10-20-2011 11:49 PM - edited 03-07-2019 02:57 AM
Hey all,
I am using a Cisco 3560 as a distribution switch and want to limit port 445 traffic to 1 MB. I applied a rate-limit statement on the Gi0/1 port, but the switch is unable to limit said traffic.
Here below is my scenario.
access-list 120 permit tcp any any eq 445 log
access-list 120 permit tcp any eq 445 any log
Gi0/1
rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop
But it's not working. Kindly guide me on this issue as it is very critical to me.
10-25-2011 04:20 AM
Hi Arshad,
"service-policy output" is not supported on physical interfaces in 3560/3750 due to an ASIC limitation. You can use it under a VLAN using hierarchical QoS maps. However, it might be a bit of an admin task here as you have 64 VLANs. It would mean that you need to apply it to each VLAN and use "mls qos vlan-based" on the trunk interface as well.
access-list 120 permit tcp any any eq 445 log
access-list 120 permit tcp any eq 445 any log
Gi0/1
rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop
what happens when you change that to rate-limit input?
Also, can you please paste in the output of "sh interface gi0/1 rate-limit"? I would like to see what actually happens.
There are some restrictions with these classic switches, 3560/3750.
If push comes to shove then apply it to all the VLANs. You can write a script to do that or go for a Metro E switch. Also, what's connected to this port on the other side? Maybe you can police the traffic on that device for incoming traffic.
Edit: you can also downgrade to a 3550 if you like.
HTH
Regards,
Kishore
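Kishore's suggestion to script the per-VLAN configuration, as an added example (not Kishore's, Arshad's, or Cisco's code): a small Python generator that emits the hierarchical VLAN-based policing layout for a 3560/3750, where a VLAN-level policy map hands off to a port-level policy map that matches the physical ingress ports with "match input-interface" and carries the policer. The class-map and policy-map names SMB-445, SMB-PORTS, SMB-PORT-POLICE and SMB-VLAN-POLICE are assumed; ACL 140 and the police values are the ones from the thread. Check the generated syntax against the QoS configuration guide for the IOS release actually running before pasting it in.

```python
"""Generate per-VLAN SMB (TCP/445) policing for a Catalyst 3560/3750.

Added example, not from the thread. Class-map and policy-map names are
hypothetical; ACL 140 and the police parameters are the ones posted above.
"""

SMB_ACL = 140
RATE_BPS = 1_024_000     # average rate from the thread's police statement
BURST_BYTES = 128_000    # normal burst from the thread's police statement


def build_acl(acl_number=SMB_ACL):
    """Bidirectional TCP/445 match as posted in the thread (without 'log',
    which plays no part in classification)."""
    return [
        f"access-list {acl_number} permit tcp any any eq 445",
        f"access-list {acl_number} permit tcp any eq 445 any",
    ]


def build_vlan_policing_config(vlan_ids, trunk_ports,
                               acl_number=SMB_ACL,
                               rate_bps=RATE_BPS,
                               burst_bytes=BURST_BYTES):
    """Return the IOS configuration as one string.

    vlan_ids    - VLAN IDs whose SVIs get the VLAN-level service policy
    trunk_ports - physical ports (e.g. "GigabitEthernet0/1") carrying those
                  VLANs; they get "mls qos vlan-based" and are listed in the
                  port-level class-map
    """
    vlan_ids = list(vlan_ids)
    if not vlan_ids or not trunk_ports:
        raise ValueError("need at least one VLAN and one trunk port")
    if len(trunk_ports) > 6:
        raise ValueError("match input-interface accepts at most six entries")

    lines = ["mls qos"]
    lines += build_acl(acl_number)

    # VLAN-level (parent) class: which traffic is subject to the policer
    lines += ["class-map match-all SMB-445",
              f" match access-group {acl_number}"]
    # Port-level (child) class: where that traffic enters the switch
    lines += ["class-map match-all SMB-PORTS",
              " match input-interface " + " ".join(trunk_ports)]

    # Child policy map carries the actual policer
    lines += ["policy-map SMB-PORT-POLICE",
              " class SMB-PORTS",
              f"  police {rate_bps} {burst_bytes} exceed-action drop"]
    # Parent policy map ties the traffic class to the child policy
    lines += ["policy-map SMB-VLAN-POLICE",
              " class SMB-445",
              "  service-policy SMB-PORT-POLICE"]

    # Trunk ports must be switched to VLAN-based QoS or the SVI policy is ignored
    for port in trunk_ports:
        lines += [f"interface {port}", " mls qos vlan-based"]

    # One stanza per VLAN; this is the part worth scripting for 64 VLANs
    for vlan in vlan_ids:
        lines += [f"interface Vlan{vlan}",
                  " service-policy input SMB-VLAN-POLICE"]

    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_vlan_policing_config(range(100, 164), ["GigabitEthernet0/1"]))
```

Running the module prints a configuration for 64 VLANs (100 to 163) on one trunk; the two raises catch the cases where nothing would actually be policed (no VLANs, no ports) or where the port list would exceed what "match input-interface" accepts.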
10-29-2011 01:13 AM
Now I have applied the below-mentioned configuration on the distribution switch and core switch, which are connected to each other via the G0/1 and G0/2 ports, and found no error this time; however, the configuration is working fine on the distribution switch but not working on the core switch.
Distribution Switch Configuration
access-list 140 permit tcp any any eq 445 log
access-list 140 permit tcp any eq 445 any log
class-map test
match access-group 140
policy-map test
class test
police 1024000 128000 exceed-action drop
int range gi0/1-2
service-policy input test
Core Switch Configuration
access-list 140 permit tcp any any eq 445 log
access-list 140 permit tcp any eq 445 any log
class-map test
match access-group 140
policy-map test
class test
police 1024000 128000 exceed-action drop
int range gi1/0/1-2
service-policy input test
Regards,
Arshad Ahmed
10-29-2011 04:08 AM
Hi Kishore,
The traffic originating on the core is finely policed on the input queue of the distribution switch, meaning the policy is working fine on the distribution switch, but traffic originating from the distribution switch needs to be policed on the input queue of the core switch, which is not working.
I'm attaching a diagram for your understanding.
Regards,
Arshad Ahmed
10-29-2011 06:38 AM
Sorry Arshad, I was reading another post and got mixed up. I see what you mean. Policing on the core is not working, right? What does "sh ip access-lists" show? Does it show any hits? What model switch are you using?
10-31-2011 02:24 AM
Hi Kishore,
There are no hits on the access list, and the model number of the core switch is as under.
Model and IOS version of core switch is as under:
Model number: WS-C3750G-24T-E
SW Image: C3750-IPSERVICESK9-M
SW version: 12.2(50)SE3
Regards,
Arshad Ahmed
10-31-2011 05:06 PM
Hi Arshad,
Interesting. How about this? Can I suggest you add the following to the existing ACL:
access-list 140 permit icmp < ipaddress on distribution switch>
Send some pings across from the distribution switch to the core switch and see if you get any hits.
What I am trying to see is if the ACLs are working and traffic is indeed being matched, because if the traffic doesn't get matched then your policy-map won't work.
HTH
Kishore
10-29-2011 02:46 AM
Hi Kishore,
I also applied a rate limit on the VLAN interface in both the incoming and outgoing direction, as follows.
Extended IP access list 140
10 permit tcp any any eq 445 time-range SSH-Data-Transfer (active)
20 permit tcp any eq 445 any time-range SSH-Data-Transfer (active)
30 permit tcp any any eq 139 time-range SSH-Data-Transfer (active)
40 permit tcp any eq 139 any time-range SSH-Data-Transfer (active)
50 permit tcp any any eq 22 time-range SSH-Data-Transfer (active)
60 permit tcp any eq 22 any time-range SSH-Data-Transfer (active)
interface Vlan300
ip address 172.18.1.1 255.255.255.0
rate-limit output access-group 140 2048000 256000 256000 conform-action transmit exceed-action drop
sh interfaces vlan 300 rate-limit
Vlan300
Output
matches: access-group 140
params: 2048000 bps, 256000 limit, 256000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 4013622527ms ago, current burst: 0 bytes
last cleared 00:11:20 ago, conformed 0 bps, exceeded 0 bps
But as shown in the bold section, the packets are not matched.
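One way to read the counters Kishore asked for without eyeballing them, as an added example that is not part of the thread: a small parser for "sh interfaces ... rate-limit" output that pulls out the policer parameters and the conformed/exceeded counters, and a verdict function that separates "the ACL never matched anything" (the case above, where both counters are zero) from "matching but never over the rate" and "matching and dropping". The first sample is the output Arshad posted; the second is constructed to show what a working policer looks like.

```python
import re

# Sample input: the "sh interfaces vlan 300 rate-limit" output posted in the thread
SAMPLE_NO_HITS = """\
Vlan300
  Output
    matches: access-group 140
      params: 2048000 bps, 256000 limit, 256000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 4013622527ms ago, current burst: 0 bytes
      last cleared 00:11:20 ago, conformed 0 bps, exceeded 0 bps
"""

# Constructed sample of a policer that matches and drops (counter values invented)
SAMPLE_DROPPING = """\
Vlan300
  Input
    matches: access-group 140
      params: 2048000 bps, 256000 limit, 256000 extended limit
      conformed 1203 packets, 1804500 bytes; action: transmit
      exceeded 57 packets, 85500 bytes; action: drop
      last packet: 12ms ago, current burst: 0 bytes
      last cleared 00:02:10 ago, conformed 110000 bps, exceeded 5000 bps
"""

DIRECTION_RE = re.compile(r"^\s*(Input|Output)\s*$")
MATCH_RE = re.compile(r"matches:\s+access-group\s+(\d+)")
PARAMS_RE = re.compile(r"params:\s+(\d+) bps, (\d+) limit, (\d+) extended limit")
CONFORMED_RE = re.compile(r"conformed (\d+) packets, (\d+) bytes; action: (\S+)")
EXCEEDED_RE = re.compile(r"exceeded (\d+) packets, (\d+) bytes; action: (\S+)")


def parse_rate_limit(text):
    """Parse rate-limit show output into one dict per policer."""
    policers = []
    direction = None
    current = None
    for line in text.splitlines():
        m = DIRECTION_RE.match(line)
        if m:                      # "Input" / "Output" header for the next policers
            direction = m.group(1)
            continue
        m = MATCH_RE.search(line)
        if m:                      # a new policer block starts at "matches:"
            current = {"direction": direction, "acl": int(m.group(1))}
            policers.append(current)
            continue
        if current is None:
            continue
        m = PARAMS_RE.search(line)
        if m:
            current["rate_bps"] = int(m.group(1))
            current["burst"] = int(m.group(2))
            current["extended_burst"] = int(m.group(3))
            continue
        m = CONFORMED_RE.search(line)   # the "conformed N bps" summary line does not match
        if m:
            current["conformed_pkts"] = int(m.group(1))
            current["conformed_bytes"] = int(m.group(2))
            current["conform_action"] = m.group(3)
            continue
        m = EXCEEDED_RE.search(line)
        if m:
            current["exceeded_pkts"] = int(m.group(1))
            current["exceeded_bytes"] = int(m.group(2))
            current["exceed_action"] = m.group(3)
    return policers


def diagnose(policer):
    """Classify what the counters say about a policer."""
    conformed = policer.get("conformed_pkts", 0)
    exceeded = policer.get("exceeded_pkts", 0)
    if conformed == 0 and exceeded == 0:
        return "no-match"      # ACL never matched: a classification problem, not a rate problem
    if exceeded == 0:
        return "under-limit"   # matching, but the traffic never exceeded the configured rate
    return "policing"          # matching and dropping the excess


def report(text):
    """Return (direction, acl, verdict) for every policer in the output."""
    return [(p["direction"], p["acl"], diagnose(p)) for p in parse_rate_limit(text)]


if __name__ == "__main__":
    for sample in (SAMPLE_NO_HITS, SAMPLE_DROPPING):
        print(report(sample))
```

A "no-match" verdict with a zero hit count on "sh ip access-lists" points at classification (the ACL, the direction, or the platform not honouring the statement at all) rather than at the rate or burst values, which is the distinction this thread keeps circling back to.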
10-29-2011 12:21 PM
Hi Arshad,
What is the model and IOS of your core switch where the policy is not working?
Best regards,
Alex
10-31-2011 02:22 AM
Dear Alexandar,
Model and IOS version of core switch is as under:
Model number: WS-C3750G-24T-E
SW Image: C3750-IPSERVICESK9-M
SW version: 12.2(50)SE3
Regards,
Arshad Ahmed
10-31-2011 09:21 AM
Hi Arshad,
It will not work on a VLAN unless you use "mls qos vlan-based" for the VLAN-based QoS.
QoS should work the same way as on the 3560. If you have used "mls qos vlan-based", remove it and just make the config the same way as you did on the 3560. If it is not working, there is something else in the config which is preventing it from doing so.
Best regards,
Alex
11-28-2011 03:55 AM
Dear Alexander,
If I use "mls qos" on the Cisco 3750 and Cisco 3560 then it shows the below-mentioned options:
switch_3750(config)mls qos ?
aggregate-policer
map
queue-set
rewrite
srr-queue
So which option should I select for QoS?
If I apply police-based QoS on the SVI then it generates an error.