QoS on SVI in stack of 3750x

SergeBr
Level 1

Hello,

I have a stack of two 3750x switches.

I want to protect the stack's CPU from pinging.

I have the following settings:

class-map match-any ICMP_PORT_TE_1_1_2
match input-interface TenGigabitEthernet1/1/2

TenGigabitEthernet1/1/2 is the uplink.

 

class-map match-all ICMP_v4
match access-group name ACL_ICMPv4

 

policy-map ICMP_POLICY_CHILD_COPP

class ICMP_PORT_TE_1_1_2
police 100000 18000 exceed-action drop

 

policy-map POLICY_PARENT_COPP

class ICMP_v4
set precedence 0
service-policy ICMP_POLICY_CHILD_COPP

 

interface TenGigabitEthernet1/1/2
description -T-- #0000000 TRUNK TO SW1-MO-PUTIL-AGG Te1/1/1, MO,zaval (13.01.2017) ----
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 916,940,967,968,970,977,1124,1125
switchport mode trunk
switchport block unicast
srr-queue bandwidth share 10 70 15 5
srr-queue bandwidth shape 0 0 0 0
mls qos vlan-based
spanning-tree bpdufilter enable

 

interface Vlan1125
description ---Interface To SW1-MSK-074-CORE (Global Route Table)---
ip address 212.46.13.178 255.255.255.252
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 011C15145D3401032E4E71190C111E1E59
ip ospf network point-to-point
ip ospf dead-interval 3
ip ospf hello-interval 1
ip ospf mtu-ignore
service-policy input POLICY_PARENT_COPP

 

ip access-list extended ACL_ICMPv4
deny icmp 212.46.0.0 0.0.0.255 any
deny icmp 212.46.9.0 0.0.0.255 any
deny icmp 212.46.13.0 0.0.0.255 any
deny icmp 46.38.100.0 0.0.0.255 any
permit icmp any any

 

But the protection isn't working.

I'm pinging 212.46.13.178 from 46.38.120.1

The same settings work on an old 3750g.

Accepted Solution

I solved the problem.

My config is correct.

The problem was with IOS ver. 15.2(1)E2.

I upgraded the IOS to version 15.2(4)E5, and the protection was working.

5 Replies

SergeBr
Level 1

MLS is enabled...

 

SW1-MO-PUTIL2-AGG#sh mls qos
QoS is enabled

David Lee
Level 1

Your ACL is incorrect.

 

If you want to block ICMP from 46.38.120.1 you need to either add

 

deny icmp 46.38.120.0 0.0.0.255 any

 

OR

 

deny icmp 46.38.0.0 0.0.255.255 any

This one will block ICMP from 46.38.X.X subnets.

ip access-list extended ACL_ICMPv4
deny icmp 212.46.0.0 0.0.0.255 any
deny icmp 212.46.9.0 0.0.0.255 any
deny icmp 212.46.13.0 0.0.0.255 any
deny icmp 46.38.100.0 0.0.0.255 any     <<--- This will block only IP addresses 46.38.100.X
permit icmp any any

But the protection isn't working.

I'm pinging 212.46.13.178 from 46.38.120.1

Hello, David

 

For subnets 212.46.0.0/24, 212.46.9.0/24, 212.46.13.0/24 and 46.38.100.0/24, the protection must not work. For all other subnets, it must work.

But from 46.38.120.1 there is no protection.

From 212.46.9.1 there is no protection either.

There is no protection for any addresses.
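
An added example, not part of any post in this thread: a small Python model of how ACL_ICMPv4 classifies a ping source when the ACL is referenced from a class-map, where a permit entry places the packet in the policed class and a deny entry leaves it out of the class rather than dropping it. The function names, the two constructed test sources and the 100-byte frame size are assumptions made for illustration.

```python
import ipaddress

# ACL_ICMPv4 as posted in the thread: (action, network, wildcard mask)
ACL_ICMPV4 = [
    ("deny", "212.46.0.0", "0.0.0.255"),
    ("deny", "212.46.9.0", "0.0.0.255"),
    ("deny", "212.46.13.0", "0.0.0.255"),
    ("deny", "46.38.100.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # "permit icmp any any"
]

def ace_matches(src, network, wildcard):
    """Wildcard bits set to 1 are 'don't care'; every other bit must equal the network."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    src_bits = int(ipaddress.IPv4Address(src)) & care
    return src_bits == (int(ipaddress.IPv4Address(network)) & care)

def classify(src, acl=ACL_ICMPV4):
    """First matching entry wins: permit = in class ICMP_v4 (policed), deny = not in it."""
    for action, network, wildcard in acl:
        if ace_matches(src, network, wildcard):
            return "policed" if action == "permit" else "exempt"
    return "exempt"  # implicit deny at the end of the ACL: packet is not classified

def sustained_pps(rate_bps=100000, frame_bytes=100):
    """Rough packets per second under 'police 100000 ...'; frame_bytes is an assumed size."""
    return rate_bps // (frame_bytes * 8)

if __name__ == "__main__":
    # The first two sources come from the thread; the last two are constructed samples.
    for src in ("46.38.120.1", "212.46.9.1", "46.38.100.7", "198.51.100.10"):
        print(f"{src:15} -> {classify(src)}")
    print("approx. sustained rate:", sustained_pps(), "pps at 100-byte frames")
```

On the switch itself, the per-class counters in `show policy-map interface` are the place to confirm whether traffic is actually hitting the class.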
