10-20-2011 11:49 PM - edited 03-07-2019 02:57 AM
Hey all,
I am using a Cisco 3560 as a distribution switch and want to limit port 445 traffic to 1 MB. I applied a rate-limit statement on the Gi0/1 port, but the switch is unable to limit said traffic.
Here below is my scenario.
access-list 120 permit tcp any any eq 445 log
access-list 120 permit tcp any eq 445 any log
Gi0/1
rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop
But it's not working. Kindly guide me on this issue as it is very critical to me.
10-21-2011 12:58 AM
Hi,
Why don't you apply the rate-limit or policy-map feature to the VLAN you want, the one to which gi0/1 belongs?
The two individual steps below may help in your scenario.
STEP-1:
Apply rate-limit on each L3 vlan interface in your 2851
Example (for 1024kbits for vlan 2):
Router# conf t
Router(config)# int vlan 2
Router(config-if)#rate-limit input 1000000 187500 375000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output 1000000 187500 375000 conform-action transmit exceed-action drop
STEP-2:
Policy a specific VLAN number on VLAN interface.
class-map vlan5
match vlan 5
match class-map class-default
policy-map vlan5-limit
class vlan5
police 2000000 250000 exceed-action drop
int vlan5
service-policy input vlan5-limit
After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.
Hope this will help you.
Please rate the helpful posts.
Regards,
Naidu.
10-21-2011 01:07 AM
Thanks for the reply.
I have around 64 VLANs on the distribution switch, and I also need to apply the rate limit on the core switch (3750), which does not carry any VLAN configured.
Kindly provide the way to control this on 3560 and 3750 Gig ports (layer 3 ports).
10-21-2011 01:09 AM
Hi Arshad,
Why are you not using NBAR and MQC for the same ??
Regards,
Smitesh
10-21-2011 01:26 AM
Hi,
Try this:
police 90000000 11250000 exceed-action drop
police 30000000 3750000 exceed-action drop
Please rate the helpful posts.
Regards,
Naidu.
10-21-2011 02:17 AM
Hey Naidu,
If I apply
police 90000000 11250000 exceed-action drop
police 30000000 3750000 exceed-action drop
on Gi0/1, then how does it use said access-list (access-list 120) to control port 445 traffic?
Regards,
Arshad Ahmed
10-21-2011 02:20 AM
Hi Smitesh,
Kindly guide me on how I can implement NBAR or MQC in said scenario.
Regards,
Arshad Ahmed
10-21-2011 02:53 AM
Hi Arshad,
Make a class-map and have it match ip protocol.
Then make a policy-map and call that class-map.
Set the action you need to perform (in your case, rate-limiting).
Apply the policy-map to the outgoing interface or the incoming interface, whichever is of interest to you.
Skeleton should look like below:
class-map match-all
match ip protocol
exit
policy-map
class
set
exit
interface
service-policy
exit
HTH,
Smitesh
10-21-2011 11:11 PM
Hi all,
I have reconfigured the switch with the following configuration to control port 445 traffic.
access-list 140 permit tcp any any eq 445 log
access-list 140 permit tcp any eq 445 any log
class-map test
match access-group 140
policy-map test
class test
police 1024000 128000 exceed-action drop
int gi0/1
service-policy output test
and then I get the following message:
"police command is not supported for this interface
The interface does not support the specified policy configuration and/or parameter values.
Warning: Assigning a policy map to the output side of an interface not supported"
10-22-2011 03:00 AM
Hi,
What is your IOS version and model of 3560?
Best regards,
Alex
EDIT: Maybe you will need to use SRR for egress traffic shaping.
10-22-2011 05:12 AM
Hi Alexander,
IOS Version : 12.2(50)SE3
Image : C3560-IPSERVICESK9-M
I don't know about SRR shaping, so kindly let me know about it, as I mentioned the configuration in my previous post.
Thanks and Regards,
Arshad Ahmed
10-22-2011 03:12 PM
Hi,
You can use your already created policy ingress. Give it a try. Just change from "output" to "input". Add it to the interface where this traffic originates and to the ingress of the returning interface if you need it. This should be working ingress.
The idea about SRR is to mark the packets with a certain CoS or DSCP. Then we determine, using the selected marking, which queue the marked traffic will use and give it a shaping percentage.
More information on SRR:
Best regards,
Alex
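The two approaches described in the reply above, written out as an added example (not configuration posted by anyone in this thread). ACL 140, class-map test and policy-map test come from the earlier post; the interface roles, the policy-map name test-mark, DSCP 8, queue 4 and the shape weights are assumptions chosen for illustration.

```cisco
! QoS must be enabled globally before policers and SRR settings take effect.
! Once enabled, ports are untrusted by default and incoming markings are reset.
mls qos
!
! ACL from the thread, without the log keyword
access-list 140 permit tcp any any eq 445
access-list 140 permit tcp any eq 445 any
!
class-map match-all test
 match access-group 140
!
! Option A: the thread's policy, attached inbound instead of outbound
policy-map test
 class test
  police 1024000 128000 exceed-action drop
!
! Gi0/2 is assumed to be the port where the port 445 traffic enters the switch
interface GigabitEthernet0/2
 service-policy input test
!
! Option B: mark on ingress, shape the egress queue with SRR
! (attach test-mark inbound in place of test, not in addition to it)
policy-map test-mark
 class test
  set dscp 8
!
! Send DSCP 8 to egress queue 4, threshold 1 (assumed queue choice).
! Every DSCP value mapped to queue 4 shares the shaper; review the map
! with: show mls qos maps dscp-output-q
mls qos srr-queue output dscp-map queue 4 threshold 1 8
!
! Gi0/1 is the egress port from the original question.
! Shape weights are inverse ratios: 1000 means about 1/1000 of the port
! speed, roughly 1 Mb/s on a port running at 1 Gb/s (assumed).
! The first value, 25, keeps the default shaping of queue 1.
interface GigabitEthernet0/1
 srr-queue bandwidth shape 25 0 0 1000
```

Policer matches can be checked with `show policy-map interface` on releases that report them, and the egress queue settings with `show mls qos interface GigabitEthernet0/1 queueing`.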
10-24-2011 11:03 PM
Hi Alexander,
Thanks for your support. Can you please provide an alternate SRR queue configuration comparable to the configuration I provided above?
Thanks and Regards,
Arshad Ahmed
10-25-2011 01:22 AM
Hi Arshad Khan, your configuration has something wrong. Please remove the log tag from your access-list!
Because an access-list with log on a switch won't work. Log can only be used for route-control logging.
10-25-2011 01:55 AM
Hi Wenbin,
I already removed the log statement from the ACL; I put it here by mistake.
Regards,
Arshad Ahmed