ICMP attack and I want to limit it
on VLAN x, I didn't know the location of the server but I know the
output interface of the VLAN. So there are two possible solutions: police
the traffic out the interface or police it ingress to the VLAN.
         
        As far as I know, we can't apply policing on SVIs or on the
egress of the interface. Also, I tried to configure it and it gives me
an error as shown below:
         
        Switch(config-if)#service-policy out testi
        Switch(config-if)#
        2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
        2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
        Switch(config-if)#
        Switch(config-if)#
         
        Also in interface VLAN:
         
        Switch(config-if)#service-policy out testi
        Switch(config-if)#
        2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
        2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
        Switch(config-if)#
         
        I configured the policy map as mentioned below:
         
         
        Switch#show policy-map testi
         Policy Map testi
          class testi
           police 8000 8000 exceed-action drop
        Switch#show cl
        Switch#show cla
        Switch#show class-map testi
         Class Map match-all testi (id 4)
           Match access-group 101
        !
        Switch#show access-lists 101
        Extended IP access list 101
            permit icmp any any
        !
         
        Switch(config-if)#service-policy out testi
        Switch(config-if)#
        2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
        2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
        Switch(config-if)#
        Switch(config-if)#
         
         
        Thanks in advance,
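
One way to act on the classification hint in the reply above, as an added example that is not part of the original thread and is not the solution the reply refers to. It assumes the 3550 accepts only DSCP-based classification in an egress policy map, so ICMP is tagged with a DSCP value on ingress and policed on that value on egress; the class and policy names, the interface numbers and DSCP value 10 are hypothetical.

```cisco
! Added example; names, ports and the DSCP value are assumptions.
mls qos
!
access-list 101 permit icmp any any
!
! Ingress: ACL classification is accepted here, so tag ICMP with a DSCP
! value that nothing else in the network uses (10 is a placeholder).
class-map match-all icmp-in
 match access-group 101
policy-map mark-icmp
 class icmp-in
  set ip dscp 10
!
! Egress: classify on the DSCP set above instead of on the ACL.
class-map match-all icmp-out
 match ip dscp 10
policy-map police-icmp-out
 class icmp-out
  police 8000 8000 exceed-action drop
!
! The source port is unknown, so apply the marking policy on every
! port where VLAN x traffic can enter the switch.
interface FastEthernet0/1
 service-policy input mark-icmp
!
! Apply the policer on the known output interface.
interface FastEthernet0/24
 service-policy output police-icmp-out
```

Any other traffic that already carries the chosen DSCP value shares the same 8000 bps policer, and the ICMP packets keep that marking after they leave the switch unless it is rewritten downstream.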


