I am using a Cisco 3560 as a distribution switch and want to limit port 445 traffic to 1 MB. I applied a rate-limit statement on the Gi0/1 port, but the switch is unable to limit said traffic.
Here below is my scenario.
access-list 120 permit tcp any any eq 445 log
access-list 120 permit tcp any eq 445 any log
rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop
But it's not working. Kindly guide me on this issue as it is very critical to me.
Why don't you apply the rate-limit or policy map feature to the VLAN which you want and to which the Gi0/1 belongs?
See the two individual steps below; they may help in your scenario.
Apply rate-limit on each L3 vlan interface in your 2851
Example (for 1024kbits for vlan 2):
Router# conf t
Router(config)# int vlan 2
Router(config-if)#rate-limit input 1000000 187500 375000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output 1000000 187500 375000 conform-action transmit exceed-action drop
Police a specific VLAN number on the VLAN interface.
match vlan 5
match class-map class-default
police 2000000 250000 exceed-action drop
service-policy input vlan5-limit
After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.
Hope this will help you.
Please rate the helpful posts.
Make a class-map and have match ip protocol
Then make a policy-map and call that class-map.
Set the action you need to perform (in your case, rate-limiting).
Apply the policy-map to the outgoing interface or incoming interface, whichever is of your interest.
Skeleton should look like below:
match ip protocol
I have reconfigured the switch with the following configuration to control port 445 traffic.
police 1024000 128000 exceed-action drop
service-policy output test
and then I get the following message
"police command is not supported for this interface
The interface does not support the specified policy configuration and/or paramet
Warning: Assigning a policy map to the output side of an interface not supported"
You can use your already created policy on ingress. Give it a try. Just change from "output" to "input". Add it to your interface where this traffic originates and to the ingress of the returning interface if you need it. This should work on ingress.
The idea about SRR is to mark the packets with a certain CoS or DSCP. Then we determine, using the selected marking, which queue the marked traffic will use and give it a shaping percent.
More information on SRR:
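
The ingress approach suggested in the last reply, written out as one complete configuration. This is an added example, not taken from any post in the thread: the names SMB-445 and LIMIT-SMB are hypothetical, and it assumes access-list 120 from the original question is already defined on the switch.

```cisco
! Added example. Assumes access-list 120 from the first post already exists.
! SMB-445 and LIMIT-SMB are hypothetical names chosen for this example.
!
! QoS is disabled by default on the Catalyst 3560, and the policer has no
! effect until it is enabled globally. Once enabled, ports are untrusted by
! default, so incoming CoS/DSCP markings are reset to 0 unless a trust state
! is configured on the port.
mls qos
!
! Classify the TCP/445 traffic using the existing ACL
class-map match-all SMB-445
 match access-group 120
!
policy-map LIMIT-SMB
 class SMB-445
  ! Same rate (bits per second) and burst (bytes) as the follow-up post
  police 1024000 128000 exceed-action drop
!
! The switch rejected "service-policy output" with a policer, so attach the
! policy inbound on the port where the TCP/445 traffic enters the switch.
interface GigabitEthernet0/1
 service-policy input LIMIT-SMB
!
! Check policer counters with:
!   show mls qos interface GigabitEthernet0/1 statistics
```

An inbound policy only polices traffic entering that port, so the return direction needs the same service-policy on the port where the replies enter the switch.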