From: Ahmed Ossama (ahmed_ossama@rayatelecom.net)
Date: Wed Sep 14 2005 - 17:26:30 GMT-3
Dear All,
Is there any way to police ICMP traffic on a switch out of a certain interface or ingress on a VLAN?
If I had a server that launches an ICMP attack and I want to limit it on VLAN x, I didn't know the location of the server but I know the output interface of the VLAN. So there are two possible solutions: police the traffic out of the interface or police it ingress to the VLAN.
As far as I know, we can't apply policing on SVIs or on the egress of the interface. I also tried to configure it, and it gives me an error as shown below:
Switch(config-if)#service-policy out testi
Switch(config-if)#
2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
Switch(config-if)#
Switch(config-if)#
Also in interface vlan:
Switch(config-if)#service-policy out testi
Switch(config-if)#
2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
Switch(config-if)#
I configured the policy map as mentioned below:
Switch#show policy-map testi
Policy Map testi
class testi
police 8000 8000 exceed-action drop
Switch#show cl
Switch#show cla
Switch#show class-map testi
Class Map match-all testi (id 4)
Match access-group 101
!
Switch#show access-lists 101
Extended IP access list 101
permit icmp any any
!
Switch(config-if)#service-policy out testi
Switch(config-if)#
2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
2d23h: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap testi
Switch(config-if)#
Switch(config-if)#
Thanks in advance,
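
Added example, not part of the original message: a token-bucket model of the `police 8000 8000 exceed-action drop` line quoted above, showing how much ICMP such a policer would pass under a steady flood. It assumes the first value is the rate in bits per second and the second the burst in bytes; the function names and the 100-byte packet traffic are constructed for illustration.

```python
# Added example: token-bucket model of "police 8000 8000 exceed-action drop".
# Assumption: rate is in bits per second and burst is in bytes.

def police(packets, rate_bps=8000, burst_bytes=8000):
    """packets: iterable of (arrival_time_s, size_bytes), sorted by time.
    Returns (conformed, dropped) lists of the same tuples."""
    tokens = float(burst_bytes)        # bucket starts full
    last = None
    conformed, dropped = [], []
    for t, size in packets:
        if last is not None:
            # Refill at rate_bps/8 bytes per second, capped at the burst size.
            tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8.0)
        last = t
        if size <= tokens:
            tokens -= size             # packet conforms: forwarded
            conformed.append((t, size))
        else:
            dropped.append((t, size))  # exceed-action drop
    return conformed, dropped


def constructed_flood(pps, seconds, size=100):
    """Constructed sample traffic: fixed-size ICMP packets at a steady rate."""
    return [(i / pps, size) for i in range(pps * seconds)]


if __name__ == "__main__":
    for pps in (5, 10, 1000):
        ok, bad = police(constructed_flood(pps, 10))
        print(f"{pps:>5} pps offered: {len(ok)} passed, {len(bad)} dropped in 10 s")
```

With 100-byte packets the policer sustains about 10 packets per second; a faster source first drains the 8000-byte burst and is then held to 1000 bytes per second.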