
Catalyst 4500X output policing on etherchannel - matching but not enforcing

David Williams
Level 1

I was hoping to get some assistance on some strange behavior that I'm seeing. I put the config and show commands at the bottom.  The policy map appears to be matching traffic for transmit, exceed, and violate but it appears to be allowing everything and not dropping the exceed or violate traffic.  Google is usually my friend but in this case I have had little luck and tried many things, mostly specific to the 4500E and not the X.

 

ip access-list extended match_acl
 deny   ip host 1.1.1.1 192.168.0.0 0.0.255.255
 deny   ip host 1.1.1.1 172.16.0.0 0.15.255.255
 deny   ip host 1.1.1.1 10.0.0.0 0.255.255.255
 permit ip host 1.1.1.1 any
 
 
class-map match-any match_acl
 match access-group name match_acl

policy-map Police_Traffic
 class match_acl
  police cir 150000000
   conform-action transmit
   exceed-action drop
   violate-action drop
 class class-default

 
interface Port-channel77
 switchport
 switchport trunk allowed vlan 2,3,4
 switchport mode trunk
 load-interval 30
 service-policy output Police_Traffic

 
 
 Port-channel77

  Service-policy output: Police_Traffic

    Class-map: match_acl (match-any)
      1939890225 packets
      Match: access-group name match_acl
        1370047716 packets
      police:
          cir 150000000 bps, bc 4687500 bytes, be 4687500 bytes
        conformed 2565706880607 bytes; actions:
          transmit
        exceeded 34762228045 bytes; actions:
          drop
        violated 231329471116 bytes; actions:
          drop
        conformed 97597000 bps, exceeded 2000 bps, violated 16214000 bps

    Class-map: class-default (match-any)
      24366816045 packets
      Match: any