Re: 3550 policing

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Wed Jul 11 2007 - 17:49:07 ART

• Next message: Antonio Soares: "RE: 3550 policing"
• Previous message: bmckenzie@hotmail.com: "Re: OT - 40 dollar pizza - home rack food."
• Maybe in reply to: Carlos G Mendioroz: "3550 policing"
• Next in thread: Antonio Soares: "RE: 3550 policing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hmm, this is a 12.1(22)EA2, 3550-24.

!
class-map match-all calabozoout
  match access-group 120
!
!
policy-map pol-me-out
  class calabozoout
    police 256000 8000 exceed-action drop

interface FastEthernet0/11
 description Layer 3 interface to Vlan 3
 no switchport
 ip address X.X.X.X 255.255.240.0
 ip access-group 111 in
 ip access-group 130 out
 no ip redirects
 ip wccp web-cache redirect in
 ip route-cache flow
 no ip mroute-cache
 standby ip X.X.X.X
 standby ip X.X.X.X secondary
 standby priority 120
 standby preempt
 service-policy input pol-me-out

Actually, this try was with a L3 int.
Some docs suggest that you should be trusting some kind of QoQ marking
for it to work. I'll play with that traffic permiting (this is a live
switch)

-Carlos

James MacDonald @ 11/07/2007 17:36 -0300 dixit:
> Can you post your configuration? I've found in the past in 12.1(19)EA1
> code on 3550-12T's you seem to need to match the vlan first then the IP
> in a separate class-map ... have no clue why. Subsequent testing seems
> to indicate you can do it with a single class-map match just the ip
> access-list ... you could simply be running into a bug.
>
> ------------------------------
> Jim MacDonald
> j4m3sm63@yahoo.ca
> ------------------------------
>
>
> ----- Original Message ----
> From: Carlos G Mendioroz <tron@huapi.ba.ar>
> To: ccielab@groupstudy.com
> Sent: Wednesday, July 11, 2007 3:33:31 PM
> Subject: 3550 policing
>
> I'm trying to apply some rate limits to some traffic that
> goes across a 3550.
>
> Reading 3550 features, it's kind of clear that you should be able
> to do that using MQC, using classes with only one match.
> There are some restrictions, but it seems that 1 access group
> based class (ip access list) with a police statement, applied
> to an port in the ingress direction.
>
> But it's not working. mls qos enabled, the policy is accepted, but
> no traffic gets dropped. Actually, a show policy interface shows 0
> packets conforming to the class, but I know that is not the case.
> It seems I'm missing something...
>
> Any ideas ?
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> ------------------------------------------------------------------------
> Ask a question on any topic and get answers from real people. *Go to
> Yahoo! Answers.* <http://ca.answers.yahoo.com>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina

• Next message: Antonio Soares: "RE: 3550 policing"
• Previous message: bmckenzie@hotmail.com: "Re: OT - 40 dollar pizza - home rack food."
• Maybe in reply to: Carlos G Mendioroz: "3550 policing"
• Next in thread: Antonio Soares: "RE: 3550 policing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART